Industry Capability
LINX Traceability
Best Current Practice
Keith Mitchell
Executive Chairman
London Internet Exchange
ACPO Scotland Internet Awareness Seminar
8th Nov 1999

Overview
• Background, History, Motivation
• Principles
• IP addresses
• Dial-up users
• Applications
• Domain Name System

LINX Experiences
• LINX is UK national Internet Exchange Point (IXP)
• 5 years old today!
• Brings together and represents 88 largest UK/EU ISPs
• Also performs self-regulatory “non-core” activities

Industry Capabilities
• Much work originated and motivated by ACPO/ISP/Government forum
• Two important documents
• Industry Capabilities – see www.ispa.org.uk
• Traceability BCP – today’s talk

LINX Non-Core Activities
• Content Regulation
  – Illegal material
• Law Enforcement
  – Helping investigations
• UBM Regulation
  – “spam”
• Telecomms Regulation
  – Oftel

LINX & Regulation
• Funding, and policy & management oversight of Internet Watch
• Defines “good practice”, but only mandatory requirements concern IXP
• Becoming involved in network abuse
• 3 Best Current Practice documents published earlier this year: http://www.linx.net/noncore/bcp/

LINX BCP Documents
• Published:
  – Traceability
  – Illegal Material
  – Unsolicited E-mail (UBE = “spam”)
• Planned:
  – Internet User Privacy
  – Direct E-mail use

Internet Watch Foundation
• Voluntary funding from large ISPs directly, and small/medium via associations
• Operates hot-line for reporting illegal material - 0845 600 8844
• Working on content rating schemes (ICRA, INCORE projects)
• http://www.internetwatch.org.uk

Key IWF Principle
• UK ISPs supporting IWF are not held responsible for illegal content on their systems, provided:
  – it was placed there by customers
  – they have no prior knowledge of it
  – they take appropriate action when they do learn of it
• N.B. This is an informal agreement, not upheld by UK law

Traceability
• Principle of who did what & when on the Internet
• Key element of making individuals responsible for their actions
• Rest of talk outlines contents of LINX “Best Common Practice” document for ISP industry

Uses of Traceability
• Finding out sources of:
  – Illegal content (e.g. paedophile material)
  – Denial of Service attacks
  – Unsolicited Bulk Messaging (“spam”)
  – Hacking, fraudulent access

Traceability in Practice
• Complete knowledge is 100% possible in theory
• but practice will fall short of this
• BCP document defines how to make practice closer to theory
• Traceability is currently exception
  – ideally the norm
  – legitimate anonymity an exception

Traceability Obstacles
• Vendor support
• Passing information between ISPs and carriers, e.g.
  – across national borders
  – caller id
• Unregistered trial etc. accounts
• 3rd party relaying (e-mail)

IP Addresses
• All Internet activity has to come from some IP address
  – Starting point of any tracing exercise
• Need to map from this through:
  – domain name system
  – one or more ISPs
  – authentication system
  – public telephone network
• to user

IP Address Spoofing
• Need to ensure traffic is coming from where its source address claims - easy to fake
• Most applications require duplex communication, so spoof abuse scope limited:
  – Denial of Service attacks
  – “Single shot” attacks
  – Session sequence number interpolation

Spoof Prevention
• Static source address filters:
  – between backbone and “edge” routers in ISP’s backbone
  – performance impact
  – hard to scale elsewhere, e.g. between providers
• Dynamic filters:
  – per-user per dial-in session
• More info in RFC 2267

Dial-up Users
• Use of per-session dynamic IP address allocation is efficient
• but makes traceability harder
• User accounts and access numbers common to many dial-in routers
• Need to reliably map from:
  – (IP address, time) to (user)

Dial-in Authentication
• RADIUS authentication logs usually have info required, but:
  – need time synchronisation (NTP)
  – records can be lost (UDP)
  – vendor record format variations
• Alternatives include:
  – syslog, dynamic DNS, finger/telnet, SNMP
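
Added example (not part of the original slides or the LINX document): a sketch of the (IP address, time) to (user) lookup over RADIUS accounting records, showing how a lost Stop record and imperfect clock synchronisation affect the answer. The records are constructed; the sketch assumes a single dial-in router, so that Acct-Session-Id values are unique, and a 60-second skew allowance.

```python
from datetime import datetime, timedelta

# Constructed accounting records (not real data). Columns: UTC timestamp,
# Acct-Status-Type, Acct-Session-Id, User-Name, Framed-IP-Address.
RECORDS = [
    ("1999-11-08T09:00:05", "Start", "s1", "alice", "192.0.2.10"),
    ("1999-11-08T09:40:00", "Stop",  "s1", "alice", "192.0.2.10"),
    ("1999-11-08T09:41:30", "Start", "s2", "bob",   "192.0.2.10"),
    # The Stop for s2 never arrived (lost UDP datagram).
    ("1999-11-08T11:15:00", "Start", "s3", "carol", "192.0.2.10"),
    ("1999-11-08T12:00:00", "Stop",  "s3", "carol", "192.0.2.10"),
]

def build_sessions(records):
    """Return {ip: [[start, end, user, end_inferred], ...]} in time order."""
    sessions, open_by_id = {}, {}
    for ts, status, sid, user, ip in sorted(records):
        when = datetime.fromisoformat(ts)
        per_ip = sessions.setdefault(ip, [])
        if status == "Start":
            # A new Start on an address bounds any earlier session on it
            # whose Stop was lost: the address cannot be held twice.
            for s in per_ip:
                if s[1] is None:
                    s[1], s[3] = when, True
            entry = [when, None, user, False]
            per_ip.append(entry)
            open_by_id[sid] = entry
        elif status == "Stop" and sid in open_by_id:
            entry = open_by_id.pop(sid)
            if entry[1] is None:
                entry[1] = when
    return sessions

def who_had(sessions, ip, ts, skew=timedelta(seconds=60)):
    """Map (IP address, time) to [(user, evidence)], tolerating clock skew.
    More than one result means the logs cannot separate the candidates."""
    when = datetime.fromisoformat(ts)
    hits = []
    for start, end, user, inferred in sessions.get(ip, []):
        if start - skew <= when and (end is None or when <= end + skew):
            evidence = "logged" if end is not None and not inferred else "end-inferred"
            hits.append((user, evidence))
    return hits

SESSIONS = build_sessions(RECORDS)
```

An "end-inferred" result is only an upper bound on the session: the user may have disconnected earlier than the next Start on that address.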

Unregistered Users
• e.g.
  – free trials
  – “pay as you go” services
  – public access terminals
• Pose particular traceability problems
• but there are ways to offer these services with safeguards

De-Anonymising Users
• Credit card check
• Voice phone call back
• Fax phone call back
• Avoid shared accounts
• Digital certificates
• Caller Id or CLI

Caller Id (CLI)
• Ideally phone number being used to make modem call passes through telephony carriers and dial-in router to ISP’s logfiles
• Some issues in practice:
  – carriers
  – router vendors
  – users

Caller Id Issues
• Not all carriers present full CLI
  – regulatory intervention needed?
• Not all dial-in routers:
  – accept or log CLI
  – differentiate withheld vs unavailable
• ISPs who are not carriers get user (possibly modified) CLI rather than network CLI

“Pay as you go” Services
• e.g. BTclick, FreeServe et al
• Need to be able to:
  – require and log CLI
  – block payphone, international, prepaid calls
  – maintain frequent abuser phone number blacklist
  – identify IP address ranges used for this

E-Mail Traceability
• Very easy to make e-mail untraceable via fake headers
• Default config of many mail servers dumb in this respect
• Some routine precautions can tackle this
• Modern servers which are wise to this are available

E-mail Server Config
• Make sure actual IP addresses are stamped on headers
• Disable 3rd-party relaying!
• Consider using SMAP, Exim software
• Source filter which IP addresses can connect to SMTP port
• Domain Name verification
  – valid?
  – forward/reverse match?
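
Added example (not part of the original slides): one way a receiving mail server could apply the forward/reverse match check to a connecting client and record the address it actually saw. The function names, verdict strings and DNS data are constructed for illustration; the resolver functions can be swapped, so the check runs offline against the sample tables.

```python
import socket

def system_reverse(ip):
    """PTR (in-addr) lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(name):
    """Address lookup through the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def verify_client(ip, helo, reverse=system_reverse, forward=system_forward):
    """Return (verdict, confirmed_name) for a connecting SMTP client."""
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return ("no-reverse", None)
    # A PTR record is set by whoever runs the reverse zone, so a name only
    # counts once its own forward lookup leads back to the same address.
    confirmed = [n for n in names if ip in forward(n)]
    if not confirmed:
        return ("reverse-unconfirmed", None)
    claimed = helo.rstrip(".").lower()
    return ("match" if claimed in confirmed else "helo-mismatch", confirmed[0])

def from_clause(ip, helo, **resolvers):
    """Text for a Received: header that records the address actually seen."""
    _, name = verify_client(ip, helo, **resolvers)
    return f"from {helo} ({name or 'unknown'} [{ip}])"

# Constructed DNS data for an offline run (documentation address ranges).
PTR = {"192.0.2.25": ["mail.example.net."], "198.51.100.7": ["mail.example.net."]}
A = {"mail.example.net": ["192.0.2.25"]}
FAKE = {"reverse": lambda ip: PTR.get(ip, []), "forward": lambda n: A.get(n, [])}
```

The second sample address has a PTR record claiming mail.example.net, but the forward lookup does not lead back to it, so the name is not trusted and only the literal IP address is recorded.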

USENET News Servers
• Always add X-NNTP-Posting-Host: header
• Restrict posting from customer addresses only
• Heavily restrict use of mail2news
  – Always add X-Mail2news: header
• Importance of synchronised & verified time/date stamping

Domain Name Servers
• in-addr address to name mapping critical when tracing
• important to ensure server security
• in theory dynamic DNS update could insert user name into reverse lookup for session duration - hard in practice

User Privacy
• Laws to protect privacy of ISPs’ customers must be respected
  – e.g. ECHR, Data Protection Acts, IOCA
• “Big Brother” PR is bad both for business and co-operation
• LINX has set up Internet User Privacy Forum to engage in constructive dialog with activists
• See http://www.iupf.org.uk

Possible Future Work
• Inter-provider issues
• IRC & “chat”
• Corrections, improvements
• Feedback welcome!

Conclusions
• You can’t solve the whole problem
• ... but straightforward measures can make a big difference
• Legal protection of legitimate users’ privacy must be addressed
• The industry can take a responsible lead through co-operation