Re: Russian government’s disconnection test
--- surfer@mauigateway.com wrote: From: "Scott Weeks" <surfer@mauigateway.com> Anyone got any technical info on how Russia plans to execute a disconnection test of the internet? ------------------------------------ Got crickets, so now I have to respond to my own post on what I just found out about it. Is that like talking to yourself? :) https://www.npr.org/2019/11/01/775366588/russian-law-takes-effect-that-gives... "The "sovereign Internet law," as the government calls it, greatly enhances the Kremlin's control over the Web. It was passed earlier this year and allows Russia's government to cut off the Internet completely or from traffic outside Russia "in an emergency," as the BBC reported. But some of the applications could be more subtle, like the ability to block a single post." "The equipment would conduct what's known as "deep packet inspection," an advanced way to filter network traffic. "Regardless of what the government intends, some experts think it would be technically difficult for Russia to actually close its network if it wanted to, because of the sheer number of its international connections." "What I found was that there were hundreds of existing Internet exchange points in Russia, some of which have hundreds of participants...Many of them are international network providers, he says, so "basically it's challenging — if not impossible, I think — to completely isolate the Russian Internet." Belson says that the requirement for Internet service providers to install tracking software will very likely also be challenging in practice. He adds that it will be difficult to get hundreds of providers to deploy it and hard to coordinate that they're all filtering the same content. scott
I guess if all telecoms and carriers in Russia (or say China) are under strong government control/oversight, its fairly easy from a technology standpoint to block the outside world. The thing that I always wonder about is the ability for citizens to bypass the restriction via satellite internet nowadays. I guess they need a law to make that illegal too, if found purchasing satellite internet gear, off to the gulag! On the other hand, if Russia disconnected from the outside world, how would all their trolls and bot farms get any work done?
On Nov 1, 2019, at 7:02 PM, Scott Weeks <surfer@mauigateway.com> wrote:
--- surfer@mauigateway.com wrote: From: "Scott Weeks" <surfer@mauigateway.com>
Anyone got any technical info on how Russia plans to execute a disconnection test of the internet? ------------------------------------
Got crickets, so now I have to respond to my own post on what I just found out about it. Is that like talking to yourself? :)
https://www.npr.org/2019/11/01/775366588/russian-law-takes-effect-that-gives...
"The "sovereign Internet law," as the government calls it, greatly enhances the Kremlin's control over the Web. It was passed earlier this year and allows Russia's government to cut off the Internet completely or from traffic outside Russia "in an emergency," as the BBC reported. But some of the applications could be more subtle, like the ability to block a single post."
"The equipment would conduct what's known as "deep packet inspection," an advanced way to filter network traffic.
"Regardless of what the government intends, some experts think it would be technically difficult for Russia to actually close its network if it wanted to, because of the sheer number of its international connections."
"What I found was that there were hundreds of existing Internet exchange points in Russia, some of which have hundreds of participants...Many of them are international network providers, he says, so "basically it's challenging — if not impossible, I think — to completely isolate the Russian Internet."
Belson says that the requirement for Internet service providers to install tracking software will very likely also be challenging in practice. He adds that it will be difficult to get hundreds of providers to deploy it and hard to coordinate that they're all filtering the same content.
scott
On Fri, 1 Nov 2019, John Von Essen wrote:
The thing that I always wonder about is the ability for citizens to bypass the restriction via satellite internet nowadays. I guess they need a law to make that illegal too, if found purchasing satellite internet gear, off to the gulag!
Essentially all international telecommunications treaties, including for satellites, were originally written during the cold war. Those treaties all have ways for sovereign nations to 'revoke' permission to operate in their jurisdiction, again including satellite downlinks. While there will be some leakage, just like during the cold war, my guess -- if a sovereign nation invokes those treaty terms it would cut-off around 95% to 97% of ordinary public communications from/to that territory. There might be some 'rogue' links, and military/government links that aren't cut-off. Since the Bill Clinton Administration, the U.S. has had an official government policy *NOT* to invoke those treaty terms. But doesn't prevent other countries from invoking them.
On the other hand, if Russia disconnected from the outside world, how would all their trolls and bot farms get any work done?
Already out-sourced to bulletproof hosting providers and so on, around the world ... again much like during the cold war.
Unpopular opinion: other countries should do the same. If somehow all the transatlantic (and/or transpacific) cables are offline; will the whole internet outside of the US stop working, too? AWS and all the other providers have DCs all over the world, but would they still work if they can't contact the mothership, and for how long? (Has any of this ever been tested?) I would imagine that the internet is a whole less resilient today in 2019 than it was back in the day before the cloud takeover. You often can't even install OSS without an internet connection anymore. Would Golang stop working? What else? Would you and/or your corporation be able to access your own email? All these things may seem silly, until you actually encounter the situation where you're offline, and it's too late to do anything. C. On Fri, 1 Nov 2019 at 18:04, Scott Weeks <surfer@mauigateway.com> wrote:
--- surfer@mauigateway.com wrote: From: "Scott Weeks" <surfer@mauigateway.com>
Anyone got any technical info on how Russia plans to execute a disconnection test of the internet? ------------------------------------
Got crickets, so now I have to respond to my own post on what I just found out about it. Is that like talking to yourself? :)
https://www.npr.org/2019/11/01/775366588/russian-law-takes-effect-that-gives...
"The "sovereign Internet law," as the government calls it, greatly enhances the Kremlin's control over the Web. It was passed earlier this year and allows Russia's government to cut off the Internet completely or from traffic outside Russia "in an emergency," as the BBC reported. But some of the applications could be more subtle, like the ability to block a single post."
"The equipment would conduct what's known as "deep packet inspection," an advanced way to filter network traffic.
"Regardless of what the government intends, some experts think it would be technically difficult for Russia to actually close its network if it wanted to, because of the sheer number of its international connections."
"What I found was that there were hundreds of existing Internet exchange points in Russia, some of which have hundreds of participants...Many of them are international network providers, he says, so "basically it's challenging — if not impossible, I think — to completely isolate the Russian Internet."
Belson says that the requirement for Internet service providers to install tracking software will very likely also be challenging in practice. He adds that it will be difficult to get hundreds of providers to deploy it and hard to coordinate that they're all filtering the same content.
scott
On Nov 1, 2019, at 8:15 PM, Constantine A. Murenin <mureninc@gmail.com> wrote:
If somehow all the transatlantic (and/or transpacific) cables are offline; will the whole internet outside of the US stop working, too?
This has nothing to do with cables, and everything to do with information control and politics.
On Fri, 1 Nov 2019, Fred Baker wrote:
This has nothing to do with cables, and everything to do with information control and politics.
I agree with Fred, but trying to keep this on a technical list. Has anyone compared the network resiliancy and reliability in countries with centralized control with similar situated countries with decentralized networks? For example, various developing countries have been doing deals to build out network infrastructure which follow the Great Firewall approach to network architecture. I'm not certain if its always a deliberate decision, but often the economics of Walled Garden networks make them attractive. There are enough developing countries around the world doing this, it should be possible to measure differences in reliability between countries.
Sean Donelan wrote on 02/11/2019 19:32:
Has anyone compared the network resiliancy and reliability in countries with centralized control with similar situated countries with decentralized networks?
US-EU connectivity is curious. E.g. how many active transatlantic EU-US cable systems are there? How many active transatlantic cable systems are there which are less than 15 years old? How many active transatlantic cable systems are there which are less than 15 years old and which don't pass through the UK, which will be outside the EU in a couple of months time? How many planned new US-EU cable systems terminate solely in the UK? Answers: 19, 3, 2, 0.
I agree with Fred, but trying to keep this on a technical list.
International connectivity is intrinsically linked to both politics and economics - always has been. Nick
Peace, On Sat, Nov 2, 2019 at 3:16 AM Constantine A. Murenin <mureninc@gmail.com> wrote:
If somehow all the transatlantic (and/or transpacific) cables are offline
...then probably a horrific global disaster has occurred, and a sudden degradation of the Internet connectivity would be about the least of your problems. -- Töma
I would imagine that the internet is a whole less resilient today in 2019 than it was back in the day before the cloud takeover.
It's far *more* resilient now than it has ever been. More sub-sea cables. Multiple routes across continents. The very fact that there are AWS/Azure/Google Cloud data centers located around the globe makes anything hosted there even more resilient, not less (and for the most part, I still prefer on prem DC so I'm not even pushing "To the cloud!"). - Mike Bolitho On Fri, Nov 1, 2019 at 5:16 PM Constantine A. Murenin <mureninc@gmail.com> wrote:
Unpopular opinion: other countries should do the same.
If somehow all the transatlantic (and/or transpacific) cables are offline; will the whole internet outside of the US stop working, too?
AWS and all the other providers have DCs all over the world, but would they still work if they can't contact the mothership, and for how long? (Has any of this ever been tested?)
I would imagine that the internet is a whole less resilient today in 2019 than it was back in the day before the cloud takeover. You often can't even install OSS without an internet connection anymore. Would Golang stop working? What else?
Would you and/or your corporation be able to access your own email? All these things may seem silly, until you actually encounter the situation where you're offline, and it's too late to do anything.
C.
On Fri, 1 Nov 2019 at 18:04, Scott Weeks <surfer@mauigateway.com> wrote:
--- surfer@mauigateway.com wrote: From: "Scott Weeks" <surfer@mauigateway.com>
Anyone got any technical info on how Russia plans to execute a disconnection test of the internet? ------------------------------------
Got crickets, so now I have to respond to my own post on what I just found out about it. Is that like talking to yourself? :)
https://www.npr.org/2019/11/01/775366588/russian-law-takes-effect-that-gives...
"The "sovereign Internet law," as the government calls it, greatly enhances the Kremlin's control over the Web. It was passed earlier this year and allows Russia's government to cut off the Internet completely or from traffic outside Russia "in an emergency," as the BBC reported. But some of the applications could be more subtle, like the ability to block a single post."
"The equipment would conduct what's known as "deep packet inspection," an advanced way to filter network traffic.
"Regardless of what the government intends, some experts think it would be technically difficult for Russia to actually close its network if it wanted to, because of the sheer number of its international connections."
"What I found was that there were hundreds of existing Internet exchange points in Russia, some of which have hundreds of participants...Many of them are international network providers, he says, so "basically it's challenging — if not impossible, I think — to completely isolate the Russian Internet."
Belson says that the requirement for Internet service providers to install tracking software will very likely also be challenging in practice. He adds that it will be difficult to get hundreds of providers to deploy it and hard to coordinate that they're all filtering the same content.
scott
Peace, On Sat, Nov 2, 2019 at 7:20 PM Mike Bolitho <mikebolitho@gmail.com> wrote:
I would imagine that the internet is a whole less resilient today in 2019 than it was back in the day before the cloud takeover. It's far more resilient now than it has ever been. More sub-sea cables. Multiple routes across continents.
Constantine is probably right in that the *World Wide Web* engineering is now sorta less resilient to an arbitrary failure than it used to be. One glorious example of that would probably be the "left-pad" incident circa 2016. The *Internet*, however, is different from the WWW, and it's undoubtedly much more stable today. -- Töma
I think the disconnect idea is actually a good one... I don't know that I want to DO IT, but :) it certainly seems like a reasonable disaster recovery planning exercise :) (likely doing it is the only way to really suss out the problems though) On Sat, Nov 2, 2019 at 12:19 PM Mike Bolitho <mikebolitho@gmail.com> wrote:
I would imagine that the internet is a whole less resilient today in 2019 than it was back in the day before the cloud takeover.
It's far more resilient now than it has ever been. More sub-sea cables. Multiple routes across continents. The very fact that there are AWS/Azure/Google Cloud data centers located around the globe makes anything hosted there even more resilient, not less (and for the most part, I still prefer on prem DC so I'm not even pushing "To the cloud!").
"as long as the customers (who need global reachability) build their cloud applications/etc without just sticking everything in the equivalent of us-east" :) There are a LOT of folk who ' tossed it in the cloud, all good now?' and .. .sadly did not plan on disaster/global-reachability very well :(
- Mike Bolitho
On Fri, Nov 1, 2019 at 5:16 PM Constantine A. Murenin <mureninc@gmail.com> wrote:
Unpopular opinion: other countries should do the same.
If somehow all the transatlantic (and/or transpacific) cables are offline; will the whole internet outside of the US stop working, too?
AWS and all the other providers have DCs all over the world, but would they still work if they can't contact the mothership, and for how long? (Has any of this ever been tested?)
I would imagine that the internet is a whole less resilient today in 2019 than it was back in the day before the cloud takeover. You often can't even install OSS without an internet connection anymore. Would Golang stop working? What else?
Would you and/or your corporation be able to access your own email? All these things may seem silly, until you actually encounter the situation where you're offline, and it's too late to do anything.
C.
On Fri, 1 Nov 2019 at 18:04, Scott Weeks <surfer@mauigateway.com> wrote:
--- surfer@mauigateway.com wrote: From: "Scott Weeks" <surfer@mauigateway.com>
Anyone got any technical info on how Russia plans to execute a disconnection test of the internet? ------------------------------------
Got crickets, so now I have to respond to my own post on what I just found out about it. Is that like talking to yourself? :)
https://www.npr.org/2019/11/01/775366588/russian-law-takes-effect-that-gives...
"The "sovereign Internet law," as the government calls it, greatly enhances the Kremlin's control over the Web. It was passed earlier this year and allows Russia's government to cut off the Internet completely or from traffic outside Russia "in an emergency," as the BBC reported. But some of the applications could be more subtle, like the ability to block a single post."
"The equipment would conduct what's known as "deep packet inspection," an advanced way to filter network traffic.
"Regardless of what the government intends, some experts think it would be technically difficult for Russia to actually close its network if it wanted to, because of the sheer number of its international connections."
"What I found was that there were hundreds of existing Internet exchange points in Russia, some of which have hundreds of participants...Many of them are international network providers, he says, so "basically it's challenging — if not impossible, I think — to completely isolate the Russian Internet."
Belson says that the requirement for Internet service providers to install tracking software will very likely also be challenging in practice. He adds that it will be difficult to get hundreds of providers to deploy it and hard to coordinate that they're all filtering the same content.
scott
On Sat, 02 Nov 2019 14:49:58 -0400, Christopher Morrow said:
I think the disconnect idea is actually a good one... I don't know that I want to DO IT, but :) it certainly seems like a reasonable disaster recovery planning exercise :) (likely doing it is the only way to really suss out the problems though)
Some of us remember disconnecting the uplink when the Morris Worm first started wandering around, and then wondering how we were going to get news of the details so we could patch our boxen so it would be safe to reconnect the cable to the router.... As more systems moved to secure update distribution schemes with only allowing vendor-signed patches from https:// secured trusted sites, we may find ourselves in a similar "don't dare be only, but have to be to fix the problem" mess if a worm gets loose... (Yes, you can probably ACL the router. Not the sort of thing you want to be doing at oh-dark-thirty if you don't know what ACL is safe to use and you are cut off from a lot of info sources...)
On Sat, Nov 02, 2019 at 09:18:36AM -0700, Mike Bolitho wrote:
The very fact that there are AWS/Azure/Google Cloud data centers located around the globe makes anything hosted there even more resilient, not less (and for the most part, I still prefer on prem DC so I'm not even pushing "To the cloud!").
No, this fact makes everything far less resilient, because it means "one stop shopping" for attackers. It also makes the available attacker budget much greater, since the ROI increases every time more resources are concentrated in fewer places. ---rsk
participants (12)
-
Christopher Morrow
-
Constantine A. Murenin
-
Fred Baker
-
John Von Essen
-
Mike Bolitho
-
Nathan Angelacos
-
Nick Hilliard
-
Rich Kulawiec
-
Scott Weeks
-
Sean Donelan
-
Töma Gavrichenkov
-
Valdis Klētnieks