Politech mailing list archives

FC: Reply to Panama requires ISPs to block Internet telephony


From: Declan McCullagh <declan () well com>
Date: Wed, 06 Nov 2002 11:56:03 -0500


---

Date: Tue, 5 Nov 2002 10:59:09 +0100 (CET)
From: Thomas Shaddack <shaddack () ns arachne cz>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Panama requires ISPs to block Internet telephony

There are many, many possible workarounds. The proxy approach is the simplest;
if you have an accomplice outside, you can get a proxy bouncer, using some
software like udpproxy; the same approach that is published all over the
Net for working around blocking of UDP ports for e.g. networked playing of
Quake. This can be defeated by blocking all UDP ports, which will block
LOTS of functionality, including traceroute and remote logging.

Even then, we still have port 53, used for DNS; then Panama would have
three choices: breaking DNS functionality for everyone there (and possibly
around), biting the bullet and not doing anything, or mandating the use of a
recursive resolver of a Panama ISP and blocking all other UDP port 53
traffic.

But even then nothing is lost. We can employ various methods to
encapsulate UDP packets in e.g. ICMP packets. Basically anything that works
like a datagram and gets from one side to the other can carry the
telephony UDP packets as a payload. I suppose it should be easy to write
such a trick e.g. as an iptables module for Linux. The routers then would
have to examine the payload of every packet to check that there is no VoIP
packet encapsulated inside, which could be defeated even by simple XORing by a
constant; driving the necessary processing power far out of reach of
equipment available in Panama, forcing the adversary either to outrageous
expenses or to give up.

For a hardcore and sure solution, we can just set up a VPN with the other
side (been there, done that when my ISP blocked all UDP over port 1024, I
suppose because of a DoS attack, for about 3 days). This will work very well
and will not give the ISP any other chance than blocking packets by TOS value
(Type Of Service, telling the routers that the voice packets have
priority), after which we can sacrifice a little comfort and not use TOS
(which we can do by rewriting the packet headers on the firewall - again,
Linux iptables are excellent for this purpose), or experiment with the
values that don't cause problems. As collateral damage, this filtering
would probably disable all streaming media, if not applied only to VPN
traffic. As an added advantage, the VPN data are encrypted, so even snooping
on the packet content will not reveal the content of the communication.
You can even use this approach for tunneling to a proxy in another country
(operated by the mentioned accomplice outside), from where you'd have free
and "uncensored" access to the rest of the world.

Of course it is important to ask the Panamanian government not to violate
Internet standards. But the battle should be fought on both fronts; if
Panama deploys the VoIP countermeasures, they should be rendered
irrelevant. If such a law stands against technology, I know where I will put
my bets.

Knowledge is power.




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------
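
The payload-inspection question raised in the message, seen from the monitoring side, as an added example that is not part of the original post. It assumes RTP (RFC 3550) voice packets masked with one constant key byte and carried as datagram payloads; all function names and sample packets are constructed for illustration. XORing two masked payloads cancels the constant, so the check compares neighbouring packets instead of matching a per-packet signature.

```python
import struct

def rtp_packet(seq, ts, ssrc, audio):
    """Constructed RTP packet: 12-byte fixed header (RFC 3550), V=2, PT=0."""
    return struct.pack("!BBHII", 0x80, 0x00, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + audio

def xor_mask(data, key):
    """The 'XOR by a constant' masking from the message (one key byte, assumed)."""
    return bytes(b ^ key for b in data)

def naive_rtp_match(payload):
    """Per-packet signature: RTP version 2 and payload type 0."""
    return len(payload) >= 12 and payload[0] >> 6 == 2 and payload[1] & 0x7F == 0

def pair_matches(a, b):
    """True if a and b look like consecutive RTP packets under one constant mask."""
    if len(a) < 12 or len(b) < 12:
        return False
    d = bytes(x ^ y for x, y in zip(a[:12], b[:12]))   # the constant cancels here
    d_seq = int.from_bytes(d[2:4], "big")
    same_flags = d[0] == 0 and d[1] & 0x7F == 0        # ignore the marker bit
    same_ssrc = d[8:12] == b"\x00\x00\x00\x00"
    # seq ^ (seq + 1) is always of the form 2**k - 1, including the 16-bit wrap
    seq_step = d_seq != 0 and d_seq & (d_seq + 1) == 0
    return same_flags and same_ssrc and seq_step

def looks_like_masked_rtp(payloads, min_run=4):
    """Flag a flow when min_run consecutive payload pairs match."""
    run = 0
    for a, b in zip(payloads, payloads[1:]):
        run = run + 1 if pair_matches(a, b) else 0
        if run >= min_run:
            return True
    return False

def sample_flow(key=0x5A, start_seq=0xFFFD, count=6):
    """Constructed sample: 20 ms PCMU frames carried as masked datagram payloads."""
    return [xor_mask(rtp_packet(start_seq + i, 160 * i, 0x1234ABCD, bytes(160)), key)
            for i in range(count)]

if __name__ == "__main__":
    flow = sample_flow()
    print("per-packet signature hits:", sum(naive_rtp_match(p) for p in flow))
    print("pairwise check flags flow:", looks_like_masked_rtp(flow))
```

The pairwise check costs a 12-byte XOR and three comparisons per packet and needs no knowledge of the key.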

