Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty
The topic of Canadian network sovereignty has been part of the Canadian conscience since the failure of CANNET back in the 1970s.
Canadian citizens, on Canadian soil, already supply feeds directly to the NSA. Rerouting Internet traffic would make no difference.
On Sat, Sep 7, 2013 at 3:08 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
A Canadian ISP colleague of mine suggested that the NANOG constituency might be interested in this, given some recent 'revelations', so I forward it here for your perusal.
"Preliminary analysis of more than 25,000 traceroutes reveals a phenomenon we call ‘boomerang routing’ whereby Canadian-to-Canadian internet transmissions are routinely routed through the United States. Canadian originated transmissions that travel to a Canadian destination via a U.S. switching centre or carrier are subject to U.S. law - including the USA Patriot Act and FISAA. As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty."
http://lawprofessors.typepad.com/media_law_prof_blog/2013/09/routing-interne...
Cheers,
- ferg
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com
-- Copyright 2013 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon,Saskatchewan,Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
That notwithstanding, it's stupid to send traffic to/from one of the large $your_region/country incumbents via $not_your_region/country. It's just not good Internet. You make enough money already. Be a good netizen. It pays more in the long run and that's all you're really after for your shareholders anyway, right?
On 2013-09-08, at 11:54 AM, Derek Andrew <Derek.Andrew@usask.ca> wrote:
The topic of Canadian network sovereignty has been part of the Canadian conscience since the failure of CANNET back in the 1970s.
Canadian citizens, on Canadian soil, already supply feeds directly to the NSA. Rerouting Internet traffic would make no difference.
On Sat, Sep 7, 2013 at 3:08 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
A Canadian ISP colleague of mine suggested that the NANOG constituency might be interested in this, given some recent 'revelations', so I forward it here for your perusal.
"Preliminary analysis of more than 25,000 traceroutes reveals a phenomenon we call ‘boomerang routing’ whereby Canadian-to-Canadian internet transmissions are routinely routed through the United States. Canadian originated transmissions that travel to a Canadian destination via a U.S. switching centre or carrier are subject to U.S. law - including the USA Patriot Act and FISAA. As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty."
http://lawprofessors.typepad.com/media_law_prof_blog/2013/09/routing-interne...
Cheers,
- ferg
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com
-- Copyright 2013 Derek Andrew (excluding quotations)
+1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon,Saskatchewan,Canada. S7N 2V3 Timezone GMT-6
Typed but not read.
I'm confident that someone else may point this out, but I feel this is important enough to weigh in on ..
Respectfully, I must disagree with any philosophy that perpetuates the archaic concept of political boundaries in the context of information flow. Calling it "stupid" to send traffic on any particular route because that route crosses political boundaries reflects a surrender to an old way of thought.
While I can agree that the fact of crossing political boundaries introduces a very unwelcome artifact of exposing that traffic to adverse political effects, that doesn't mean that the desirable response is one of returning to nationalistic silos. Instead, the way forward is to protect the traffic rather than the boundaries.
Due to political realities, that may indeed mean that an intra-national backup path is necessary. But to my mind, what's "just not good Internet" is the artificial restriction of traffic to solely intra-national primary paths. That mindset reflects a territoriality that's not our friend; I still dream of a fully interconnected world.
So, I respectfully suggest that we work on fixing the problems and vulnerabilities that arise from the interconnectedness rather than hunkering down and fragmenting / forking. Yes, these are shameful and terrible problems that have come to our attention right now; still, we can move forward better together than apart, don't you think?
..Allen
On Sep 9, 2013, at 10:43, Jason Lixfeld <jason@lixfeld.ca> wrote:
That notwithstanding, it's stupid to send traffic to/from one of the large $your_region/country incumbents via $not_your_region/country. It's just not good Internet. You make enough money already. Be a good netizen. It pays more in the long run and that's all you're really after for your shareholders anyway, right?
On 2013-09-08, at 11:54 AM, Derek Andrew <Derek.Andrew@usask.ca> wrote:
The topic of Canadian network sovereignty has been part of the Canadian conscience since the failure of CANNET back in the 1970s.
Canadian citizens, on Canadian soil, already supply feeds directly to the NSA. Rerouting Internet traffic would make no difference.
On Sat, Sep 7, 2013 at 3:08 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
A Canadian ISP colleague of mine suggested that the NANOG constituency might be interested in this, given some recent 'revelations', so I forward it here for your perusal.
"Preliminary analysis of more than 25,000 traceroutes reveals a phenomenon we call ‘boomerang routing’ whereby Canadian-to-Canadian internet transmissions are routinely routed through the United States. Canadian originated transmissions that travel to a Canadian destination via a U.S. switching centre or carrier are subject to U.S. law - including the USA Patriot Act and FISAA. As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty."
http://lawprofessors.typepad.com/media_law_prof_blog/2013/09/routing-interne...
Cheers,
- ferg
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com
-- Copyright 2013 Derek Andrew (excluding quotations)
+1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon,Saskatchewan,Canada. S7N 2V3 Timezone GMT-6
Typed but not read.
On 9/9/13 7:43 AM, Jason Lixfeld wrote:
That notwithstanding, it's stupid to send traffic to/from one of the large $your_region/country incumbents via $not_your_region/country. It's just not good Internet.
yyz-yvr is faster via the united states. physics doesn't respect political boundaries.
You make enough money already. Be a good netizen. It pays more in the long run and that's all you're really after for your shareholders anyway, right?
On 2013-09-08, at 11:54 AM, Derek Andrew <Derek.Andrew@usask.ca> wrote:
The topic of Canadian network sovereignty has been part of the Canadian conscience since the failure of CANNET back in the 1970s.
Canadian citizens, on Canadian soil, already supply feeds directly to the NSA. Rerouting Internet traffic would make no difference.
On Sat, Sep 7, 2013 at 3:08 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
A Canadian ISP colleague of mine suggested that the NANOG constituency might be interested in this, given some recent 'revelations', so I forward it here for your perusal.
"Preliminary analysis of more than 25,000 traceroutes reveals a phenomenon we call ‘boomerang routing’ whereby Canadian-to-Canadian internet transmissions are routinely routed through the United States. Canadian originated transmissions that travel to a Canadian destination via a U.S. switching centre or carrier are subject to U.S. law - including the USA Patriot Act and FISAA. As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty."
http://lawprofessors.typepad.com/media_law_prof_blog/2013/09/routing-interne...
Cheers,
- ferg
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com
-- Copyright 2013 Derek Andrew (excluding quotations)
+1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon,Saskatchewan,Canada. S7N 2V3 Timezone GMT-6
Typed but not read.
On 2013-09-09, at 14:29, joel jaeggli <joelja@bogus.com> wrote:
On 9/9/13 7:43 AM, Jason Lixfeld wrote:
That notwithstanding, it's stupid to send traffic to/from one of the large $your_region/country incumbents via $not_your_region/country. It's just not good Internet.
yyz-yvr is faster via the united states. physics doesn't respect political boundaries.
Not only physics, but geometry. Vancouver is further north than Seattle, but Toronto is further south than Portland.
http://www.gcmap.com/mapui?P=YYZ-YVR
Joe
Le 09/09/2013 21:16, Joe Abley a écrit :
On 2013-09-09, at 14:29, joel jaeggli <joelja@bogus.com> wrote:
On 9/9/13 7:43 AM, Jason Lixfeld wrote:
That notwithstanding, it's stupid to send traffic to/from one of the large $your_region/country incumbents via $not_your_region/country. It's just not good Internet.
yyz-yvr is faster via the united states. physics doesn't respect political boundaries.
Not only physics, but geometry. Vancouver is further north than Seattle, but Toronto is further south than Portland.
Fiber path along great circle? Cool case. :)
mh
Joe
On 9/9/13 12:43 PM, Michael Hallgren wrote:
Le 09/09/2013 21:16, Joe Abley a écrit :
On 2013-09-09, at 14:29, joel jaeggli <joelja@bogus.com> wrote:
On 9/9/13 7:43 AM, Jason Lixfeld wrote:
That notwithstanding, it's stupid to send traffic to/from one of the large $your_region/country incumbents via $not_your_region/country. It's just not good Internet.
yyz-yvr is faster via the united states. physics doesn't respect political boundaries.
Not only physics, but geometry. Vancouver is further north than Seattle, but Toronto is further south than Portland.
Fiber path along great circle? Cool case. :)
YYZ-CHI-MSP-SEA-YVR is close enough. this is BNSF vs CN
mh
Joe
On 13-09-09 15:16, Joe Abley wrote:
Not only physics, but geometry. Vancouver is further north than Seattle, but Toronto is further south than Portland.
It is about sovereignty and the ability of one nation to decide for itself.
In the past, because people were blind to the NSA operations, it didn't matter so much. But with past revelations, will the market start to demand routes that avoid the USA if the destination is not the USA ?
Could the government set policies that end up making within-canada transit and peering more competitive than buying transit through the USA ?
Let's reverse the situation for half a second. Say most traffic from USA to USA were to pass through Canada and Canada had the ability to spy on all USA traffic, including emails between congressmen and their mistresses. Do you think the USA would let another nation spy on its traffic for half a second ?
How can Bombardier compete against Boeing when the NSA captures Bombardier's emails etc and could potentially hand them over to Boeing?
On Sep 10, 2013, at 9:29 AM, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
Will the market start to demand routes that avoid the USA if the destination is not the USA ?
Unlikely, all else being equal. The market demands the least expensive routes. Which is why we push for new IXPs on the Canadian side of the border, so that the _cheapest_ route will also be the _shortest_ route, and will remain within Canadian jurisdiction and the purview of Canadian personal privacy law, for instance.
It is about sovereignty and the ability of one nation to decide for itself. Could the government set policies that end up making within-canada transit and peering more competitive than buying transit through the USA ?
Note that this is an entirely different question, orthogonal to markets and economics. It is within the power of the Canadian sovereign government to do whatever wiretaps it likes within Canada, and share that information with other governments, for instance, and neither shortest paths nor least expensive paths will have any effect on that. That said, regulatory best-practice is generally held to be to either keep hands off the Internet entirely, or to make an ISP class license requirement that every service provider network deliver traffic that has source and destination addresses within a region, without passing the traffic across the border of the region. That's a technology-neutral way of saying that if you have a customer in a region, and someone else has a customer in the same region, you and they had better figure out a way of delivering that traffic through peering or local transit.
Let's reverse the situation for half a second. Say most traffic from USA to USA were to pass through Canada and Canada had the ability to spy on all USA traffic, including emails between congressmen and their mistresses. Do you think the USA would let another nation spy on its traffic for half a second ?
Happens all the time. China Telecom has routers within the U.S. borders, and offers domestic routes across the U.S. Stands to reason that France Telecom, Deutsche Telekom, et cetera, would be doing the same thing for their respective sovereigns. All of this is just routine power-struggle, it's not an all-or-nothing thing, and absolutes are of little value in the discussion.
How can Bombardier compete against Boeing when the NSA captures Bombardier's emails etc and could potentially hand them over to Boeing?
The theory was that, paraphrasing _Brazil_, "this is the Department of Records, not the Department of Information Retrieval." Theoretically, the countries that collected and shared information did so for the benefit of the sovereign, not the benefit of the people or the benefit of capital, and did not share what they collected with the private sector. That has, however, been abused before:
http://yro.slashdot.org/story/00/02/09/1845227/france-sues-us-and-uk-over-ec...
Also of note:
http://en.wikipedia.org/wiki/Canada–France_relations#Saint_Pierre_and_Miquelon_boundary_dispute
So, not meaning to be a downer here, just pointing out that we should all be doing what we can, and not wasting too much energy on shocked outrage at the misbehavior of others.
-Bill
On Tue, 10 Sep 2013 10:27:15 -0700, Bill Woodcock <woody@pch.net> said:
> or to make an ISP class license requirement that every service
> provider network deliver traffic that has source and destination
> addresses within a region, without passing the traffic across
> the border of the region. That's a technology-neutral way of
> saying that if you have a customer in a region, and someone else
> has a customer in the same region, you and they had better
> figure out a way of delivering that traffic through peering or
> local transit.
That's historically the way it was in Canada, although it was originally phrased in terms of the telegraph and persisted up until the beginnings of the commercial Internet when the rule was abolished. It's also the reason why, for example, the old trans-atlantic cables went from the UK to Nova Scotia before New York even though the bulk of the traffic was UK-US. Theoretically, traffic within the empire was not supposed to cross a third border. I believe the rationale behind this was to prevent eavesdropping.
I have a pet theory that this rule was one of the main reasons that Canada has such a well developed telecommunications industry -- it was forced by law to develop it indigenously rather than just dumping telephone calls across the border into the 'states, which probably would have made more economic sense.
When the rule was abolished in the early 1990s it wasn't clear if it should or should not apply to Internet traffic but leaving the answer entirely to market forces may have stunted the development of East-West capacity within Canada.
Is this a good or a bad thing? I can remember back when there was a project in the 'states called Carnivore, and we had some American police -- I believe they were FBI -- come up and ask us politely if we'd like to put some of their machines on our network. Everybody pretty much uniformly said no. Shortly thereafter an American carrier showed up selling gigabit ethernet circuits to NYC for well below what was the going rate at the time and effectively pulled a lot of traffic that would otherwise have remained in country across the border.
I've been outside of North America for a while now so I don't know first hand, but from the commentary on this list that trend appears to have continued...
-w
William Waites <wwaites@tardis.ed.ac.uk> writes:
Is this a good or a bad thing? I can remember back when there was a project in the 'states called Carnivore, and we had some American police -- I believe they were FBI -- come up and ask us politely if we'd like to put some of their machines on our network. Everybody pretty much uniformly said no. Shortly thereafter an American carrier showed up selling gigabit ethernet circuits to NYC for well below what was the going rate at the time and effectively pulled a lot of traffic that would otherwise have remained in country across the border.
More attributable to the unintended consequences of some of the more draconian parts of http://en.wikipedia.org/wiki/PROTECT_Act_of_2003 than of Carnivore, actually. :)
-r
From: Bill Woodcock [mailto:woody@pch.net]
Subject: Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty
On Sep 10, 2013, at 9:29 AM, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
Will the market start to demand routes that avoid the USA if the destination is not the USA ?
Unlikely, all else being equal. The market demands the least expensive routes. Which is why we push for new IXPs on the Canadian side of the border, so that the _cheapest_ route will also be the _shortest_ route, and will remain within Canadian jurisdiction and the purview of Canadian personal privacy law, for instance.
Maybe it's time to dust off some of those "reserved for future use" IP security options. It's almost as if someone saw this problem coming a long time ago.
- Marsh
https://tools.ietf.org/html/rfc791#page-17
    Security
      This option provides a way for hosts to send security, compartmentation, handling restrictions, and TCC (closed user group) parameters. The format for this option is as follows:
        +--------+--------+---//---+---//---+---//---+---//---+
        |10000010|00001011|SSS  SSS|CCC  CCC|HHH  HHH|  TCC   |
        +--------+--------+---//---+---//---+---//---+---//---+
         Type=130 Length=11
      Security (S field): 16 bits
        Specifies one of 16 levels of security (eight of which are reserved for future use).
          00000000 00000000 - Unclassified
          11110001 00110101 - Confidential
          01111000 10011010 - EFTO
          10111100 01001101 - MMMM
          01011110 00100110 - PROG
          10101111 00010011 - Restricted
          11010111 10001000 - Secret
          01101011 11000101 - Top Secret
          00110101 11100010 - (Reserved for future use)
          10011010 11110001 - (Reserved for future use)
          01001101 01111000 - (Reserved for future use)
          00100100 10111101 - (Reserved for future use)
          00010011 01011110 - (Reserved for future use)
          10001001 10101111 - (Reserved for future use)
          11000100 11010110 - (Reserved for future use)
          11100010 01101011 - (Reserved for future use)
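Added example, not part of the original thread and not code from RFC 791: a Python routine that walks the options area of an IPv4 header and decodes the Security option (Type=130, Length=11) using the S-field code points quoted above, rejecting malformed option lengths. The function names and the sample header are constructed for illustration; the 16-bit C and H fields and the 24-bit TCC follow RFC 791, which the excerpt shows only in the diagram.

```python
import struct

# Security (S field) code points exactly as listed in the RFC 791 excerpt above.
SECURITY_LEVELS = {
    0x0000: "Unclassified", 0xF135: "Confidential", 0x789A: "EFTO",
    0xBC4D: "MMMM", 0x5E26: "PROG", 0xAF13: "Restricted",
    0xD788: "Secret", 0x6BC5: "Top Secret",
}
RESERVED_LEVELS = {0x35E2, 0x9AF1, 0x4D78, 0x24BD, 0x135E, 0x89AF, 0xC4D6, 0xE26B}

OPT_EOL, OPT_NOP, OPT_SECURITY = 0, 1, 130


def find_security_option(ipv4_header: bytes):
    """Walk the options area of an IPv4 header and decode option type 130.

    Returns a dict for the first Security option found, or None if absent.
    Raises ValueError on a malformed header or option.
    """
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ipv4_header[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(ipv4_header):
        raise ValueError("bad IHL")
    opts = ipv4_header[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                    # end of option list
            break
        if kind == OPT_NOP:                    # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of bounds")
        if kind == OPT_SECURITY:
            if length != 11:
                raise ValueError("Security option must have Length=11")
            s, c, h = struct.unpack("!HHH", opts[i + 2:i + 8])
            tcc = int.from_bytes(opts[i + 8:i + 11], "big")
            level = SECURITY_LEVELS.get(s) or (
                "(Reserved for future use)" if s in RESERVED_LEVELS
                else "(not a defined code point)")
            return {"level": level, "s": s, "compartments": c, "handling": h, "tcc": tcc}
        i += length
    return None


def build_sample_header(s_field: int) -> bytes:
    """Constructed sample: 32-byte IPv4 header (IHL=8), documentation addresses."""
    option = bytes([OPT_SECURITY, 11]) + struct.pack("!HHH", s_field, 0, 0) + b"\x00\x00\x00"
    fixed = struct.pack("!BBHHHBBH4s4s", 0x48, 0, 32, 0, 0, 64, 6, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + option + bytes([OPT_EOL])   # EOL pads options to a 4-byte multiple
```
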
participants (11)
- Allen McKinley Kitchen (gmail)
- Bill Woodcock
- Derek Andrew
- Jason Lixfeld
- Jean-Francois Mezei
- Joe Abley
- joel jaeggli
- Marsh Ray
- Michael Hallgren
- Rob Seastrom
- William Waites