Mastering the Internet
Richard Clayton
ukcrypto at chiark.greenend.org.uk
Mon, 4 May 2009 13:54:05 +0100
In article <87zldu5d0z.fsf@mid.deneb.enyo.de>, Florian Weimer
<fw@deneb.enyo.de> writes
>most routers deployed on the Internet already have that
>capability. IPFIX/Netflow export functionality is very common, and
>there are also monitor ports and (E)RSPAN, which provide payload
>access.

Last week I asked some people who would know (and I promised not to say
who I asked or where we were sitting at the time)... and they said
quite clearly that the current consultation is about DPI and not about
Netflow. viz: fairly advanced capabilities.

Apparently this has not been made clear within the consultation because
that would confuse people!

viz: the capability envisaged is of reconstructing the streams of data
which are flowing back and forth between users and "third parties" (ie:
hotmail/gmail/facebook/bebo &c) and then extracting "traffic data" from
within those streams of data (and discarding the rest).

They consider your login name for hotmail/gmail/facebook/bebo &c to be
traffic data, along with details of who, when and how much you are
communicating with through these systems. They do not consider whatever
you say within these systems to be comms data but content.

What this means is that they can look for distinctive strings like this
(sent by Google):

,["ti","Inbox",5,0,5,"in:inbox",[]
,"b55",-1,0,5,0,[]
,,]
,["tb",0,5,["120b041b431b018d","120b041b431b018d","120b041b431b018d",1,0
,["^all","^i"]
,[]
,"\u003cspan class\u003d\"yP\" email\u003d\"sender@example.co.uk\"\u003e
Winston Smith\u003c/span\u003e","\u0026raquo;\u0026nbsp;","This is a
subject line","This is the start of the content\u0026hellip;",0,"","",
"Apr 16","Thu, Apr 16, 2009 at 7:47 PM",1239907677680002,,[]
,0,0,[]
,,[]
,]

and pick out and record the sender details and the time and date, but
not the "This is a subject line" and "This is the start of the content".

Essentially this is equivalent to what they'd get from SMTP logs, but
there isn't the tedious need to nip over to Mountain View for a copy of
those -- Google helpfully provides them in an easy-to-parse way.

Similarly for Facebook, Bebo etc (quite what sort of radicals they think
are using Bebo escapes me, but it keeps being mentioned).

>I think that for diagnostic purposes, capacity planning etc.,
>it's also legal to use them.

Yes, ISPs use Netflow a lot for monitoring their networks. You can also
go looking for various types of abuse with it as well (tracking
customers who have become part of a botnet etc). All entirely lawful if
it is being done by the ISP themselves for network protection reasons.

--
richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
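
The split between "traffic data" and content described in the message above, as an added example that is not part of the original post: it reads the quoted Google response fragment, keeps the sender details and timestamp, and never stores the subject or snippet, which shows how little of an unencrypted response has to be understood to do so. The function name, the regular expressions and the rejoined sample (wrapped lines put back together) are assumptions made for this illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed input: the "tb" record quoted in the message, with its wrapped
# lines rejoined (no break after \u003e or inside the subject line).
SAMPLE = r'''
,["tb",0,5,["120b041b431b018d","120b041b431b018d","120b041b431b018d",1,0
,["^all","^i"]
,[]
,"\u003cspan class\u003d\"yP\" email\u003d\"sender@example.co.uk\"\u003eWinston Smith\u003c/span\u003e","\u0026raquo;\u0026nbsp;","This is a subject line","This is the start of the content\u0026hellip;",0,"","","Apr 16","Thu, Apr 16, 2009 at 7:47 PM",1239907677680002,,[]
,0,0,[]
,,[]
,]
'''

# The fragment is not valid JSON (empty array slots), so work on tokens.
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')            # one quoted string literal
SENDER = re.compile(r'<span class="yP" email="([^"]+)">([^<]*)</span>')
STAMP = re.compile(r'(?<!\d)(\d{16})(?!\d)')         # microseconds since epoch


def traffic_data(record):
    """Return sender and time only; subject and snippet are never kept."""
    sender = None
    for literal in STRING.findall(record):
        try:
            text = json.loads(literal, strict=False)  # decodes \u003c, \" ...
        except ValueError:
            continue                                  # non-JSON escape: skip
        match = SENDER.search(text)
        if match:
            sender = match.groups()
            break
    # Blank every string so hex thread ids cannot be mistaken for the
    # bare numeric timestamp that follows the human-readable date.
    stamp = STAMP.search(STRING.sub('""', record))
    if sender is None or stamp is None:
        return None
    secs, micros = divmod(int(stamp.group(1)), 1_000_000)
    when = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros)
    return {"sender": sender[0], "name": sender[1], "time": when.isoformat()}


if __name__ == "__main__":
    print(traffic_data(SAMPLE))
```
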