nanog mailing list archives
Re: ISPs and full packet inspection
From: "Luke S. Crawford" <lsc () prgmr com>
Date: Thu, 24 May 2012 17:25:58 -0400
On Thu, May 24, 2012 at 08:50:47AM -0400, not common wrote:
> Hello, I am looking for some guidance on full packet inspection at the ISP level. Are there any regulations that prohibit or provide guidance on this?
Unless you are absolutely huge, and maybe even then, you need to worry more about how your customers will perceive this than how law enforcement will perceive this. (I mean, you want to follow the law, sure, but even if it's legal, if it cheeses the customers? well, you have a problem.) More to the point, like most on this list, law isn't my field.

In my experience? customers get really, really uncomfortable with you doing, well, almost anything below the headers. I was talking about doing an inward-facing snort IDS (to detect compromised hosts before I got complaints) and got so far as a prototype where I shared the info I recorded about each IP with the customer in question, but talking to customers? this idea was extremely offensive, so the project was quashed.

Now, generally speaking, customers are much more okay with you going through the IP headers. For instance, instead of using an IDS, I could, say, count the number of outgoing connections destined for port 22 or 25, or the same but count how many unique destinations they use (e.g. to avoid MX host or ssh tunneling false positives... both of those use cases would have a lot of connections on those ports, but to a small number of remote hosts.)

From what I've heard customers say, this would likely cause less offense than using snort or the like to do full packet inspection. (It wouldn't be completely inoffensive, but I think that if I wiped the logs often and shared my data with the customer, it sounds like something that customers would tolerate.) I haven't prototyped that system yet, though, so eh, who knows.
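
The header-only counting described in the message above, as an added example that is not part of the original post: it tallies outgoing connections to ports 22 and 25 per customer IP and flags on unique destinations rather than raw connection count. The record format (`src dst dport`), the threshold and all names are assumptions, and the flow records are constructed sample data.

```python
from collections import defaultdict

WATCHED_PORTS = {22, 25}      # SSH and SMTP, the ports named in the message
UNIQUE_DST_THRESHOLD = 20     # assumed cut-off; tune per network


def build_sample():
    """Constructed flow records, one 'src_ip dst_ip dst_port' per line."""
    lines = []
    # Mail relay customer: many connections, only two MX hosts.
    for i in range(500):
        lines.append(f"192.0.2.10 198.51.100.{1 + i % 2} 25")
    # SSH tunnel user: many connections, a single remote host.
    for _ in range(300):
        lines.append("192.0.2.11 198.51.100.7 22")
    # Likely compromised host: few connections each, 60 distinct targets.
    for i in range(60):
        lines.append(f"192.0.2.12 203.0.113.{i + 1} 22")
    # Traffic on other ports is ignored entirely.
    lines.append("192.0.2.12 203.0.113.5 443")
    lines.append("malformed record")
    return lines


def summarize(lines):
    """Return {(src, port): (connections, unique_destinations)}."""
    conns = defaultdict(int)
    dsts = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip records that do not parse
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port not in WATCHED_PORTS:
            continue
        conns[(src, port)] += 1
        dsts[(src, port)].add(dst)
    # Keep only counts so destination addresses are not retained.
    return {key: (conns[key], len(dsts[key])) for key in conns}


def flag(summary, threshold=UNIQUE_DST_THRESHOLD):
    """Flag on unique destinations, so MX hosts and tunnels stay quiet."""
    return sorted(k for k, (_, uniq) in summary.items() if uniq > threshold)


if __name__ == "__main__":
    report = summarize(build_sample())
    for key in flag(report):
        print(key, report[key])
```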