Interesting People mailing list archives

Re: osed data retention law WAS Republicans propose data retention laws etc


From: David Farber <dave () farber net>
Date: Mon, 23 Feb 2009 09:57:07 -0500



Begin forwarded message:

From: Tom Goltz <tgoltz () quietsoftware com>
Date: February 23, 2009 9:15:47 AM EST
To: Jim Thompson <jim () netgate com>
Cc: David Farber <dave () farber net>, "Steven M. Bellovin" <smb () cs columbia edu>
Subject: Re: [IP] Re: osed data retention law WAS Republicans propose data retention laws etc

At 07:16 AM 2/23/2009, Jim Thompson wrote:
Note that the government could require an 802.1x/WEP or WPA compliant
authentication (which could be done semi-anonymously), punting the log
to a machine in a much more stable location. Most of the half-decent
wireless routers on the market today (including the WRT54 series) will
perform enough 802.1x and RADIUS to allow sufficient logs to be kept
to comply with the legal requirements of this (not yet a) law.

In my opinion, the solution that you propose is actually HARDER than modifying the router firmware to perform internal logging, for the following reasons:

First, it requires each ISP to set up and maintain a RADIUS authentication server reachable across their entire network.

Second, it requires the ISP to attempt to support literally hundreds of different consumer routers, each of which supports a subtly different sub-set of RADIUS/802.1x authentication. Keep in mind that RADIUS support is NOT a core feature in the consumer market, so it's far from clear that the claimed support actually WORKS.

Third, it doesn't address the ability of the owner of the router to reconfigure the router to sneak an unauthorized computer onto the network.

In order to fully implement remote authentication / logging, you pretty much have to mandate that ALL routers will be replaced by units owned, controlled and locked down by the ISPs without the ability for the end-user to make core configuration changes, or to replace the firmware. In other words, you would have to outlaw the use of ALL existing wireless routers.

I'm not saying I'm in favor of the idea, or the law. I *AM* stating
that Mr. Goltz (*) is wrong, and that those who espouse that DHCP logs
are (or were, or even are not) the answer are looking "too far down
the stack". It's got nothing to do with
the write-performance of the flash.

Compared to shoehorning log-to-flash into the existing routers, I believe your proposed solution is MUCH harder to implement. You assume that all of these existing routers have/can be fitted with 802.1x/RADIUS authentication that works at all, and functions in pretty much the same manner across all the various units. I believe that assumption to be incorrect. Talk to someone who's ever tried to implement centralized authentication for a distributed wireless network if you want the bad and the ugly - there are GOOD reasons why such networks usually have a standardized hardware monoculture.

ANY law that attempts to legally mandate logging and monitoring of people using equipment under the full control of those same users is going to be problematic (no matter HOW you implement it!). The question then becomes: Are we willing as a nation to ban the possession and use of privately-owned networking equipment in order to "save the children"? No doubt shortly to be followed by equally sweeping restrictions on the ownership and operation of computers themselves. The USSR licensed and regulated the possession of photocopiers; why shouldn't we do the same with computers?

The people writing this bill simply do not understand how the Internet operates, and appear to be thinking in terms of a network more along the lines of the Bell System of the 1970s, with strong central control and even stronger control over endpoint equipment.
