Pascal Gloor wrote:
Does any country in the world require such things?
To put a small operational comment here [this is NANOG isn't it?], customers with Slammer worm -really- blow out internal NetFlow between themselves and the nearest filter blocking them. We had a lot of 56k modem customers with Slammer so we hadn't noticed them in terms of any throughput graphs, and their actual traffic gets blocked at various points, but before it does it has a drastic effect on the NetFlow server. So if anyone else is keeping complete NetFlows of every router in your network and wondering why they've grown so much over the past few weeks... find everything to UDP destination 1434 and get someone to contact the customer *sigh*

In Australia you aren't -required- to keep anything, but anything you do happen to have/keep (eg. proxy logs, NetFlow, mail logs, RADIUS logs, etc) you are required to hand over on a proper request. And if you do happen to keep reasonable logs and co-operate with authorities where required (very rare that it's actually required), then they're unlikely to do something unkind such as take your ISP's servers as "potential evidence" for six months, which of course they'd be perfectly entitled to do (after months of careful analysis they may find some old logs that have been written over 100 times by carefully removing each magnetic signal to reveal traces of the one before, for example - so it's a justified but far from ideal action).

I've never had an unreasonable or intrusive request from the authorities, even as an example when a suspected murderer who had contacted his alleged victim(s) via the internet had left his email on the server they did not request his email as that was beyond the bounds of what they are comfortable to request (fortunately - because we would have had to consult the lawyers on the legality of releasing actual communications content; the analogy of the envelope and the contents is an often used one, in traditional mail the writing on the envelope is essentially public knowledge but the contents of the envelope are subject to strict privacy laws. NetFlow inspects packet headers - envelope. Proxy logs contain only the size and address of requests - envelope. Similarly mail logs; address, return address, size, etc - envelope details again. But mailbox contents correspond to envelope contents, so they're a much harder question).

The authorities are usually quite understanding that logs are quite large, and if they have a request they must get it to us quickly to expect a useful response. And the response has been in 100% of cases that we've identified a customer who happens to be a Net Cafe... so they get to go and try their luck on getting a Net Cafe to identify a customer from their proxy logs and customer records (yeah, sure).

Note that caller ID is very special here. Specifically, the caller ID used to connect to an account must NOT be revealed to the account holder (think: account holder checks usage, finds out who did it, and goes over to go kill person responsible for large bill), and must ONLY be revealed to responsible authorities with some very specific paperwork. This is contrary to, for example, Singapore (where our parent company operates), where each customer sees the caller ID details on their online usage summary.

As to extremes of lawful interception - try Singapore and China. Singapore Govt require the use of a proxy (if the proxies are all down, the internet is down), so I'd assume they also require keeping of the proxy logs. I don't know if it's still the case, but it used to be that Singapore had a "banned list" for the proxies and China took things to a further extreme by having an "ok sites list" rather than a "banned list".

David.
--
David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
http://www.pacific.net.au/                      NASDAQ:  PCNTF
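
The check mentioned in the message above (find everything to UDP destination 1434), as an added example that is not part of the original post: it groups exported flow records by source and ranks the sources by how many distinct destinations they hit on that port. The CSV column layout, the `suspect_sources` helper and the sample records are constructed for illustration and would need mapping to a real collector's export.

```python
import csv
import io
from collections import defaultdict

SLAMMER_PORT = 1434   # UDP port named in the post (SQL Server Resolution Service)
UDP = 17              # IP protocol number for UDP

# Constructed sample export; the column names are an assumed layout,
# not the output format of any particular NetFlow collector.
SAMPLE_FLOWS = """src,dst,proto,dport,packets,bytes
10.1.1.5,198.51.100.7,17,1434,1,404
10.1.1.5,203.0.113.9,17,1434,1,404
10.1.1.5,192.0.2.44,17,1434,1,404
10.1.1.5,198.51.100.200,17,1434,1,404
10.2.2.2,192.0.2.1,17,1434,1,404
10.2.2.2,192.0.2.2,17,1434,1,404
10.2.2.2,192.0.2.3,17,1434,1,404
10.1.1.9,10.0.0.20,17,1434,1,60
10.1.1.7,10.0.0.53,17,53,1,72
10.1.1.8,10.0.0.20,6,1434,3,180
10.1.1.6,truncated
"""

def suspect_sources(flow_csv, min_dsts=3):
    """Return [(src, distinct_dsts, flows, bytes)] for UDP/1434 senders, worst first."""
    dsts = defaultdict(set)
    flows = defaultdict(int)
    octets = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = row["src"], row["dst"]
            proto, dport, nbytes = int(row["proto"]), int(row["dport"]), int(row["bytes"])
        except (KeyError, TypeError, ValueError):
            continue  # skip truncated or malformed records instead of aborting the run
        if proto != UDP or dport != SLAMMER_PORT:
            continue  # TCP/1434 and other UDP ports are not the pattern described
        dsts[src].add(dst)
        flows[src] += 1
        octets[src] += nbytes
    # Many distinct destinations from one source separates a scanning host
    # from a single legitimate lookup against one SQL server.
    hits = [(s, len(d), flows[s], octets[s]) for s, d in dsts.items() if len(d) >= min_dsts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, ndst, nflows, nbytes in suspect_sources(SAMPLE_FLOWS):
        print(f"{src}: {ndst} destinations, {nflows} flows, {nbytes} bytes")
```

The `min_dsts` threshold is a tuning assumption; the ranked source list is what would be handed to whoever contacts the customer.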