---

Date: Tue, 5 Nov 2002 10:59:09 +0100 (CET)
From: Thomas Shaddack <shaddackat_private>
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Panama requires ISPs to block Internet telephony

There are many many possible workarounds.

Proxy approach is the simplest; if you have an accomplice outside, you can get a proxy bouncer, using some software like udpproxy; the same approach that is published all over the Net for working around blocking UDP ports for ie. networked playing of Quake.

This can be defeated by blocking all UDP ports. Which will block LOTS of functionality, including traceroute and remote logging. Even then, we still have port 53, used for DNS; then Panama would have three choices; breaking DNS functionality for everyone there (and possibly around), biting the bullet and not doing anything, or mandating using a recursive resolver of a Panama ISP and blocking all other UDP port 53 traffic.

But even then nothing is lost. We can employ various methods to encapsulate UDP packets in ie. ICMP packets. Basically anything that works like a datagram and gets from one side to the other one can carry the telephony UDP packets as a payload. I suppose it should be easy to write such trick ie. as an iptables module for Linux. The routers then would have to examine the payload of every packet if there is no VoIP packet encapsulated inside, which could be defeated even by simple XORing by a constant; driving the necessary processing power by far out of reach of equipment available in Panama, forcing the adversary to either outrageous expenses or to give up.

For hardcore and sure solution, we can just set up a VPN with the other side (been there done that when my ISP blocked all UDP over port 1024, I suppose because a DoS attack, for about 3 days). This will work very well and will not give the ISP other chance than blocking packets by TOS value (Type Of Service, telling the routers that the voice packets have priority), after which we can sacrifice a little comfort and not use TOS (which we can do by rewriting the packet headers on firewall - again, Linux iptables are excellent for this purpose), or experiment with the values that don't cause problems. As a collateral damage, this filtering would probably disable all streaming media, if not applied only to VPN traffic.

As added advantage, the VPN data are encrypted, so even snooping on the packet content will not reveal the content of the communication. You can even use this approach for tunneling to a proxy in another country (operated by a mentioned accomplice outside), from where you'd have free and "uncensored" access to the rest of the world.

Of course it is important to ask Panamanian government to not violate Internet standards. But the battle should be fought on both fronts; if Panama will deploy the VoIP countermeasures, they should be rendered irrelevant.

If such law stands against technology, I know where I will put my bets.

Knowledge is power.

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 21:43:09 PST