Interesting People mailing list archives
Re: osed data retention law WAS Republicans propose data retention laws etc
From: David Farber <dave () farber net>
Date: Mon, 23 Feb 2009 09:57:07 -0500
Begin forwarded message:
From: Tom Goltz <tgoltz () quietsoftware com>
Date: February 23, 2009 9:15:47 AM EST
To: Jim Thompson <jim () netgate com>
Cc: David Farber <dave () farber net>, "Steven M. Bellovin" <smb () cs columbia edu>
Subject: Re: [IP] Re: osed data retention law WAS Republicans propose data retention laws etc
At 07:16 AM 2/23/2009, Jim Thompson wrote:
Note that the government could require an 802.1x/WEP or WPA compliant authentication (which could be done semi-anonymously), punting the log to a machine in a much more stable location. Most of the half-decent wireless routers on the market today (including the WRT54 series) will perform enough 802.1x and RADIUS to allow sufficient logs to be kept to comply with the legal requirements of this (not yet a) law.
In my opinion, the solution that you propose is actually HARDER than modifying the router firmware to perform internal logging, for the following reasons:
First, it requires each ISP to set up and maintain a RADIUS authentication server reachable across their entire network.
Second, it requires the ISP to attempt to support literally hundreds of different consumer routers, each of which supports a subtly different subset of RADIUS/802.1x authentication. Keep in mind that RADIUS support is NOT a core feature in the consumer market, so it's far from clear that the claimed support actually WORKS.
Third, it doesn't address the ability of the owner of the router to reconfigure the router to sneak an unauthorized computer onto the network.
In order to fully implement remote authentication / logging, you pretty much have to mandate that ALL routers will be replaced by units owned, controlled and locked down by the ISPs without the ability for the end-user to make core configuration changes, or to replace the firmware. In other words, you would have to outlaw the use of ALL existing wireless routers.
I'm not saying I'm in favor of the idea, or the law. I *AM* stating that Mr. Goltz (*) is wrong, and that those who espouse that DHCP logs are (or were, or even are not) the answer are looking "too far down the stack". It's got nothing to do with the write-performance of the flash.
Compared to shoehorning log-to-flash into the existing routers, I believe your proposed solution is MUCH harder to implement. You assume that all of these existing routers have/can be fitted with 802.1x/RADIUS authentication that works at all, and functions in pretty much the same manner across all the various units. I believe that assumption to be incorrect. Talk to someone who's ever tried to implement centralized authentication for a distributed wireless network if you want the bad and the ugly - there are GOOD reasons why such networks usually have a standardized hardware monoculture.
ANY law that attempts to legally mandate logging and monitoring of people using equipment under the full control of those same users is going to be problematic (no matter HOW you implement it!). The question then becomes: Are we willing as a nation to ban the possession and use of privately-owned networking equipment in order to "save the children"? No doubt shortly to be followed by equally sweeping restrictions on the ownership and operation of computers themselves. The USSR licensed and regulated the possession of photocopiers, why shouldn't we do the same with computers?
The people writing this bill simply do not understand how the Internet operates, and appear to be thinking in terms of a network more along the lines of the Bell System of the 1970's, with strong central control and even stronger control over endpoint equipment.