[LINK] internet chapter of secret ACTA draft leaked

Glen Turner gdt at gdt.id.au
Wed Feb 24 12:10:55 AEDT 2010


OK, I'm going to give your idea a moment of my time.

1) It won't help ISPs overcome their issues with ACTA.  The
entertainment industry's issue is with unlicensed copies of
its material, not with the technology; ISPs are merely a
handy lever. In fact, I'd predict that the entertainment
industry would seek by lobbying to directly manage your
APN firewalls, seeing that as a useful lever too.

ISPs don't want to be involved in a fight between the
entertainment industry and its customers, because ISPs
don't want to fight with their customers. Similarly, your
APN will end up in the position of fighting with your
customers at the behest of a party totally unconnected
with you.

2) ISPs can't deploy firewalls for their entire customer base. "Deep
packet inspection" is CPU intensive. We simply can't power and cool
that amount of CPU or ASIC. Just moving packets around takes 8KVA
per router at 10Gbps.

Technically, you need federated configuration of the firewalls on
customer premises equipment, not a distinct network.  That's an
idea whose time has come and I'd encourage you to pursue it.

3) Blocking is problematic.

3a) Evil traffic runs on real ports between real IP addresses.
For example, HTTP to a real but subverted web server.

3b) You don't know what you are blocking. It could be a machine,
it could be a proxy or NAT for tens of thousands of users. As a
result you can only block what you know --- the *attacked* machine,
not the *attacker*.

For example, imagine a parliament with its web site being DDoSed.
That government could issue notices to ISPs obligating them to
block the *attacker* IP addresses.  That could block the web
proxy of a major hospital, denying its A&E access to online
resources such as poisons databases because of one subverted PC
in its network of thousands of PCs. So lives are risked so that
a political website can continue to serve its pamphlets.

So blocking is effective on a small scale, but fails at a large
scale.

-- 
  Glen Turner   <http://www.gdt.id.au/~gdt/>
