On 20/01/2016 16:40, uknof-requ...@lists.uknof.org.uk wrote:
A slightly more detailed description can be found in some of the Home
Office written evidence to the joint committee:
http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26435.pdf
Page 29 provides the following items as the "core" of an ICR:
* Account reference
* Source IP
* Source port
* Dest IP
* Dest port
* Session start timestamp
That sounds rather like Netflow accounting - except "Account reference"
would have to be externally obtained by looking up the customer's IP
address in some other data source, e.g. RADIUS accounting.
And additionally, entities "whose quality may be degraded by a
number of factors" and which "are desirable and will be sought where
feasible and cost effective to do so":
* URI domain/service identifier
* Session end timestamp
* Volumes transferred and direction
Netflow will also give you the last two. However, looking at
network-layer traffic can't possibly give you the domain. (Well, you
could attempt to correlate network traffic with client DNS queries; but
the presence of client caching and multiple clients behind NAT makes
that pretty infeasible. Otherwise you can do DPI on HTTP, SMTP etc; but
that won't work with the TLS versions of those.)
It seems to me this whole thing is written by someone who thinks that:
1. "The Internet" and "The Web" are the same thing
2. "Internet Connection Records" are real things, which are already
captured by ISPs in the course of their business (in the way that CDRs
are captured by telephony providers)
Maybe that's true for mobile phone networks, who often funnel clients
through their own NAT/proxy devices for the purposes of saving IP
addresses and compressing content. But it's clearly not the case for
fixed-line ISPs.
And what would be the requirements for *hosting* ISPs, who sell multiple
1G and 10G ports?
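As an added illustration of the Netflow-plus-RADIUS join the post describes (example code written for this page, not from the original message or the Home Office document; the account references, addresses and timestamps are constructed), this assembles the "core" and "desirable" ICR fields from a flow record by looking up the source IP against RADIUS accounting sessions, and shows that the domain field has no network-layer source:

```python
from datetime import datetime

# Constructed RADIUS accounting sessions (hypothetical data): which subscriber
# held which framed IP, and between which Start/Stop accounting records.
# A stop time of None means the session is still open.
RADIUS_SESSIONS = [
    ("ACC-0001", "198.51.100.10", datetime(2016, 1, 20, 8, 0), datetime(2016, 1, 20, 12, 0)),
    ("ACC-0002", "198.51.100.10", datetime(2016, 1, 20, 12, 5), None),  # IP re-assigned
    ("ACC-0003", "198.51.100.11", datetime(2016, 1, 20, 9, 0), None),
]

# Constructed NetFlow-style records (hypothetical): 5-tuple, flow start/end, byte counts.
NETFLOW = [
    {"src_ip": "198.51.100.10", "src_port": 51234, "dst_ip": "203.0.113.5", "dst_port": 443,
     "start": datetime(2016, 1, 20, 9, 30), "end": datetime(2016, 1, 20, 9, 31),
     "bytes_out": 1200, "bytes_in": 48000},
    {"src_ip": "198.51.100.10", "src_port": 40001, "dst_ip": "203.0.113.9", "dst_port": 25,
     "start": datetime(2016, 1, 20, 12, 30), "end": datetime(2016, 1, 20, 12, 30),
     "bytes_out": 3000, "bytes_in": 500},
    {"src_ip": "198.51.100.10", "src_port": 40002, "dst_ip": "203.0.113.9", "dst_port": 80,
     "start": datetime(2016, 1, 20, 12, 2), "end": datetime(2016, 1, 20, 12, 3),
     "bytes_out": 100, "bytes_in": 100},  # falls in the gap between two sessions
]

def lookup_account(ip, ts):
    """Map a source IP at a given time to the RADIUS account that held it, or None."""
    for account, framed_ip, start, stop in RADIUS_SESSIONS:
        if framed_ip == ip and start <= ts and (stop is None or ts <= stop):
            return account
    return None  # no accounting record covers this IP at this moment

def build_icr(flow):
    """Assemble the 'core' and 'desirable' ICR fields listed in the post from one flow."""
    return {
        # core fields: the 5-tuple and start time come straight from the flow record
        "account_reference": lookup_account(flow["src_ip"], flow["start"]),
        "source_ip": flow["src_ip"],
        "source_port": flow["src_port"],
        "dest_ip": flow["dst_ip"],
        "dest_port": flow["dst_port"],
        "session_start": flow["start"],
        # desirable fields that flow accounting does provide
        "session_end": flow["end"],
        "bytes_out": flow["bytes_out"],
        "bytes_in": flow["bytes_in"],
        # desirable field that a network-layer record cannot provide
        "uri_domain": None,
    }
```

The third flow shows the failure mode of the join: a flow seen while an IP is between RADIUS sessions yields no account reference, so the "core" record is incomplete even before the domain question arises.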