Interesting People mailing list archives

let's read the spec Verizon "Broadband Router"


From: David Farber <dave () farber net>
Date: Fri, 30 Jun 2006 08:36:27 -0400



Begin forwarded message:

From: Bill Stewart <bill.stewart () pobox com>
Date: June 29, 2006 8:54:30 PM EDT
To: dave () farber net
Cc: "David P. Reed" <dpreed () reed com>, dewayne-net () warpspeed com
Subject: Re: more on Verizon "Broadband Router" the perfect Trojan Horse

David Reed fundamentally misreads the TR-069 standards document.
As far as I can tell, while it's written with the usual clarity
of a telecom standard designed by a committee with multiple goals,
it is *not* a design in which
- the user wants to read arbitrary web sites using a browser
- the router watches all the IP packets,
        deeply inspecting the protocols wrapped inside the
                HTTP or HTTPS layer inside the TCP layer
                inside the IP layer
        and redirects packets directed to some sites
- the ACS control system tells the router what to redirect.

In fact it appears to be a design in which
- the user wants to change features of their network service,
        or get their router fixed if it's broken, etc.
- browsers are the tool that everybody uses to talk to users
        (for instance, my home wireless and wired routers
        both use browsers as their interface)
- some of the changes require communicating with the router
        to set parameters, reboot the router, etc.
- some of the communications can be done by the ACS control system,
        but some of them can only be done from the user's LAN,
        either for security reasons or because something's wrong
        with the router or whatever.
- the user can browse to the ISP's web site,
        give the service provider information (upgrade requests,
        account numbers, etc.),
        get information such as activation codes or firmware URLs,
- the web site can redirect the user's browser to send that
        information to the router, which can do something direct
        or connect to the ACS for more instructions, etc.

In fact the whole Network Neutrality debate is filled with
people who don't understand the technology (including people
who should, and people on multiple sides of the debate)
extrapolating terrifying possible outcomes of various things,
ranging from Censorship by the Telco/NSA/Disney/Bush cabal
to the Death of Consumer Service Innovation Strangled at Birth
by the Red Tape of Astroturf-Driven Regulation.

If an ISP _wanted_ to control user web-browsing behavior,
it'd be much simpler and more cost-effective to do it centrally,
using DNS servers, transparent proxy and caching equipment,
PPPoE tunnels, and similar tools.
There are ISPs who do some of this, not for nefarious purposes,
but typically to quarantine virus-infected users and zombies
so that they can only access virus-cleanup sites,
or else to redirect users who haven't paid their bills
to the ISP's online billing site.

                Bill Stewart

Disclaimer: As usual, this message is entirely not intended
to speak for my employers, current or past,
and it's also not intended to speak for the TR-069 standards
committee.
