ISPs and full packet inspection

Luke S. Crawford lsc at prgmr.com
Thu May 24 21:25:58 UTC 2012


On Thu, May 24, 2012 at 08:50:47AM -0400, not common wrote:
> Hello,
> 
> I am looking for some guidance on full packet inspection at the ISP level.
> 
> Is there any regulations that prohibit or provide guidance on this?

Unless you are absolutely huge, and maybe even then, you need to worry
more about how your customers will perceive this than how law enforcement
will perceive this.   (I mean, you want to follow the law, sure, but
even if it's legal, if it cheeses the customers?  Well, you have a 
problem.) More to the point, law isn't my field, any more than it is for
most on this list.

In my experience?  Customers get really, really uncomfortable with you
doing, well, almost anything below the headers.  I was talking about doing
an inward-facing Snort IDS (to detect compromised hosts before I got complaints)
and got so far as a prototype where I shared the info I recorded about each
IP with the customer in question, but talking to customers?  This idea 
was extremely offensive, so the project was quashed.  

Now, generally speaking, customers are much more okay with you going through
the IP headers.  For instance, instead of using an IDS, I could, say, count
the number of outgoing connections destined for port 22 or 25, or the same
but count how many unique destinations they use (e.g. to avoid MX-host 
or ssh-tunneling false positives; both of those use cases would have
a lot of connections on those ports, but to a small number of remote hosts).

From what I've heard customers say, this would likely cause less offense 
than using Snort or the like to do full packet inspection.  (It wouldn't
be completely inoffensive, but I think that if I wiped the logs often
and shared my data with the customer, it sounds like something that
customers would tolerate.)  I haven't prototyped that system yet, 
though, so eh, who knows.  

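The header-only heuristic described in the post above (count a customer's outbound connections to ports 22 and 25, then look at how many distinct destinations those connections fan out to) can be run over flow records without ever looking at a payload. The following is an added example, not code from the original post or from prgmr.com; the CSV flow format, the thresholds and the sample traffic are all constructed for illustration and would need tuning against real data.

```python
"""Header-only abuse heuristic over flow records (added example, not from the post).

A flow record here is a constructed CSV line "src_ip,dst_ip,dst_port"; real
deployments would feed NetFlow/sFlow/IPFIX or conntrack exports into the same
logic. Only L3/L4 header fields are used, never packet payload.
"""
from collections import defaultdict

WATCHED_PORTS = {22, 25}      # ssh and smtp, as in the post
# Hypothetical thresholds for illustration only; tune to your own traffic.
MIN_CONNECTIONS = 50          # below this a source is not interesting at all
MIN_UNIQUE_DESTS = 20         # at or above this, heavy traffic looks like scan/spam


def parse_flow_line(line):
    """Parse one constructed 'src,dst,dport' line into (src, dst, int(dport)).

    Returns None for blank or malformed lines so a bad export does not abort
    the whole run.
    """
    parts = line.strip().split(",")
    if len(parts) != 3:
        return None
    src, dst, dport = parts
    try:
        return src, dst, int(dport)
    except ValueError:
        return None


def summarize(lines):
    """Per (source IP, watched port): total connections and unique destinations.

    Returns {src: {dport: (connections, unique_dests)}}.
    """
    conns = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport not in WATCHED_PORTS:
            continue
        conns[(src, dport)] += 1
        dests[(src, dport)].add(dst)
    summary = defaultdict(dict)
    for (src, dport), n in conns.items():
        summary[src][dport] = (n, len(dests[(src, dport)]))
    return dict(summary)


def classify(lines, min_conns=MIN_CONNECTIONS, min_unique=MIN_UNIQUE_DESTS):
    """Label each (source, port) pair.

    'quiet'       : too few connections to matter
    'legit-heavy' : many connections, but to a handful of hosts (MX relay,
                    persistent ssh tunnel); this is the false positive the
                    unique-destination count is meant to avoid
    'suspicious'  : many connections fanning out to many hosts (spam bot,
                    ssh scanner); worth sharing with the customer
    """
    verdicts = {}
    for src, per_port in summarize(lines).items():
        for dport, (n, uniq) in per_port.items():
            if n < min_conns:
                verdict = "quiet"
            elif uniq >= min_unique:
                verdict = "suspicious"
            else:
                verdict = "legit-heavy"
            verdicts.setdefault(src, {})[dport] = verdict
    return verdicts


def make_sample_flows():
    """Constructed sample flows (documentation-range addresses, not real traffic)."""
    lines = []
    # 10.0.0.10: mail server delivering to its two upstream MX hosts
    lines += [f"10.0.0.10,192.0.2.{1 + i % 2},25" for i in range(120)]
    # 10.0.0.20: spam bot hitting 100 different MX hosts
    lines += [f"10.0.0.20,198.51.100.{i},25" for i in range(100)]
    # 10.0.0.30: flaky ssh tunnel reconnecting to one bastion
    lines += [f"10.0.0.30,203.0.113.5,22" for _ in range(80)]
    # 10.0.0.40: ssh scanner sweeping part of a /24
    lines += [f"10.0.0.40,203.0.113.{100 + i},22" for i in range(60)]
    # 10.0.0.50: ordinary HTTPS browsing, not a watched port
    lines += [f"10.0.0.50,198.51.100.{200 + i},443" for i in range(30)]
    lines.append("garbage line")   # malformed record, skipped by the parser
    return lines


if __name__ == "__main__":
    for src, per_port in sorted(classify(make_sample_flows()).items()):
        print(src, per_port)
```

The point of the two-count design is the one the post makes: a connection count alone flags the legitimate mail relay and the ssh tunnel just as loudly as the bot and the scanner, while the unique-destination count separates them using nothing but source, destination and port. Keep the retention of these per-IP counters short, since even header-level summaries are customer data.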
More information about the NANOG mailing list