Broadband? Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
On Fri, 18 Jun 2004, Michael Painter wrote: A coupla' years ago, the FCC defined Broadband as 200Kbps and above. Hmm different jurisdiction but Tiscali NTL seems to think broadband is as low as 100Kbps http://www.tiscali.co.uk/products/broadband/3xfaster.html?code=ZZ-NL-11MR http://www.ntlhome.co.uk/ntl_internet/broadband.asp?cust=ntlcom_broadbandtextlink Wrongful trading or say what you like if you make it up as you go along.. ? Steve
Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
In message [EMAIL PROTECTED], Sean Donela n writes: In reality, CALEA is a funding bill; it has very little to do with technology. There's a lot more to it than that -- there's also access without involving telco personnel, and possibly the ability to do many more wiretaps (have you looked at the capacity requirements lately), but funding is certainly a large part of it. From Section (e) of http://www4.law.cornell.edu/uscode/18/2518.html : Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance. --Steve Bellovin, http://www.research.att.com/~smb
Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
Speaking on Deep Background, the Press Secretary whispered: Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance. --Steve Bellovin, http://www.research.att.com/~smb The issue, I suspect, is, who defines reasonable here? Is it like Blue Cross who decides that UCR is 50% of what every MD charges, and refuses to justify their decision? I suspect some here have already been there, done that... Then there is the issue of getting paid in a timely manner, Prompt Payment Act or not. -- A host is a host from coast to [EMAIL PROTECTED] no one will talk to a host that's close[v].(301) 56-LINUX Unless the host (that isn't close).pob 1433 is busy, hung or dead20915-1433
where is whois.arin.net?
whois.arin.net appears to have been down for at least the past hour or two. Anyone know what happened or an ETR for it? ARIN seems to block ping/traceroute at their border, but www.arin.net is still usable. The web frontend to whois at www.arin.net seems nonfunctional at this time as well. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
ARIN whois server offline ?
Reachability to the network seems OK, but the server seems to time out. marble% whois -h whois.arin.net 220.175.8.27 whois: connect(): Operation timed out marble% marble% traceroute whois.arin.net traceroute to whois.arin.net (192.149.252.43), 64 hops max, 44 byte packets 1 iolite4-fxp2 (199.212.134.10) 0.114 ms 0.105 ms 0.090 ms 2 tor-hespler-360-mica (64.7.143.42) 3.105 ms 3.365 ms 3.691 ms 3 h66-59-189-97.gtconnect.net (66.59.189.97) 4.509 ms 4.644 ms 3.871 ms 4 216.18.63.93 (216.18.63.93) 15.021 ms 14.774 ms 15.044 ms 5 POS4-0.PEERA-CHCGIL.IP.GROUPTELECOM.NET (66.59.191.86) 14.175 ms 14.009 ms 14.556 ms 6 p4-6-2-0.r01.chcgil01.us.bb.verio.net (129.250.10.97) 14.892 ms 14.477 ms 14.667 ms 7 p16-2-0-0.r01.chcgil06.us.bb.verio.net (129.250.5.70) 14.680 ms 14.497 ms 14.477 ms 8 POS5-2.BR3.CHI2.ALTER.NET (204.255.174.233) 15.266 ms 15.298 ms 14.956 ms 9 0.so-5-2-0.XL2.CHI2.ALTER.NET (152.63.68.6) 15.469 ms 14.989 ms 15.546 ms 10 0.so-0-0-0.TL2.CHI2.ALTER.NET (152.63.68.89) 15.618 ms 15.804 ms 16.736 ms 11 0.so-3-0-0.TL2.DCA6.ALTER.NET (152.63.19.170) 34.436 ms 34.240 ms 34.352 ms 12 0.so-7-0-0.CL2.DCA1.ALTER.NET (152.63.32.181) 34.680 ms 35.498 ms 35.267 ms 13 194.ATM5-0.GW4.DCA1.ALTER.NET (152.63.37.65) 35.113 ms 35.455 ms 35.452 ms 14 arin-gw2.customer.alter.net (65.207.88.74) 110.848 ms 37.177 ms 38.229 ms 15 *^C marble% Mike Tancsa, tel +1 519 651 3400 Sentex Communications,[EMAIL PROTECTED] Providing Internet since 1994www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike
Re: VoIP a potential haven for terrorists
At 04:32 PM 18-06-04 -0500, Stephen Sprunk wrote: Thus spake Daniel Golding [EMAIL PROTECTED] The amount of money the FBI would need to spend to tap a VoIP call is highest with the first option, intermediate with the second, and lowest with the last. Some services companies are really salivating for the chance to add CALEA hardware to VoIP networks. I won't mention any particular companies here, as they have taken a recent beating on this list. Piling on seems rather cruel. Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service CALEA Implementation Federal Bureau of Investigation Jan 29, 2003 http://www.ictlaw.net/upload/fbivoip.pdf -Hank
Re: Verisign vs. ICANN
Just curious. How much would it differ from http://www.amazon.com/exec/obidos/redirect?tag=icannwatch-20path=tg/detail/-/0262134128/qid%3D1041619276/sr%3D1-1 and http://www.law.miami.edu/~froomkin/articles/icann.pdf ? On Fri, 18 Jun 2004, Jonathan Slivko wrote: Maybe try these guys? http://cyber.law.harvard.edu/is99/governance/love.html -- Jonathan On Fri, 18 Jun 2004 15:38:50 -0700, Peter H Salus [EMAIL PROTECTED] wrote: Paul (et al.), If you can find a willing publisher and an organization able to supply some funds, I would be delighted to work on a real history of Internet governance since RFCs 881-883. (Most of the funds would be for travel, Xeroxing, etc.) Peter - Peter H. Salus, Ph.D. 40 IH 35 N #4A3Austin, TX 78701 consultant author [EMAIL PROTECTED] +1 512 478-7562 -- http://www.icannwatch.org Personal Blog: http://www.discourse.net A. Michael Froomkin |Professor of Law| [EMAIL PROTECTED] U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA +1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm --It's warm here.--
Re: Verisign vs. ICANN
I will admit to only thinking about this for a few days. However, it seems to me that the Harvard material is rather narrowly focussed both on a temporal and on a topical level. I am an admirer of Froomkin's essays, and have published at least one of them (in the distant past when Matrix News was published). I haven't really looked at Ruling the Root, because I was turned off by Dave Crocker's review in IPJ. But, anyway, as it appeared in 2002, I imagine it contains little of the recent Verisign/Netsol business. However, I should most likely give Mueller more leeway, as I really liked his telephony book. Peter
Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
On Sat, 19 Jun 2004, Steven M. Bellovin wrote: There's a lot more to it than that -- there's also access without involving telco personnel, and possibly the ability to do many more wiretaps (have you looked at the capacity requirements lately), but funding is certainly a large part of it. From Section (e) of http://www4.law.cornell.edu/uscode/18/2518.html : Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance. That is not part of CALEA. Carriers found to be covered by CALEA must provide certain capabilities to law enforcement. For telecommunication equipment, facilities or services deployed after January 1 1995 the carrier must pay all reasonable costs to provide the capabilities. The capacity requirements are interesting. In some cases, the carrier is required to have more law enforcement tapping capacity than customer capacity. The government sets the capacit requirements without any regard for the cost of maintaining the capacity. If there are multiple competitive carriers in the same area, all of the carriers must have the same capacity. If you have a single customer in Los Angeles, you must provide the capacity for at least 1,360 simultaneous interceptions. How many SPAN ports do you have? As I mentioned, the wiretap acts and CALEA are really independent.
RE: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
It's not just a funding bill. It provided $500MM for carrier network upgrades and for switch software compliance. That fund has been exhausted from what I have been told. It also clearly defined technical expectations that carriers and manufacturers have to live up to. All that being CALEA compliant means is that you are capable, as required, to provide service to a legal order i.e. pin register, trap, trace, DTMF extration, flash hook operations ala three way calling, CALLER ID, and voice intercept. There's no secret sauce to CALEA. CALEA doesn't expand LEA's authority, it puts them on an even playing field with suspected criminals with regards to access. -M -- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations Infrastructure [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sean Donelan Sent: Saturday, June 19, 2004 1:49 AM To: Stephen Sprunk Cc: North American Noise and Off-topic Gripes Subject: Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists] On Fri, 18 Jun 2004, Stephen Sprunk wrote: I'm told that most CALEA warrants only authorize a pen register, not an CALEA and wiretaps are independent subjects. You can have CALEA obligations even if you never, ever implement a single wiretap. On the other hand you may need to implement many wiretaps even though you have no CALEA obligations. For example, hotels and universities have traditionally been considered not to have CALEA obligations. However, both hotels and universities must comply with court orders if law enforcement wants to wiretap one of their phones. Should CALEA be extended to hotels and universities? Are hotels and universities broadband Internet providers when they offer Internet service in student dorm rooms or hotel rooms? In reality, CALEA is a funding bill; it has very little to do with technology. Imagine if law enforcement thought DNA testing was too expensive, so Congress passes a law requiring all doctors to purchase DNA testing equipment and provide free DNA tests to law enforcement. DNA is a complicated subject. Few police officers are qualified to analyze DNA. Instead law enforcement pays for professional DNA testing when it needs DNA testing. The FCC comment period has closed. Everyone had an opportunity to submit comments on the topic to the FCC. Consult your own attorney if you want real legal advice.
Re: Verisign vs. ICANN
Just curious. How much would it differ from http://www.amazon.com/exec/obidos/redirect?tag=icannwatch-20path=tg/detail/-/0262134128/qid%3D1041619276/sr%3D1-1 and http://www.law.miami.edu/~froomkin/articles/icann.pdf as i said, it can't be written by an ambulance-chaser or nobody will pay attention.
Re: Verisign vs. ICANN
(read it only today, so sorry if I repeat something). The technical roots of the problem are: proposed services VIOLATES internet specification (which is 100% clean - if name do not exist, resolver must receive negative response). So, technically, there is not any ground for SiteFinder - vice versa, now you can add client-level search SiteFinder (MS did it, and it took LOONG to turn off their dumb 'search' redirect) so allowing competition between ISP, browsers and so on. Anyway, please - those who knows history and can read this 'official' English (little bored) - I am sure, that we can find many inconsistencies in the filing; it may be reasonable to provide a set of independent _technical_ reviews, showing that ICANN plays a role of technical authority, just do not allowing to violate a protocols. For the second case (waiting lists), it is not technical issue, but it is anti-competitional attempt from Verisign as well. I can ask my Russian folks to review it as well (dr. Platonov, Dimitry Burkov) but I am not sure, if it is of any use... Anyway, good review, explaining history and revealing real ICANN role, should be done. If VeriSign wish to deploy services - they must put thru new RFC first. PS. I am excited - Vixie as a co-conspirator... Vixie, you can be proud -:). Alexei Roudnev PV Date: 18 Jun 2004 05:58:00 + PV From: Paul Vixie PV Paul Vixie is an existing provider of competitive services for PV registry operations, including providing TLD domain name hosting PV services for ccTLDs and gTLDs, and a competitor of VeriSign for PV new registry operations. [...] I'm missing something. By what stretch of whose imagination does root nameserver operations compete with a registrar? Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
RE: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
Sean, the capacity requirements aren't as straightforward as you are interpreting them. If you are a CLEC and you cover a full five state area in the Northeast, you probably are subject to a county aggregate of a capacity requirement of 1500. You would then look at your historicals, refer to the Federal Register for the actual maximum, and adjust your capacity as required to meet your own historicals and averages -- that also should take into consideration other RBOCs/CLECs operating in the same five state region as the orders will more than likely be broken out by access line % per carrier unless a single carrier dominates in a traditionally active area. In New York City and Los Angeles, the two most active areas, there was a mean average of .035 active electronic/oral intercepts per day. It's complicated, but noone is subject to a straight 1200+ capacity required. There were 1,442 NON FISA oral and electronic intercepts in the entire United States last year.[2] I have the Federal Register Notice if you want a copy. Let me know. [1] Federal Register Volume 63, No. 48 - March 12, 1998 NOTICE 12231 [2] 30 APR 2004 Press Release, Admin office of US Courts -M -- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations Infrastructure [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sean Donelan Sent: Saturday, June 19, 2004 4:24 PM To: Steven M. Bellovin Cc: North American Noise and Off-topic Gripes Subject: Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists] On Sat, 19 Jun 2004, Steven M. Bellovin wrote: There's a lot more to it than that -- there's also access without involving telco personnel, and possibly the ability to do many more wiretaps (have you looked at the capacity requirements lately), but funding is certainly a large part of it. From Section (e) of http://www4.law.cornell.edu/uscode/18/2518.html : Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance. That is not part of CALEA. Carriers found to be covered by CALEA must provide certain capabilities to law enforcement. For telecommunication equipment, facilities or services deployed after January 1 1995 the carrier must pay all reasonable costs to provide the capabilities. The capacity requirements are interesting. In some cases, the carrier is required to have more law enforcement tapping capacity than customer capacity. The government sets the capacit requirements without any regard for the cost of maintaining the capacity. If there are multiple competitive carriers in the same area, all of the carriers must have the same capacity. If you have a single customer in Los Angeles, you must provide the capacity for at least 1,360 simultaneous interceptions. How many SPAN ports do you have? As I mentioned, the wiretap acts and CALEA are really independent.
Re: Verisign vs. ICANN
Hi Alexei, I do not believe there is any technical spec prohibiting this, in fact that DNS can use a wildcard at any level is what enables the facility. I think this is a non-technical argument.. altho it was demonstrated that owing to the age and status of the com/net zones a number of systems are now in operation which make assumptions about the response in the event of the domain not existing... Steve On Sat, 19 Jun 2004, Alexei Roudnev wrote: (read it only today, so sorry if I repeat something). The technical roots of the problem are: proposed services VIOLATES internet specification (which is 100% clean - if name do not exist, resolver must receive negative response). So, technically, there is not any ground for SiteFinder - vice versa, now you can add client-level search SiteFinder (MS did it, and it took LOONG to turn off their dumb 'search' redirect) so allowing competition between ISP, browsers and so on. Anyway, please - those who knows history and can read this 'official' English (little bored) - I am sure, that we can find many inconsistencies in the filing; it may be reasonable to provide a set of independent _technical_ reviews, showing that ICANN plays a role of technical authority, just do not allowing to violate a protocols. For the second case (waiting lists), it is not technical issue, but it is anti-competitional attempt from Verisign as well. I can ask my Russian folks to review it as well (dr. Platonov, Dimitry Burkov) but I am not sure, if it is of any use... Anyway, good review, explaining history and revealing real ICANN role, should be done. If VeriSign wish to deploy services - they must put thru new RFC first. PS. I am excited - Vixie as a co-conspirator... Vixie, you can be proud -:). Alexei Roudnev PV Date: 18 Jun 2004 05:58:00 + PV From: Paul Vixie PV Paul Vixie is an existing provider of competitive services for PV registry operations, including providing TLD domain name hosting PV services for ccTLDs and gTLDs, and a competitor of VeriSign for PV new registry operations. [...] I'm missing something. By what stretch of whose imagination does root nameserver operations compete with a registrar? Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
* [EMAIL PROTECTED] (Jeff Shultz) [Fri 18 Jun 2004, 21:42 CEST]: Pay for it? If I remember from CALEA, the providers pay for it (and eventually their customers), and as for broadband Internet providers... I'm guessing anyone who offers end user customers a circuit bigger than 53.333k. Pet peeve: broadband isn't a synonym for faster than a modem. Cable and DSL are broadband due to those technologies using a wide range of frequencies. Ethernet is not broadband (but baseband). -- Niels.
Re: Broadband? Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
Stephen J. Wilcox [19/06/04 16:38 +0100]: On Fri, 18 Jun 2004, Michael Painter wrote: A coupla' years ago, the FCC defined Broadband as 200Kbps and above. Hmm different jurisdiction but Tiscali NTL seems to think broadband is as low as 100Kbps In India, it is anywhere over 64 Kbps, and the maximum offered over cable / dsl is currently 512 Kbps. And of course, anything below several Mbps (or 100 Mbps in the case of FTTH) is definitely not broadband in Japan :) srs
RE: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
On Sat, 19 Jun 2004, Hannigan, Martin wrote: Sean, the capacity requirements aren't as straightforward as you are interpreting them. You are absolutely correct, they are not that straightforward. You should consult a telecommunications attorney with expertise in this area for legal advice. If you are a CLEC and you cover a full five state area in the Northeast, you probably are subject to a county aggregate of a capacity requirement of 1500. No. The FBI is very clear, if you are a CLEC and cover a full five state area in the Northeast, you are subject to the CUMULATIVE capacity require for every county in those five states. See the www.askcalea.com web site for full details. You would then look at your historicals, refer to the Federal Register for the actual maximum, and adjust your capacity as required to meet your own historicals and averages -- that also should take into consideration other RBOCs/CLECs operating in the same five state region as the orders will more than likely be broken out by access line % per carrier unless a single carrier dominates in a traditionally active area. Although this was suggested by commentators, the FBI explicitely rejected that. The theory was the Mafia would then buy phone service from some smaller carrier without enough capacity to monitor all their calls. Individual carriers must provide sufficient capacity so that law enforcement has the ability to simultaneously conduct any number of call content interceptions, pen registers, and trap and trace devices, not to exceed the estimated actual and maximum requirements (which are based on historical interception activity) at any location within a county. Appendix A of the Final Notice of Capacity (63 Fed Reg 12217, 12238) However, there is an exception, no single switch is required to support more than 386 simultaneous pen registers and trap and trace devices or 75 simultaneous call content interceptions. What is a switch? http://www.askcalea.com/docs/capsecg.pdf Individual carriers can take the legal gamble and use other network deployment strtegies, such as making assumptions of how many pen registers, trap and trace and intercepts will occur on their network versus a competitors network. Assume 95% of the court orders will go to your competitors, so you only need to provide 5% of the capacity in the county. But you can't escape the penalties by depending on your competitor's capacity. The obligation to satisfy the capacity requirements in a cost-effective andreasonable manner is the responsibility of all carriers that operate within a given geographic area. How often do you see all the competitors in an industry sit down in a room and decide how they will divide up the costs and establish pricing? It's complicated, but noone is subject to a straight 1200+ capacity required. There were 1,442 NON FISA oral and electronic intercepts in the entire United States last year.[2] Actually, they are expected to provide far more than that. As you know, the Wiretap report does not include pen registers. There is no public source for the number of pen registers in the US, but some industry sources estimate it at 70,000 to 75,000 per year.
RE: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
-Original Message- From: Sean Donelan [mailto:[EMAIL PROTECTED] Sent: Saturday, June 19, 2004 8:39 PM To: Hannigan, Martin Cc: North American Noise and Off-topic Gripes Subject: RE: [Fwd: [IP] Feds: VoIP a potential haven for terrorists] On Sat, 19 Jun 2004, Hannigan, Martin wrote: Sean, the capacity requirements aren't as straightforward as you are interpreting them. You are absolutely correct, they are not that straightforward. You should consult a telecommunications attorney with expertise in this area for legal advice. It's a law that has technical requirements co mingled so you need both lawyers and engineers. If you are a CLEC and you cover a full five state area in the Northeast, you probably are subject to a county aggregate of a capacity requirement of 1500. No. The FBI is very clear, if you are a CLEC and cover a full five state area in the Northeast, you are subject to the CUMULATIVE capacity require for every county in those five states. See the www.askcalea.com web site for full details. I have. And I continue to disagree. [snip] Individual carriers must provide sufficient capacity so that law enforcement has the ability to simultaneously conduct any number of call content interceptions, pen registers, and trap and trace devices, not to exceed the estimated actual and maximum requirements (which are based on historical interception activity) at any location within a county. Appendix A of the Final Notice of Capacity (63 Fed Reg 12217, 12238) Which is what I defined. Sufficient capacity with capability to increase if needed. However, there is an exception, no single switch is required to support more than 386 simultaneous pen registers and trap and trace devices or 75 simultaneous call content interceptions. What is a switch? That's what the federal register notice I pointed you at said. And in come cases, a single switch can carry a five state area. Softswitch comes to mind. http://www.askcalea.com/docs/capsecg.pdf Individual carriers can take the legal gamble and use other network deployment strtegies, such as making assumptions of how many pen registers, trap and trace and intercepts will occur on their network versus a competitors network. Assume 95% of the court orders will go to your competitors, so you only need to provide 5% of the capacity in the county. But you can't escape the penalties by depending on your competitor's capacity. You can't service a competitors legal orders so I'm not sure what you're getting at. You're almost saying every carrier should have one DS0 for every single dialup user. The obligation to satisfy the capacity requirements in a cost-effective andreasonable manner is the responsibility of all carriers that operate within a given geographic area. How often do you see all the competitors in an industry sit down in a room and decide how they will divide up the costs and establish pricing? What has pricing intercepts have to do with concurrent intercepts? CLECS are not going to make money servicing legal orders. I doubt RBOCS make money doing it either. It's complicated, but noone is subject to a straight 1200+ capacity required. There were 1,442 NON FISA oral and electronic intercepts in the entire United States last year.[2] Actually, they are expected to provide far more than that. They're expected to have the capability. So let me rephrase. They are subject. The actual and historic are relevant. As you know, the Wiretap report does not include pen registers. There is no public source for the number of pen registers in the US, but some industry sources estimate it at 70,000 to 75,000 per year. I'll check on the pen-register comment. You keep saying talk to a lawyer, but quoting legalese. Are you an attorney? Not being smarmy. Just curious. Hypothetical. How many bankrupt CLEC's do you expect to see this year complying with CALEA and providing, as an example, a fully loaded 1200 concurrent session infrastructure in a 100 a year historically survielled area? N0TE: I am speaking from experience on the LEC side, nowhere else.
Re: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
Thus spake Niels Bakker [EMAIL PROTECTED] * [EMAIL PROTECTED] (Jeff Shultz) [Fri 18 Jun 2004, 21:42 CEST]: Pay for it? If I remember from CALEA, the providers pay for it (and eventually their customers), and as for broadband Internet providers... I'm guessing anyone who offers end user customers a circuit bigger than 53.333k. Pet peeve: broadband isn't a synonym for faster than a modem. Cable and DSL are broadband due to those technologies using a wide range of frequencies. Ethernet is not broadband (but baseband). Congress can define a word (in the US legal context) to mean anything they want; whether such has any relation to its technical definition is irrelevant. I doubt they care about the technology used to deliver IP service, only the capabilities and typical users; defining broadband as any circuit 56kbps or above would likely suffice for their intent, regardless of how incorrect it is. However, I fail to see how broadband or link speeds in general even matter in this context; what matters is whether the link is of sufficient speed for VoIP to be feasible, in which case anything from 9.6kbps cellular to WiFi, from ARCnet to OC192/10GE might qualify -- or might not, if IP isn't running over it. S Stephen Sprunk Those people who think they know everything CCIE #3723 are a great annoyance to those of us who do. K5SSS --Isaac Asimov
Justice Dept: Wiretaps should apply to Net calls
The battle rages on, apparently. The more things change, the more things stay the same, it would seem. ;-) This is from this past Wednesday --I'm surprised that I somehow overlooked it and only just now saw this. http://www.cnn.com/2004/TECH/internet/06/16/telecoms.voip.reut/index.html FYI, - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED]
Re: Justice Dept: Wiretaps should apply to Net calls
I guess the Akami hoopla caused me to overlook it, but one more thing: I always did like John McCain. His quote: Since it is a breakthrough technology, there's going to be a lot of china broken. Shake, rattle, roll. Same as it ever was. - ferg -- Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote: The battle rages on, apparently. The more things change, the more things stay the same, it would seem. ;-) This is from this past Wednesday --I'm surprised that I somehow overlooked it and only just now saw this. http://www.cnn.com/2004/TECH/internet/06/16/telecoms.voip.reut/index.html FYI, - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED]
real-time DDoS help?
Howdy, Is there any place where people with experience dealing with DDoS attacks hang out? I'm getting very little assistance from my upstream beyond call whomever is in charge of each IP attacking and make them stop, and even though we null route the destination IP being attacked, this traffic will be billed. I've got a nice snippet of flows, so I can mostly see where everything is coming from, and it's obvious what the target is, but my flow-stat/flow-report skills are pretty weak. Oddly, in eight years of working for smallish ISPs I've never been hit very hard, believe it or not. Is the response from my upstream typical? I was expecting a bit more cooperation rather than them seeing as this as an opportunity to bill me for lots of traffic. Thanks, Charles -- Charles Sprickman [EMAIL PROTECTED]
Re: real-time DDoS help?
Charles Sprickman wrote: even though we null route the destination IP being attacked, this traffic will be billed.
Re: real-time DDoS help?
Hmmm. Maybe if NANOG had irc.nanog.org, maybe that might be something to consider - a real-time network of communication for network operators to deal with issues, etc. -- Jonathan On Sat, 19 Jun 2004 22:04:36 -0400 (EDT), Charles Sprickman [EMAIL PROTECTED] wrote: Howdy, Is there any place where people with experience dealing with DDoS attacks hang out? I'm getting very little assistance from my upstream beyond call whomever is in charge of each IP attacking and make them stop, and even though we null route the destination IP being attacked, this traffic will be billed. I've got a nice snippet of flows, so I can mostly see where everything is coming from, and it's obvious what the target is, but my flow-stat/flow-report skills are pretty weak. Oddly, in eight years of working for smallish ISPs I've never been hit very hard, believe it or not. Is the response from my upstream typical? I was expecting a bit more cooperation rather than them seeing as this as an opportunity to bill me for lots of traffic. Thanks, Charles -- Charles Sprickman [EMAIL PROTECTED] -- Jonathan M. Slivko - [EMAIL PROTECTED] Linux: The Choice for the GNU Generation - http://www.linux.org/ - Don't fear the penguin. .^. /V\ /( )\ ^^-^^ He's here to help.
RE: [Fwd: [IP] Feds: VoIP a potential haven for terrorists]
On Sat, 19 Jun 2004, Cade,Marilyn S - LGCRP wrote: Jim Dempsey's testimony at Senator Sununu's hearing is very interesting, and very educational on these issues. CALEA was not written for the IP world. When CALEA was being written, the Internet, IP and information services were all debated. But, the facts are that IP service providers comply with law enforcement's requests. IF more legal vehicles are needed, beyond what law enforcement has today, then Congress should make that determination. CALEA doesn't reduce law enforcement's wiretap authority or the obligation for carriers to provide technical assistance under Title III or ECPA or other statutes. Law enforcement has been conducting wiretaps for decades prior to the passage of CALEA. Law enforcement has been using Title III and ECPA to tap e-mail, internet communications, pagers, etc for years. The FBI even demostrated its Canivore DSC1000 box at NANOG in Washington DC a few years ago. A SPAN port could satisfy an ISP's obligations under TitleIII/ECPA, but not satisfy CALEA.
Re: real-time DDoS help?
On Sat, 19 Jun 2004, Jonathan Slivko wrote: Maybe if NANOG had irc.nanog.org, maybe that might be something to consider - a real-time network of communication for network operators to deal with issues, etc. There's always http://puck.nether.net/mailman/listinfo/nsp-security -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: real-time DDoS help?
On Sun, 20 Jun 2004, Suresh Ramasubramanian wrote: On Sat, 19 Jun 2004, Jonathan Slivko wrote: Maybe if NANOG had irc.nanog.org, maybe that might be something to consider - a real-time network of communication for network operators to deal with issues, etc. There's always http://puck.nether.net/mailman/listinfo/nsp-security I can tell you right off AS8059 doesn't meet the requirements. I'd gladly respond to any reports of attacks from them, but I don't think you'd ever see any. Basement multihomers unite. Charles -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: real-time DDoS help?
Is there any place where people with experience dealing with DDoS attacks hang out? I'm getting very little assistance from my upstream beyond call whomever is in charge of each IP attacking and make them stop, and even though we null route the destination IP being attacked, this traffic will be billed. It seems that you should look somewhere else for your next bandwidth contract... I've got a nice snippet of flows, so I can mostly see where everything is coming from, and it's obvious what the target is, but my flow-stat/flow-report skills are pretty weak. Fake or real source IPs ? TCP SYNs, ICMPs, UDPs ? Rubens
S.2281 Hearing (was: Justice Dept: Wiretaps...)
The particular hearing that set this all off is the Senate Commerce Committee's review of S.2281 (VoIP Regulatory Freedom Act) that took place on last Wednesday, and in general, the hearing has a higher content to noise ratio than the resulting press coverage. The agenda and statements of the participants can be found here: http://commerce.senate.gov/hearings/witnesslist.cfm?id=1230 S.2281 takes the middle of the road position in areas such as lawful intercept, universal service fund, and E911. At a high-level, those VoIP services which offer PSTN interconnection (and thereby look like traditional phone service in terms of capabilities) under S.2281 pick up the same regulatory requirements. Those VoIP services which do not interconnect are continue to be treated as information services and therefore excluded from these requirements. With respect to facilitating lawful intercept, the opening comments of Ms. Laura Parsky (Deputy Assistant Attorney General, US DoJ) and James Dempsey, Executive Director of the Center for Democracy and Technology (CDT) are quite informative. The DoJ view is that S.2281 is not enough, and any service using switching or transport should facilitate lawful intercept. This position has the advantage of clarity, but there are lots of communications (chat/IM/etc) that are going to hard to decode and make readily available as needed. It is also an expansion of the current framework of CALEA, which specifically sets aside information services including email and messaging. The CDT position is interesting, noting that CALEA came into being to address concerns that law enforcement wouldn't be able to readily pursue lawful intercept orders without directly mandating call intercept capacity in each service provider. This works fine with one application (voice) but that replicating this model for data services makes no sense given the diversity of Internet communications applications. CDT proposes that if law enforcement really needs better intercept capabilities for data applications, it should work on its own decode capabilities or get service bureaus to handle that same, and that the Internet service providers shouldn't have to do anything other supply a copy of the relevant users raw packet stream... Despite the angst on both sides, requiring just those VoIP services which look like traditional phone service (due to PSTN interconnection) as requiring ready lawful intercept capacity will result in the equivalent situation as we have today with CALEA, and appears to be the likely outcome of the debate. Apologies for length, /John
Re: real-time DDoS help?
Charles Sprickman wrote: Is there any place where people with experience dealing with DDoS attacks hang out? I'm getting very little assistance from my upstream beyond call whomever is in charge of each IP attacking and make them stop, and even though we null route the destination IP being attacked, this traffic will be billed. While I hate the blame the victim mentality in general, I'd guess that up to half of all the packet floods we've experienced were aimed at compromised client boxes that were hosting illegitimate services. If your victim has no idea why they're being attacked, I'd scrutinize the target host very carefully. Or if your victim is a shell host who's probably got some skript kiddie engaged in channel wars, it will likely save you a lot of time and grief to just dump that client. Is losing one worth sacrificing the rest? Unless you know exactly why you're being attacked and are willing to suffer these consequences indefinitely, you will do yourself a big favor by looking at the victim to see why the attack is occurring and removing the target from your network.
Re: real-time DDoS help?
On Sat, 19 Jun 2004, Charles Sprickman wrote: On Sun, 20 Jun 2004, Suresh Ramasubramanian wrote: On Sat, 19 Jun 2004, Jonathan Slivko wrote: Maybe if NANOG had irc.nanog.org, maybe that might be something to consider - a real-time network of communication for network operators to deal with issues, etc. There's always http://puck.nether.net/mailman/listinfo/nsp-security I can tell you right off AS8059 doesn't meet the requirements. I'd gladly respond to any reports of attacks from them, but I don't think you'd ever see any. which of your 2 upstreams isn't helping out? I'm fairly certain both providers have security groups, and do mitigate attacks for customers on a regular basis. Perhaps you are not getting in touch with the correct customer service folks? We often have this issue ;( Basement multihomers unite. hurray!
Re: real-time DDoS help?
On Sun, 20 Jun 2004, Christopher L. Morrow wrote: which of your 2 upstreams isn't helping out? I'm fairly certain both providers have security groups, and do mitigate attacks for customers on a regular basis. Perhaps you are not getting in touch with the correct customer service folks? We often have this issue ;( I don't want to go too much into it, but HE.net, once they supplied me with the proper channels immediately null-routed the IP, hurrah! I'm waiting on the answer as to whether we get billed or not for this traffic. The other upstream whom I won't name is through a reseller. That wasn't necessarily our first choice, but their own sales department told us to go with a reseller as they were not interested in two cabinets and a 100Mb handoff, so that's what we did. I'm hoping their reseller is just misunderstanding something here. For a long time he kept telling me this is illegal, you need to contact the source networks and make them stop it, so I'm guessing DDoS is not a subject he's intimately familiar with (nor am I, but I understand the mechanics of it, and I don't think that I could contact each source in my lifetime). Thanks to everyone for your input. To answer some other questions, the box under attack is not a client box, but it is the main webserver for the ISP's own site and ~user sites. It's also has shell accounts, but since I've been here I've not seen one complaint about any of our users. Most seem to not know much beyond how to use pine. I think most of our heavy-duty irc users are using windows clients at home, any irc tools on the server are horribly dated. Not saying it's not a possibility, but I do personally watch abuse@ and I've not seen anyone complain about the box. Thanks again, Charles Basement multihomers unite. hurray!
Re: real-time DDoS help?
Charles Sprickman wrote: I don't want to go too much into it, but HE.net, once they supplied me with the proper channels immediately null-routed the IP, hurrah! I'm waiting on the answer as to whether we get billed or not for this traffic. One other way to get a hold of clueful contacts, especially if you have your own AS, is the inoc-dba project - http://www.pch.net/inoc-dba/ srs
Re: real-time DDoS help?
I could host and/or setup the irc server if anyone is interested. On Sun, Jun 20, 2004 at 03:23:06AM +, Christopher L. Morrow wrote: On Sat, 19 Jun 2004, Charles Sprickman wrote: On Sun, 20 Jun 2004, Suresh Ramasubramanian wrote: On Sat, 19 Jun 2004, Jonathan Slivko wrote: Maybe if NANOG had irc.nanog.org, maybe that might be something to consider - a real-time network of communication for network operators to deal with issues, etc. There's always http://puck.nether.net/mailman/listinfo/nsp-security I can tell you right off AS8059 doesn't meet the requirements. I'd gladly respond to any reports of attacks from them, but I don't think you'd ever see any. which of your 2 upstreams isn't helping out? I'm fairly certain both providers have security groups, and do mitigate attacks for customers on a regular basis. Perhaps you are not getting in touch with the correct customer service folks? We often have this issue ;( Basement multihomers unite. hurray! -- Bubba Parker [EMAIL PROTECTED] CityNet LLC http://www.citynetinfo.com/ pgprb5nAZjPzK.pgp Description: PGP signature
Re: S.2281 Hearing (was: Justice Dept: Wiretaps...)
On Sat, 19 Jun 2004, John Curran wrote: S.2281 takes the middle of the road position in areas such as lawful intercept, universal service fund, and E911. At a high-level, those VoIP services which offer PSTN interconnection (and thereby look like traditional phone service in terms of capabilities) under S.2281 pick up the same regulatory requirements. It sounds good, if you assume there will always be a PSTN. But its like defining the Internet in terms of connecting to the ARPANET. What about Nextel's phone-to-phone talk feature which doesn't touch the PSTN? What about carriers who offer Free on-net calling, which doesn't connect to the PSTN and off-net calling to customers on the PSTN or other carriers. Will the bad guys follow the law, and only conduct their criminal activities over services connected to the PSTN? With respect to facilitating lawful intercept, the opening comments of Ms. Laura Parsky (Deputy Assistant Attorney General, US DoJ) and James Dempsey, Executive Director of the Center for Democracy and Technology (CDT) are quite informative. The DoJ view is that S.2281 is not enough, and any service using switching or transport should facilitate lawful intercept. This position has the advantage of clarity, but there are lots of communications (chat/IM/etc) that are going to hard to decode and make readily available as needed. It is also an expansion of the current framework of CALEA, which specifically sets aside information services including email and messaging. Its a return to DoJ's pre-CALEA position. Its almost a word-for-word replay of the debates in 1992/1993 and the Digital Telephony proposals. http://www.eff.org/Privacy/CALEA/digtel92_old_bill.draft Briefing Report to the Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce of the House of Representatives by the United States General Accounting Office (GAO/IMTEC-92-68BR, July 1992), The FBI now has the technical ability required to wiretap certain technologies, such as analog voice communications carried over public networks' copper wire. However, since 1986, the FBI has become increasingly aware of the potential loss of wiretapping capability due to the rapid deployment of new technologies, such as cellular and integrated voice and data services, and the emergence of new technologies such as Personal Communication Services, satellites, and Personal Communication Numbers. There are six current or imminent telecommunications technologies that the FBI needs to be able to wiretap. These are (1) analog and digital using copper wire transport, (2) analog and digital using fiber optic transport, (3) Integrated Services Digital Network (ISDN), (4) Private Branch Exchange (PBX), (5) broadband, and (6) cellular. There are also three future technologies for which wiretapping capabilities need to be addressed: (1) satellite switches, (2) Personal Communication Services (PCS), and (3) Personal Communication Number (PCN). Further, the FBI needs to be able to wiretap any special features, such as call forwarding or electronic mail.
Re: S.2281 Hearing (was: Justice Dept: Wiretaps...)
At 12:06 AM -0400 6/20/04, Sean Donelan wrote: On Sat, 19 Jun 2004, John Curran wrote: S.2281 takes the middle of the road position in areas such as lawful intercept, universal service fund, and E911. At a high-level, those VoIP services which offer PSTN interconnection (and thereby look like traditional phone service in terms of capabilities) under S.2281 pick up the same regulatory requirements. It sounds good, if you assume there will always be a PSTN. But its like defining the Internet in terms of connecting to the ARPANET. Correct. It's a workable interim measure to continue today's practice while the edge network is transitioning to VoIP. It does not address the more colorful long-term situation that law enforcement will be in shortly with abundant, ad-hoc, encrypted p2p communications. What about Nextel's phone-to-phone talk feature which doesn't touch the PSTN? What about carriers who offer Free on-net calling, which doesn't connect to the PSTN and off-net calling to customers on the PSTN or other carriers. Will the bad guys follow the law, and only conduct their criminal activities over services connected to the PSTN? Sean - what alternative position do you propose? /John
Re: S.2281 Hearing (was: Justice Dept: Wiretaps...)
if the pro-ported bad guys are so swift why would they use anything packaged anyway? They have engineers and scientific minds in their ranks that understand devices, boards and the likes and could simply create their own data centers and simply use new protocols to communicate over the public lines and not one person would know the difference, all the laws in the world would not stop them, since US law doesn't apply to anyone but US citizens and most other nations could care less about what we imagine, contrive and go into hysterics about. -Henry --- John Curran [EMAIL PROTECTED] wrote: At 12:06 AM -0400 6/20/04, Sean Donelan wrote: On Sat, 19 Jun 2004, John Curran wrote: S.2281 takes the middle of the road position in areas such as lawful intercept, universal service fund, and E911. At a high-level, those VoIP services which offer PSTN interconnection (and thereby look like traditional phone service in terms of capabilities) under S.2281 pick up the same regulatory requirements. It sounds good, if you assume there will always be a PSTN. But its like defining the Internet in terms of connecting to the ARPANET. Correct. It's a workable interim measure to continue today's practice while the edge network is transitioning to VoIP. It does not address the more colorful long-term situation that law enforcement will be in shortly with abundant, ad-hoc, encrypted p2p communications. What about Nextel's phone-to-phone talk feature which doesn't touch the PSTN? What about carriers who offer Free on-net calling, which doesn't connect to the PSTN and off-net calling to customers on the PSTN or other carriers. Will the bad guys follow the law, and only conduct their criminal activities over services connected to the PSTN? Sean - what alternative position do you propose? /John