ISPs and full packet inspection
Hello, I am looking for some guidance on full packet inspection at the ISP level. Are there any regulations that prohibit or provide guidance on this?
Asking for legal advice on NANOG is probably a REALLY REALLY bad idea. Talk to a lawyer in the area(s) you do business.
-jim
On Thu, May 24, 2012 at 9:50 AM, not common <notcommonmistakes@gmail.com> wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
You should be discussing this with inside counsel. Not NANOG.
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 7:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
There has to be something out there or is this really a hands-off topic?
On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie@gmail.com> wrote:
You should be discussing this with inside counsel. Not NANOG.
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 7:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Might I suggest you consider replacing your legal team.
On 05/24/12 09:13, not common wrote:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
There has to be something out there or is this really a hands-off topic?
On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie@gmail.com> wrote:
You should be discussing this with inside counsel. Not NANOG.
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 7:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
The problem is that it is strictly a jurisdictional question. I'm not trying to throw it back at you. But I can't advise you w/o knowing the specifics of your ISP which I don't want to know. Does that make sense? What country? State? Where's your customer base? Do you have multiple carriers? Do you service DOD? Outside of US? Do you service EU? SWIFT (Financial wires?) etc? Mainly consumer? Commercial? The list could go on.
If you are being prodded by legal on this question then my advice would be to tell them that they have to provide that direction.
If you are being prodded by technology my advice would be to direct them to legal.
You should be picking up a pattern here....
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 8:13 AM, not common wrote:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
There has to be something out there or is this really a hands-off topic?
On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie@gmail.com> wrote:
You should be discussing this with inside counsel. Not NANOG.
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 7:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
And if your legal can't figure it out that is exactly what "outside counsel" is for.
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 8:22 AM, -Hammer- wrote:
The problem is that it is strictly a jurisdictional question. I'm not trying to throw it back at you. But I can't advise you w/o knowing the specifics of your ISP which I don't want to know. Does that make sense? What country? State? Where's your customer base? Do you have multiple carriers? Do you service DOD? Outside of US? Do you service EU? SWIFT (Financial wires?) etc? Mainly consumer? Commercial? The list could go on.
If you are being prodded by legal on this question then my advice would be to tell them that they have to provide that direction.
If you are being prodded by technology my advice would be to direct them to legal.
You should be picking up a pattern here....
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 8:13 AM, not common wrote:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
There has to be something out there or is this really a hands-off topic?
On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie@gmail.com> wrote:
You should be discussing this with inside counsel. Not NANOG.
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 7:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
On May 24, 2012, at 9:13 AM, not common wrote:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
One reasonably balanced and relatively recent overview for your legal folks to get oriented:
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1628024>
If that does not suffice, you have a more serious issue.
Best wishes,
/John
On Thu, 24 May 2012 09:13:16 -0400, not common said:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
You probably want to fix that legal team. If you're an ISP and your legal eagle doesn't understand networking, you're opening yourself up to a world of hurt.
There has to be something out there or is this really a hands-off topic?
There's a whole mess of applicable laws. Patrick Darden just posted a good intro as I was writing this.
Thank you all, this will get me started and @Hammer, I see the trend you're talking about.
Cheers,
On Thu, May 24, 2012 at 9:24 AM, <valdis.kletnieks@vt.edu> wrote:
On Thu, 24 May 2012 09:13:16 -0400, not common said:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
You probably want to fix that legal team. If you're an ISP and your legal eagle doesn't understand networking, you're opening yourself up to a world of hurt.
There has to be something out there or is this really a hands-off topic?
There's a whole mess of applicable laws. Patrick Darden just posted a good intro as I was writing this.
Inside counsel should engage with outside counsel in this case. Part of being a professional in many fields is knowing how to engage the right people (e.g.: doctors that refer you to an expert).
- jared
On May 24, 2012, at 9:13 AM, not common wrote:
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
There has to be something out there or is this really a hands-off topic?
----- Original Message -----
From: "not common" <notcommonmistakes@gmail.com>
Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.
My professional advice (IANAL) is that your inside counsel needs to find appropriate outside counsel well versed in this topic, and your VPs need to pay them. This is a Bet The Company topic.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
0. General Reference http://en.wikipedia.org/wiki/Deep_packet_inspection#DPI_at_network.2FInterne... e.g. Lawful Intercept
1. network neutrality -- lots of possible laws coming up, http://en.wikipedia.org/wiki/Network_neutrality#Law_in_the_United_States http://www.sans.org/reading_room/whitepapers/policyissues/net-neutrality-res...
2. intellectual property -- all the sopa/pipa/etc. specifically privacy invasion http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act#Deep-packet_inspection_a...
3. principle of implied responsibility -- if you change a data stream, it is implied you are responsible for it (i.e. administratively, editorially, etc.)
4. Check out the CISSP legal domain. Especially resources and references for it. Someone on your team should have this certification. http://www.amazon.com/CISSP-Boxed-Set-All---One/dp/0071768459/ref=sr_1_1?ie=UTF8&qid=1337865477&sr=8-1
5. The EFF might be able to help you. WRT Privacy espec.
6. SANS has tons of references. www.sans.org
7. Get with a lawyer who is network-aware. Good luck with that. Maybe try to find a lawyer with a CISSP cert?
--Patrick Darden
On 05/24/2012 08:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Very nice Patrick
-Hammer-
"I was a normal American nerd" -Jack Herer
On 5/24/2012 8:19 AM, Patrick Darden wrote:
0. General Reference http://en.wikipedia.org/wiki/Deep_packet_inspection#DPI_at_network.2FInterne... e.g. Lawful Intercept
1. network neutrality -- lots of possible laws coming up, http://en.wikipedia.org/wiki/Network_neutrality#Law_in_the_United_States http://www.sans.org/reading_room/whitepapers/policyissues/net-neutrality-res...
2. intellectual property -- all the sopa/pipa/etc. specifically privacy invasion http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act#Deep-packet_inspection_a...
3. principle of implied responsibility -- if you change a data stream, it is implied you are responsible for it (i.e. administratively, editorially, etc.)
4. Check out the CISSP legal domain. Especially resources and references for it. Someone on your team should have this certification. http://www.amazon.com/CISSP-Boxed-Set-All---One/dp/0071768459/ref=sr_1_1?ie=UTF8&qid=1337865477&sr=8-1
5. The EFF might be able to help you. WRT Privacy espec.
6. SANS has tons of references. www.sans.org
7. Get with a lawyer who is network-aware. Good luck with that. Maybe try to find a lawyer with a CISSP cert?
--Patrick Darden
On 05/24/2012 08:50 AM, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
On Thu, May 24, 2012 at 08:50:47AM -0400, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Unless you are absolutely huge, and maybe even then, you need to worry more about how your customers will perceive this than how law enforcement will perceive this. (I mean, you want to follow the law, sure, but even if it's legal, if it cheeses the customers? well, you have a problem.)
More to the point, like most on this list, law isn't my field. In my experience? customers get really, really uncomfortable with you doing, well, almost anything below the headers. I was talking about doing an inward facing snort IDS (to detect compromised hosts before I got complaints) and got so far as a prototype where I shared the info I recorded about each IP with the customer in question, but talking to customers? this idea was extremely offensive, so the project was quashed.
Now, generally speaking, customers are much more okay with you going through the IP headers. For instance, instead of using an IDS, I could, say, count the number of outgoing connections destined for port 22 or 25, or the same but count how many unique destinations they use (e.g. to avoid MX host or ssh tunneling false positives... both of those use cases would have a lot of connections on those ports, but to a small number of remote hosts.) From what I've heard customers say, this would likely cause less offense than using snort or the like to do full packet inspection. (it wouldn't be completely inoffensive, but I think that if I wiped the logs often and shared my data with the customer, it sounds like something that customers would tolerate.) I haven't prototyped that system yet, though, so eh, who knows.
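The header-only approach described in the message above, sketched as an added example (not code from the post or from any poster's system): it counts outbound connections and unique destinations per customer IP on ports 22 and 25 from flow records, with no payload inspection. The address ranges, the threshold of 20 unique destinations, the one-hour retention window and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

WATCHED_PORTS = {22, 25}                     # ports named in the post
CUSTOMER_NET = ip_network("192.0.2.0/24")    # assumption: documentation range
MIN_UNIQUE_DSTS = 20                         # assumption: illustrative threshold
RETENTION_SECONDS = 3600                     # assumption: "wiped the logs often"


def purge(flows, now, max_age=RETENTION_SECONDS):
    """Drop flow records older than the retention window."""
    return [f for f in flows if now - f[0] <= max_age]


def summarize(flows):
    """Per (customer IP, port): connection count and unique destinations.

    Each flow is (timestamp, src_ip, dst_ip, dst_port): header fields only.
    """
    conns = defaultdict(int)
    dsts = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport not in WATCHED_PORTS:
            continue
        if ip_address(src) not in CUSTOMER_NET:
            continue                         # only outbound customer traffic
        conns[(src, dport)] += 1
        dsts[(src, dport)].add(dst)
    return {k: {"connections": conns[k], "unique_dsts": len(dsts[k])}
            for k in conns}


def flag(summary, min_unique=MIN_UNIQUE_DSTS):
    """Flag on destination fan-out, not raw volume, so a mail server using
    one relay or an ssh tunnel to one host is not reported."""
    return sorted(k for k, s in summary.items()
                  if s["unique_dsts"] >= min_unique)


def sample_flows():
    """Constructed flow records, not real traffic."""
    flows = []
    # Mail server relaying through one smarthost: high volume, 1 destination.
    flows += [(1000 + i, "192.0.2.10", "198.51.100.25", 25) for i in range(200)]
    # ssh tunnel to a single remote host.
    flows += [(1000 + i, "192.0.2.20", "198.51.100.22", 22) for i in range(50)]
    # Port 25 connections to 60 different hosts: the pattern worth a look.
    flows += [(1000 + i, "192.0.2.30", f"203.0.113.{i + 1}", 25)
              for i in range(60)]
    # Stale record that the retention window should remove.
    flows.append((0, "192.0.2.30", "203.0.113.200", 22))
    return flows


if __name__ == "__main__":
    report = summarize(purge(sample_flows(), now=3700))
    for key in flag(report):
        print(key, report[key])   # the per-customer data that could be shared
```

The summary is keyed per customer IP, so the same record that triggers a flag is what would be shown to that customer.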
I've seen this come up on at least three different cop shows so I wouldn't recommend it. It's also not cool. Packets wanna be free man.. ;)
Just my 2c
2012/5/24 not common <notcommonmistakes@gmail.com>
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
On a lighter note, did you know that your company can hold some of us liable depending on what advice we give you and how far you run with it. Just a thought... Overall, I wouldn't choose nanog over google/wikipedia/GROKLAW unless it is something really specific operationally. This isn't really one of those topics. Any lawyer worth his luxury sedan should be able to do his own research. Most of the laws were written by lawyers and judges that don't understand IP (Internet Protocol or Intellectual Property) either so your legal team is in good company.
2012/5/24 not common <notcommonmistakes@gmail.com>
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
On 5/24/12, not common <notcommonmistakes@gmail.com> wrote:
[snip]
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Aside from any legal issue; there is a "respectable practices" issue. Even if there is no regulation that prohibits something does not mean it is OK. Your customers deserve to be made aware of any full packet capture practices that may impact traffic to/from network they own/manage, before packet capture occurs, especially when there is data retention, or human examination/analysis based on contents of large numbers of packets; otherwise there is a risk you will be in trouble, for some definition of "in trouble" that depends on the circumstances.
Because your packet interception can put your user at risk; proprietary information can be disclosed. And most ISP customers intend to purchase network connectivity service, not "record all my traffic without telling me" service ..
Are you prepared to explicitly explain to your customers, both existing, and new ones, before they are allowed to buy or continue service from you -- under what circumstances you intercept full packets, whose packets do you capture, what packets do you capture, how many packets / how long will you capture their packets, what do you do with their contents after you capture them, how long do you keep data, what security controls do you have in place to prevent unauthorized access to their packets and ensure timely destruction of sensitive data?
If the answer is NO, that you have poor planning, or your privacy practices are not solid enough to reveal to your customers with confidence, then save the money on consulting lawyers, by choosing NOT to implement interception and capture of full packets.
--
-JH
On Thu, May 24, 2012 at 08:37:52PM -0500, Jimmy Hess wrote:
On 5/24/12, not common <notcommonmistakes@gmail.com> wrote:
[snip]
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Aside from any legal issue; there is a "respectable practices" issue. Even if there is no regulation that prohibits something does not mean it is OK. Your customers deserve to be made aware of any full packet capture practices that may impact traffic to/from network they own/manage, before packet capture occurs, especially when there is data retention, or human examination/analysis based on contents of large numbers of packets; otherwise there is a risk you will be in trouble, for some definition of "in trouble" that depends on the circumstances.
Because your packet interception can put your user at risk; proprietary information can be disclosed. And most ISP customers intend to purchase network connectivity service, not "record all my traffic without telling me" service ..
If you need a call center to handle this just let me know... :) since your call volume is going to spike through the roof.
Are you prepared to explicitly explain to your customers, both existing, and new ones, before they are allowed to buy or continue service from you -- under what circumstances you intercept full packets, whose packets do you capture, what packets do you capture, how many packets / how long will you capture their packets, what do you do with their contents after you capture them, how long do you keep data, what security controls do you have in place to prevent unauthorized access to their packets and ensure timely destruction of sensitive data?
If the answer is NO, that you have poor planning, or your privacy practices are not solid enough to reveal to your customers with confidence, then save the money on consulting lawyers, by choosing NOT to implement interception and capture of full packets.
--
-JH
-- - (2^(N-1))
On Thu, 24 May 2012, Jimmy Hess wrote:
On 5/24/12, not common <notcommonmistakes@gmail.com> wrote:
[snip]
I am looking for some guidance on full packet inspection at the ISP level.
Aside from all of the business and legal sticking points that others have mentioned, there are also the technical aspects of capturing, storing, transporting, analyzing, and managing those packets, and the appliances that do the heavy lifting. As your traffic grows, that problem scales 1:1 linearly, at best, and more likely n:1 linearly, or worse. The added overhead of the infrastructure needed to support this will also make it more difficult to be price-competitive with your peers. Your sales/marketing/executive staff would have their work cut out for them in trying to explain to existing and prospective customers not only where the value-add is for them, but why that would be worth the significant recurring costs you'd have to charge to cover your overhead and/or maintain your profit margin.
jms
----- Original Message -----
From: "Justin M. Streiner" <streiner@cluebyfour.org>
Aside from all of the business and legal sticking points that others have mentioned, there are also the technical aspects of capturing, storing, transporting, analyzing, and managing those packets, and the appliances that do the heavy lifting. As your traffic grows, that problem scales 1:1 linearly, at best, and more likely n:1 linearly, or worse. The added overhead of the infrastructure needed to support this will also make it more difficult to be price-competitive with your peers.
TL:DR; The reasons for doing this on any kind of general basis have to be *EXCEPTIONALLY* compelling to make a business case for it, apart from any possible legal ramifications. I used asterisks *and* capital letters; that's about an order of magnitude. Don't forget staffing.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
From: not common [mailto:notcommonmistakes@gmail.com]
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
You're better to discuss use cases than technology. E.g. do you plan to do per-user behavioural targeted advertising? To secure the network from DNS changer malware? To block slammer worm? To deploy a session border controller? To deploy a carrier-grade NAT (LSN)? To collect bank information and profit? To enhance the QoS of VoIP? To deploy a transparent web or video cache? All of them use packet inspection. All can be achieved w/o packet inspection. All of them vary wildly in how people would react :) So... phrase your question and 'guidance' around the use case, not the method you plan to achieve it today.
participants (15)
- -Hammer-
- Don Bowman
- Gabriel Blanchard
- Jared Mauch
- Jason Hellenthal
- Jay Ashworth
- jim deleskie
- Jimmy Hess
- John Curran
- Justin M. Streiner
- Keegan Holley
- Luke S. Crawford
- not common
- Patrick Darden
- valdis.kletnieks@vt.edu