YouTube IP Hijacking

Steve Gibbard scg at gibbard.org
Tue Feb 26 20:07:27 UTC 2008


On Tue, 26 Feb 2008, Tomas L. Byrnes wrote:

> (first quoting Dave Pooser -- quote order changed by scg)
>> At the risk of being a stereotypical American liberal, I'll
>> point out two significant reasons flying is safer than it
>> used to be in the US are Federal regulation and post-accident
>> lawsuits. If there were an organization like the FAA that had
>> the power to "ground" AS17557 until their network engineers
>> completed a week's refresher course, there'd be significantly
>> better change management techniques in play. If YouTube were
>> currently suing Pakistani Telecom for eighty-seven gazillion
>> dollars-- and were widely considered a lock to win their
>> lawsuit-- suddenly a whole lot of other ISPs would magically
>> find the training budget to make sure THEIR engineers didn't
>> expose THEM to that sort of liability.
>
> Since the US has no jurisdiction over 17557, other than for the US govt.
> to force ISPs to refuse to accept any advertisements with 17557 or any
> other AS that didn't meet some regulatory requirements in the path, how
> would you propose that the regulatory environment you envision work?
>
> American Airlines isn't the right straw-man here, Pakistan International
> Airlines is. The only reason THEY meet anyone else's standards is that
> they wouldn't be allowed to use the airspace or land if they didn't.

I sent Tomas some private mail complaining about some of the things he was 
posting yesterday, but I think Dave's posting was spot on and Tomas's 
follow-up is adding an important point.

As far as I can piece together from what's been reported and argued here, 
there were three responsible parties:  The Pakistani Government who 
ordered YouTube blocked, Pakistan Telecom who implemented a lawful order 
but overshot their government's jurisdiction, and PCCW who accepted the 
announcements and passed them on to the world.

From a technical perspective, this is pretty cut and dried.  Networks 
should be careful what they announce, but sometimes aren't.  Upstream 
providers should be careful what they accept, but sometimes aren't. 
Systems and policies to improve filtering sometimes cause more problems 
than they solve, especially when relying on a central source for 
authentication, and those costs are borne by the party trying to be 
responsible.  Intentional leaks are harder to guard against than 
unintentional ones.  Those hit hard by route leaks generally aren't the 
party responsible for the leak, so incentives to be careful are lacking.

But this case also brings up a bunch of interesting policy and legal 
questions, which I'm less or not at all qualified to answer.

This was a legally required routing announcement in Pakistan, and there 
was presumably a desire that other Pakistani ISPs be able to see the 
announcement.  What if any responsibility do those following a lawful 
order have to keep the results of that order from being seen outside of 
their government's jurisdiction?

What legal responsibility did PCCW have here, and in what countries? 
Given that they've got network infrastructure in the United States and 
around the world, they're presumably vulnerable to lawsuits in the US and 
elsewhere if Hong Kong law isn't sufficient.

How will Google respond?  Route leaks happen from time to time.  Usually 
they're of relatively little consequence, and people clean them up and get 
back to work.  I don't know how much revenue YouTube brings in over the 
course of a couple of hours, but it wouldn't surprise me if they could 
claim to have lost millions of dollars.  PCCW has deep pockets, and Google 
has lots of lawyers.  Will Google sue?  If not, will it be because they 
think they don't have a case, because they value other relationships they 
have with PCCW, or because they're worried about establishing a precedent 
that would make them liable for their own engineers' errors?

If Google did sue, would that lead to some BGP certification requirements 
for ISPs to get liability insurance?  If such an insurance requirement 
didn't affect ISPs like Pakistan Telecom, would having it become a 
requirement for the international ISPs that tend to provide international 
transit be sufficient?

(And then, of course, the really scary questions:  What would such a 
certification process look like, and how many of us would be able to 
pass?)

-Steve


