Federal Security Bureau asks for more authority to control Internet
http://en.rian.ru/russia/20050428/39757635.html
The Federal Security Service proposes setting new rules for Internet providers so that it could prevent the spread of extremist ideas, track down illegal online operations, and get access to databases with mobile telephone subscribers' details, such as e-mail addresses, Frolov said. There should be compulsory registration of mobile phone users with Internet connectivity.
> There should be compulsory registration of mobile phone users with Internet connectivity.
does this mean that someone who does not use a mobile phone, normally, must register before borrowing one to make a single call? (you said user, not instrument, so i'm assuming the answer is yes.)
d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
> http://en.rian.ru/russia/20050428/39757635.html
> The Federal Security Service proposes setting new rules for Internet providers so that it could prevent the spread of extremist ideas, track down illegal online operations, and get access to databases with mobile telephone subscribers' details, such as e-mail addresses, Frolov said. There should be compulsory registration of mobile phone users with Internet connectivity.
This makes Russia sound like some insane place where Big Brother spies on the communications of all citizens, like in the United States. However, the last paragraph in the article makes Russia sound like a more sane place where people realize that the Internet doesn't need lots of special laws, rather like Canada.
The Ministry of Information Technologies and Communications is opposed to the idea of adopting a separate law on Internet operations. Speaking at today's panel discussion in the Federation Council, Deputy Minister Boris Antonyuk said the use of the Internet could be regulated by more general laws already in effect, including those dealing with advertising, the protection of consumer rights, and administrative offenses.
--Michael Dillon
On 4/29/05, Michael.Dillon@radianz.com <Michael.Dillon@radianz.com> wrote:
>> The Federal Security Service proposes setting new rules for Internet
> This makes Russia sound like some insane place where Big Brother spies on the communications of all citizens, like in the United States.
Here's a hint.. the FSB is the rebadged version of the old KGB. Trust me, they have a lot of experience snooping on the communication of their citizens.
> The Ministry of Information Technologies and Communications is opposed to the idea of adopting a separate law on Internet operations. Speaking at today's panel discussion in the Federation Council, Deputy Minister Boris Antonyuk said the use of the Internet could be regulated by more general laws already in effect, including those dealing with advertising, the protection of consumer rights, and administrative offenses.
Some of it yes. The rest of it is uniquely internet related. India is still learning that you can't use the Indian Posts and Telegraphs Act, which was promulgated in the late 1890s, to try to regulate the telephony system and the internet all that efficiently. Sure, there's the IT act of 2000, which is a basic copy and paste from the Singapore IT act among other laws, but that still has a lot of crossover with the old P&T act.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Fri, 29 Apr 2005 Michael.Dillon@radianz.com wrote:
> This makes Russia sound like some insane place where Big Brother spies on the communications of all citizens,
The changes there in last 4 years seem to be in that direction. Plus also their system of people spying on their friends and co-workers (donosi) was never fully dismantled and people involved were not banned from public office and government like it happened in Czech and other Eastern European countries.
> like in the United States.
Neither Russian nor US government announcements are good for Internet, if it is to stay as means of international cooperation and unrestricted information exchange.
> However, the last paragraph in the article makes Russia sound like a more sane place where people realize that the Internet doesn't need lots of special laws, rather like Canada.
It's not always about exact laws and in Russia laws are meant to be "reinterpreted" (that is what Putin said :) by each court. In any case, courts there are mostly controlled by executive branch (and so is parliament as of year ago), the transition to democracy in Russia was stopped half way in mid 90s and is now fully reversed in direction with active and former KGB officers largely responsible for that.
Controlling the media is always important for totalitarian regime as means of controlling the society at large. First most important media is still TV and steps to control all national channels was first thing done by Putin starting in 2001 and now TV is fully under governmental control in Russia. Next most important media are newspapers and then Internet. The attempts to control are being done by requiring all newspapers and all internet media sites (!!!) to be registered with ministry of press (now office in cultural ministry) and while it's not all under control (yet), the steps are being taken to restrict what newspapers say if they want to keep being published. But latest trend of blogger sites are not subject to media laws and that is why this new announcement of need to control what is being said on the Internet is coming up now.
Frankly, I think they are too ambitious if they think they can actually control the internet and what people in Russia can say (and same at even stronger scale for US) - Internet there is not that of China and it's too difficult or too late to change developed infrastructure, so I believe it'll most likely stay open as means of open personal communication exchange and possibly 20-30 years from now that will be the decisive factor in Russian government's downfall, but for right now it's all going into the direction of totalitarian regime, something like that of Chile in 1980s...
--
William Leibzon
Elan Networks
william@elan.net
I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.
I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.
My assumption is that the ingress router has to be either a confederation AS, or route reflector client, talking to the egress router. The latter is part of the main iBGP mesh, although it could be a client in a next hierarchical reflection cluster. Do any of these iBGP arrangements impact having the sinkhole ingress with an anycast address?
Is this a correct architectural assumption? Can anyone point me to, or provide a representative configuration?
I also wanted to confirm the failure modes under which static ARP between the routers is desirable.
Howard
On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:
> I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.
the multiple routers could just be a way to get a MAC to the ingress router for delivery over the ethernet... a sun/linux/bsd/*unix box might provide the same function. (please logging, analysis, ids, flow collection)
> I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.
why can't it be part of the ibgp mesh? I'm not sure I see why that would be BAD, aside from it bouncing under load and affecting all ibgp neighbors... so, aside from route-churn and neighbor setup/teardown churn what other reasons?
At 1:34 PM +0000 4/29/05, Christopher L. Morrow wrote:
> On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:
>> I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.
> the multiple routers could just be a way to get a MAC to the ingress router for delivery over the ethernet... a sun/linux/bsd/*unix box might provide the same function. (please logging, analysis, ids, flow collection)
The architecture described doesn't have the two routers treating the Ethernet as a destination:
SinkholeIn--->Switch------>SinkholeOut
                |
                |
            analyzers
>> I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.
> why can't it be part of the ibgp mesh? I'm not sure I see why that would be BAD, aside from it bouncing under load and affecting all ibgp neighbors... so, aside from route-churn and neighbor setup/teardown churn what other reasons?
The most basic is whether I am diverting a maliciously inserted route to it from the edge router.
On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:
> At 1:34 PM +0000 4/29/05, Christopher L. Morrow wrote:
>> On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:
>>> I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.
>> the multiple routers could just be a way to get a MAC to the ingress router for delivery over the ethernet... a sun/linux/bsd/*unix box might provide the same function. (please logging, analysis, ids, flow collection)
> The architecture described doesn't have the two routers treating the Ethernet as a destination:
> SinkholeIn--->Switch------>SinkholeOut
>                 |
>                 |
>             analyzers
hrm, 'sinkhole' to me always means 'hole' not 'sinkpassthrough'. normally if we do this we just drop the traffic in a hole we can look at, then release the route later after analysis. With the 'in/out' concept you have to provide a manner to tunnel away from the hole, else you end up looping back through it indefinitely (or so it would seem).
>>> I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.
>> why can't it be part of the ibgp mesh? I'm not sure I see why that would be BAD, aside from it bouncing under load and affecting all ibgp neighbors... so, aside from route-churn and neighbor setup/teardown churn what other reasons?
> The most basic is whether I am diverting a maliciously inserted route to it from the edge router.
uhm, so you put a /32 into the sinkhole all traffic to that destination in your network heads there. What 'maliciously inserted route' are you talking about? something a customer of yours sends you?
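An added illustration, not part of any poster's message, of the two points raised above: a /32 diversion route wins longest-prefix match on every router that carries it, so a pass-through (in/out) sinkhole loops unless its egress has a path that bypasses that route. Router names, prefixes and the modelled tunnel are constructed assumptions.

```python
import ipaddress

def lookup(fib, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in fib.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "drop"

def trace(fibs, start, dst, ttl=8):
    """Follow next hops from `start`; return (path, outcome)."""
    path, node = [start], start
    while ttl > 0:
        nh = lookup(fibs[node], dst)
        if nh in ("deliver", "drop"):
            return path, nh
        path.append(nh)
        node, ttl = nh, ttl - 1
    return path, "loop (TTL expired)"

VICTIM = "192.0.2.10"                      # constructed, documentation range
AGG, HOST = "192.0.2.0/24", VICTIM + "/32"

def topology(sink_in_route, sink_out_route):
    """Constructed AS: edge and core both carry the /32 diversion route."""
    return {
        "edge":         {AGG: "core", HOST: "sinkhole_in"},
        "core":         {AGG: "deliver", HOST: "sinkhole_in"},
        "sinkhole_in":  {AGG: "core", HOST: sink_in_route},
        "sinkhole_out": {AGG: "core", HOST: sink_out_route},
    }

def scenarios():
    return {
        # 'hole': traffic is sunk at the ingress box for inspection
        "hole": trace(topology("drop", "drop"), "edge", VICTIM),
        # pass-through whose egress hands traffic back to a router holding the /32
        "pass-through, no tunnel": trace(topology("sinkhole_out", "core"), "edge", VICTIM),
        # pass-through whose egress tunnels past the /32 (modelled as direct delivery)
        "pass-through, tunnel": trace(topology("sinkhole_out", "deliver"), "edge", VICTIM),
    }

if __name__ == "__main__":
    for name, (path, outcome) in scenarios().items():
        print(f"{name:24} {' -> '.join(path)} => {outcome}")
```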
participants (7)
- Christopher L. Morrow
- Dave Crocker
- Howard C. Berkowitz
- Michael.Dillon@radianz.com
- Sean Donelan
- Suresh Ramasubramanian
- william(at)elan.net