FC: Reply to Panama requires ISPs to block Internet telephony

From: Declan McCullagh (declanat_private)
Date: Wed Nov 06 2002 - 08:56:03 PST


    ---
    
    Date: Tue, 5 Nov 2002 10:59:09 +0100 (CET)
    From: Thomas Shaddack <shaddackat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Panama requires ISPs to block Internet telephony
    
    There are many, many possible workarounds. The proxy approach is the simplest;
    if you have an accomplice outside, you can get a proxy bouncer, using some
    software like udpproxy; the same approach that is published all over the
    Net for working around blocking of UDP ports for, e.g., networked playing of
    Quake. This can be defeated by blocking all UDP ports, which will block
    LOTS of functionality, including traceroute and remote logging.
    
    Even then, we still have port 53, used for DNS; then Panama would have
    three choices: breaking DNS functionality for everyone there (and possibly
    around), biting the bullet and not doing anything, or mandating the use of a
    recursive resolver of a Panama ISP and blocking all other UDP port 53
    traffic.
    
    But even then nothing is lost. We can employ various methods to
    encapsulate UDP packets in, e.g., ICMP packets. Basically anything that works
    like a datagram and gets from one side to the other one can carry the
    telephony UDP packets as a payload. I suppose it should be easy to write
    such a trick, e.g. as an iptables module for Linux. The routers then would
    have to examine the payload of every packet to see whether there is a VoIP
    packet encapsulated inside, which could be defeated even by simple XORing
    with a constant; driving the necessary processing power by far out of reach
    of equipment available in Panama, forcing the adversary to either outrageous
    expenses or to give up.
    
    For a hardcore and sure solution, we can just set up a VPN with the other
    side (been there, done that when my ISP blocked all UDP over port 1024, I
    suppose because of a DoS attack, for about 3 days). This will work very well
    and will not give the ISP any other chance than blocking packets by TOS value
    (Type Of Service, telling the routers that the voice packets have
    priority), after which we can sacrifice a little comfort and not use TOS
    (which we can do by rewriting the packet headers on the firewall - again,
    Linux iptables is excellent for this purpose), or experiment with the
    values that don't cause problems. As collateral damage, this filtering
    would probably disable all streaming media, if not applied only to VPN
    traffic. As an added advantage, the VPN data are encrypted, so even snooping
    on the packet content will not reveal the content of the communication.
    You can even use this approach for tunneling to a proxy in another country
    (operated by the mentioned accomplice outside), from where you'd have free
    and "uncensored" access to the rest of the world.
    
    Of course it is important to ask the Panamanian government not to violate
    Internet standards. But the battle should be fought on both fronts; if
    Panama deploys the VoIP countermeasures, they should be rendered
    irrelevant. If such a law stands against technology, I know where I will put
    my bets.
    
    Knowledge is power.
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan
    -------------------------------------------------------------------------
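A defender-side check for the UDP-in-ICMP encapsulation discussed in the message above, added here as an example and not part of the original thread. It assumes echo requests have already been captured as (timestamp, source, raw ICMP bytes) and that a voice stream keeps a steady packet rate (20 ms frames, roughly 50 packets per second, an assumption about the encapsulated traffic); the constructed capture embedded in the block stands in for real data.

```python
import struct
from collections import defaultdict


def parse_icmp(raw):
    """Split an ICMP datagram (RFC 792 header) into (type, code, payload)."""
    if len(raw) < 8:
        raise ValueError("short ICMP datagram")
    icmp_type, code, _checksum, _rest = struct.unpack("!BBHI", raw[:8])
    return icmp_type, code, raw[8:]


def make_echo(payload):
    """Build an echo request (type 8) with zero checksum/id/seq; constructed test data only."""
    return struct.pack("!BBHI", 8, 0, 0, 0) + payload


def flag_tunnel_hosts(records, window=1.0, min_pps=25, min_payload=100):
    """Return {src: peak packets per window} for sources whose echo requests look
    like a voice stream: payloads larger than a normal ping, sent far faster than
    one per second. Size and timing survive a constant XOR of the payload, so
    that trick does not hide the stream from this check."""
    per_src = defaultdict(list)
    for ts, src, raw in records:
        icmp_type, _code, payload = parse_icmp(raw)
        if icmp_type == 8 and len(payload) >= min_payload:
            per_src[src].append(ts)
    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        peak, start = 0, 0
        for i, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while stamps[start] < ts - window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= min_pps * window:
            flagged[src] = peak
    return flagged


# Constructed capture: 50 echo requests in one second carrying 172-byte payloads
# (an assumed 160-byte audio frame plus a 12-byte RTP header), one ordinary
# 56-byte ping, and one lone large ping that must not trip the rate test.
SAMPLE = [(i * 0.02, "10.0.0.5", make_echo(b"\x80" * 172)) for i in range(50)]
SAMPLE.append((0.50, "10.0.0.7", make_echo(bytes(range(56)))))
SAMPLE.append((0.70, "10.0.0.9", make_echo(b"\x00" * 200)))

if __name__ == "__main__":
    print(flag_tunnel_hosts(SAMPLE))  # {'10.0.0.5': 50}
```

The thresholds are starting points; a VPN over TCP, as the message also suggests, would not appear in ICMP at all and needs a different vantage point.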
    



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 21:43:09 PST