
I would imagine (I could be wrong) countries that only have a single authorized source of IP-based TV also aren't going to be incredibly nuanced in what they want blocked, but expect you to comply with it.

If it was here in the States, they better spell out exactly what they want blocked and even then, I may not block it because of 1st Amendment stuff. Obviously, if there's exploitation happening, that's a quick override to my resistance to blocking.

Yes, obviously I'd have them consult with an attorney from that jurisdiction. I didn't come here for legal advice, but for technical. I didn't know if someone like Sandvine, Palo, F5, Allot, etc. had some kind of magic that would make it "simpler" to facilitate such a block. After all, things like FQ_CODEL and CAKE have pretty much just created an easy button for Internet QOS. I don't have to identify game download vs. email download vs. web browsing vs. VoIP vs. video conference vs.... it just magic buttons it away.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Jay" <mysidia@gmail.com>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: "NANOG" <nanog@nanog.org>
Sent: Monday, February 10, 2025 5:38:10 PM
Subject: Re: Filtering "Illegal" Video

On Mon, Feb 10, 2025 at 4:14 PM Mike Hammett <nanog@ics-il.net> wrote:
..
> Are there platforms out there that can accomplish this with any precision?

The Snort IDS? Any product capable of deep packet inspection that can be plugged into a Tap or SPAN port.

Many network-based IDS would allow you to write custom rules to detect packets matching certain patterns. Then if the packet being sent out matches your custom rules one can execute a trigger condition, such as temporarily blocking the customer IP address for 2 minutes, until all their opened TCP connections time out.

There's a scalability issue in that a large carrier would require a massive number of analysis machines. The cost and hardware resources to operate inspection devices can be very high, and they can be very prone to false positives.

> No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?

In most of the world "Block all Illegal TV" would be a vague unenforceable order. The biggest thing you had to do in that case may be to file a response to the order and provide what additional information/direction is necessary.

Carrying out a blocking order for an ISP would generally include steps such as modifying your recursive DNS server policies to deny lookups for the domain names to be blocked. Or possibly adding ACLs to deny traffic towards IP addresses from your customers on your network within jurisdiction provided the IP addresses belong to entities to be blocked.

It's not that you have to weigh in on what you think is illegal TV; it's not a carrier's duty to figure out every type of message that might be illegal where you have no knowledge. Until there is a particular regulation or law spelling out the requirement specifically or until you are given enough information about exactly who to block with enough specificity to block them without causing damage to other legitimate service providers who aren't subjects of the order.

For you to block YouTube: they had to tell you specifically to block YouTube. Netflix would not be covered, unless they provide Netflix in the order, etc. You had to have knowledge that a particular domain, IP address, or protocol is an illegal service in order to recognize it should be blocked.

It's not generally possible to block a whole protocol without the network containing deep-packet inspection equipment. In that case protocol alone still cannot tell you the difference between IP telephony/videoconferencing, or personal streaming versus viewing illegal content. Traffic over VPNs is almost completely opaque, and there is no way for a transit provider to detect the difference between transferring legal Linux install disk images or home security footage to a cloud provider versus pirated movies.

So the only blocking order that could really apply to data transmission over VPN would be if the whole VPN connection is to be blocked.

As a carrier you should have legal counsel to advise you about special regulations in countries you operate.

It is possible to make efforts at disrupting or throttling different protocols or port numbers. For example, you could deploy a solution to block BitTorrent if you wanted, but it would be expensive, not highly effective, and still impact legal uses of the protocol just as much as illegal uses.

> -----
> Mike Hammett

--
-JA