Routing public traffic across county boundaries in Europe
I think this is a pretty dumb question, because I presume this is how most organisations save money and provide resilience. What (if any) are the legal implications of taking internet destined traffic in one country and egressing it in another (with an ip block correctly marked for the correct country). Somebody mentioned to me the other day that they thought the Dutch government didn't allow an ISP to take internet traffic from a Dutch citizen and egress in another country because it makes it easy for the local country to snoop. I've done lots of searching and have our legal council investigating but I thought someone here might be able to point me in the direction of any legislation? (I'll summarise any off-list replies)... Thanks, -- Andy Loukes Senior Systems Architect The Cloud Networks http://www.thecloud.net/content.asp?section=1&content=32
Andy, I've always wondered this as well. Similar scenario, although not necessarily egress in a foreign country, but transiting through. For a brief period, we had an OC48 that carried packets on our network between Chicago and Seattle that traversed a router of ours in Vancouver, BC Canada. Any legal minds here that may know the answer? Randy
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Andy Loukes Sent: Thursday, July 26, 2007 3:53 AM To: nanog@merit.edu Subject: Routing public traffic across county boundaries in Europe
I think this is a pretty dumb question, because I presume this is how most organisations save money and provide resilience.
What (if any) are the legal implications of taking internet destined traffic in one country and egressing it in another (with an ip block correctly marked for the correct country).
Somebody mentioned to me the other day that they thought the Dutch government didn't allow an ISP to take internet traffic from a Dutch citizen and egress in another country because it makes it easy for the local country to snoop.
I've done lots of searching and have our legal council investigating but I thought someone here might be able to point me in the direction of any legislation?
(I'll summarise any off-list replies)... Thanks, -- Andy Loukes
Senior Systems Architect The Cloud Networks http://www.thecloud.net/content.asp?section=1&content=32
On Thu, Jul 26, 2007 at 08:52:55AM +0100, Andy Loukes wrote:
What (if any) are the legal implications of taking internet destined traffic in one country and egressing it in another (with an ip block correctly marked for the correct country).
Somebody mentioned to me the other day that they thought the Dutch government didn't allow an ISP to take internet traffic from a Dutch citizen and egress in another country because it makes it easy for the local country to snoop.
I'm not in a position where I would know for sure, but I'd be surprised if it were the case, in a atmosphere of European common market and police cooperation and all European police-judiciary trust all other European police-judiciary even more than the ones of US states do (as in a Dutch judge can issue a arrest warrant and French / German / ... police will execute it without intervention of a French / German / ... judge, nor decision by any administration, ... Possibly, it could be construed as a violation of the concept of European common market, and thus it is forbidden to forbid. What I would expect is that you still have to obey lawful intercept legislation, so you need to interconnect with the government "black box" rooms, and these are at the major IXs in the country. (And I've repeatedly heard that in the Netherlands, for some time in the past at least, the way the ISPs got rid of the lawful intercept obligation was to have the AMS-IX send a copy of *all* the traffic to the government black box. Not that they had to do that, but it was the easiest / cheapest way.) If there were any such obligation, I'd expect the real reason not to be "the egress country can snoop", but "it is harder for the originating country to snoop". Also, I've heard that Canada had (maybe still has) this legislation forbidding you to route intra-Canadian *telephone* traffic through another country. Something about else nobody would build a intercontinental coast-to-coast Canadian network, would just send long-distance traffic to the USA, go to other coast and send it back to Canada and being this dependent on a foreign country, that's bad. -- Lionel
On 7/27/07, Lionel Elie Mamane <lionel@mamane.lu> wrote:
What I would expect is that you still have to obey lawful intercept legislation, so you need to interconnect with the government "black box" rooms, and these are at the major IXs in the country. (And I've repeatedly heard that in the Netherlands, for some time in the past at least, the way the ISPs got rid of the lawful intercept obligation was to have the AMS-IX send a copy of *all* the traffic to the government black box. Not that they had to do that, but it was the easiest / cheapest way.)
Easiest/cheapest for the Dutch ISPs. Not for the government though! AMS-IX can be 200GBits a second, so I wonder if this was an exercise in killing the snoopers with kindness. If there were any such obligation, I'd expect the real reason not to
be "the egress country can snoop", but "it is harder for the originating country to snoop".
Perhaps. The French and German govts are not keen on their officials using Blackberrys 'cos all European BlackBerry traffic goes via a building near my house (single point of failure? we don't need no stinkin' redundancy!) in London.
On Jul 27, 2007, at 6:14 AM, Lionel Elie Mamane wrote: [...]
(And I've repeatedly heard that in the Netherlands, for some time in the past at least, the way the ISPs got rid of the lawful intercept obligation was to have the AMS-IX send a copy of *all* the traffic to the government black box. Not that they had to do that, but it was the easiest / cheapest way.)
[...] That is complete and utter nonsens. That never ever happend. As everybody can see in the public member list [1] on the AMS-IX website, the Dutch police (AS16147) is connected via 100Mbit/s port. They are just another member, nothing more nothing less. Encrypted and signed tapped traffic from lawful interceptions may be send from the Dutch ISPs to the police via peering. That traffic may go over AMS-IX indeed. The Dutch ISP are obligated to apply these taps on *access-lines* after some form of legal order. They have to have the the right procedures and equipment to do that (at their own costs) [2]. -- Arien -- Arien Vijn Amsterdam Internet Exchange [1] http://www.ams-ix.net/connected/?expanded=1 [2] (In Dutch) http://www.agentschap-telecom.nl/informatie/aftappen/ paginas/faq.html
On July 27, 2007 at 06:14 lionel@mamane.lu (Lionel Elie Mamane) wrote:
Also, I've heard that Canada had (maybe still has) this legislation forbidding you to route intra-Canadian *telephone* traffic through another country. Something about else nobody would build a intercontinental coast-to-coast Canadian network, would just send long-distance traffic to the USA, go to other coast and send it back to Canada and being this dependent on a foreign country, that's bad.
OTOH, the spirit of the Bretton Woods conferences at the end of WWII on preventing a repeat was that such critical industrial interdependencies were fundamental to dissuading nations from going to war on one another. So far the idea has worked pretty well, exceptions excepted. Obviously YMMV. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
participants (6)
-
Alexander Harrowell -
Andy Loukes -
Arien Vijn -
Barry Shein -
Lionel Elie Mamane -
Randy Epstein