http://en.rian.ru/russia/20050428/39757635.html
The Federal Security Service proposes setting new rules for Internet
providers so that it could prevent the spread of extremist ideas, track
down illegal online operations, and get access to databases with mobile
telephone subscribers' details, such as e-mail addresses, Frolov said.
There should be compulsory registration of mobile phone users with
Internet connectivity.
> There should be compulsory registration of mobile phone users with
> Internet connectivity.
does this mean that someone who does not use a mobile phone, normally, must
register before borrowing one to make a single call?
(you said user, not instrument, so i'm assuming the answer is yes.)
d/
> http://en.rian.ru/russia/20050428/39757635.html
> The Federal Security Service proposes setting new rules for Internet
> providers so that it could prevent the spread of extremist ideas, track
> down illegal online operations, and get access to databases with mobile
> telephone subscribers' details, such as e-mail addresses, Frolov said.
> There should be compulsory registration of mobile phone users with
> Internet connectivity.
This makes Russia sound like some insane place where Big Brother
spies on the communications of all citizens, like in the United States.
However, the last paragraph in the article makes Russia sound
like a more sane place where people realize that the Internet
doesn't need lots of special laws, rather like Canada.
The Ministry of Information Technologies and Communications is
opposed to the idea of adopting a separate law on Internet operations.
Speaking at today's panel discussion in the Federation Council, Deputy
Minister Boris Antonyuk said the use of the Internet could be regulated
by more general laws already in effect, including those dealing with
advertising, the protection of consumer rights, and administrative
offenses.
--Michael Dillon
> The Federal Security Service proposes setting new rules for Internet
> This makes Russia sound like some insane place where Big Brother
> spies on the communications of all citizens, like in the United States.
Here's a hint.. the FSB is the rebadged version of the old KGB
Trust me, they have a lot of experience snooping on the communication
of their citizens
> The Ministry of Information Technologies and Communications is
> opposed to the idea of adopting a separate law on Internet operations.
> Speaking at today's panel discussion in the Federation Council, Deputy
> Minister Boris Antonyuk said the use of the Internet could be regulated
> by more general laws already in effect, including those dealing with
> advertising, the protection of consumer rights, and administrative
> offenses.
Some of it yes. The rest of it is uniquely internet related.
India is still learning that you can't use the Indian Posts and
Telegraphs Act, which was promulgated in the late 1890s, to try to
regulate the telephony system and the internet all that efficiently.
Sure, there's the IT act of 2000, which is a basic copy and paste from
the Singapore IT act among other laws, but that still has a lot of
crossover with the old P&T act.
> http://en.rian.ru/russia/20050428/39757635.html
> This makes Russia sound like some insane place where Big Brother
> spies on the communications of all citizens,
The changes there in last 4 years seem to be in that direction. Plus also their system of people spying on their friends and co-workers (donosi) was never fully dismantled and people involved were not banned from public office and government like it happened in Czech and other Eastern European countries.
> like in the United States.
Neither Russian nor US government announcements are good for Internet,
if it is to stay as means of international cooperation and unrestricted
information exchange.
> However, the last paragraph in the article makes Russia sound
> like a more sane place where people realize that the Internet
> doesn't need lots of special laws, rather like Canada.
It's not always about exact laws and in Russia laws are meant to be "reinterpreted" (that is what Putin said) by each court. In any case, courts there are mostly controlled by executive branch (and so is parliament as of year ago), the transition to democracy in Russia was stopped half way in mid 90s and is now fully reversed in direction with active and former KGB officers largely responsible for that.
Controlling the media is always important for totalitarian regime as means of controlling the society at large. First most important media is still TV and steps to control all national channels was first thing done by Putin starting in 2001 and now TV is fully under governmental control in Russia. Next most important media are newspapers and then Internet. The attempts to control are being done by requiring all newspapers and all internet media sites (!!!) to be registered with ministry of press (now office in cultural ministry) and while it's not all under control (yet), the steps are being taken to restrict what newspapers say if they want to keep being published. But latest trend of blogger sites are not subject to media laws and that is why this new announcement of need to control what is being said on the Internet is coming up now.
Frankly, I think they are too ambitious if they think they can actually control the internet and what people in Russia can say (and same at even stronger scale for US) - Internet there is not that of China and it's too difficult or too late to change developed infrastructure, so I believe it'll most likely stay open as means of open personal communication exchange and possibly 20-30 years from now that will be the decisive factor in Russian government's downfall, but for right now it's all going into the direction of totalitarian regime, something like that of Chile in 1980s...
I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.
I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.
My assumption is that the ingress router has to be either a confederation AS, or route reflector client, talking to the egress router. The latter is part of the main iBGP mesh, although it could be a client in a next hierarchical reflection cluster. Do any of these iBGP arrangements impact having the sinkhole ingress with an anycast address?
Is this a correct architectural assumption? Can anyone point me to, or provide a representative configuration?
I also wanted to confirm the failure modes under which static ARP between the routers is desirable.
Howard
> I've seen some Cisco security presentations that include sinkholes
> composed of an ingress and egress router, interconnected with a
> switch. The switch provides access for tools such as packet
> analyzers, IDS, routing analyzers, etc. The multiple routers also
> provide more horsepower for inspection, filtering, and
> overhead-imposing measurements such as NetFlow.
the multiple routers could just be a way to get a MAC to the ingress
router for delivery over the ethernet... a sun/linux/bsd/*unix box might
provide the same function. (please logging, analysis, ids, flow
collection)
> I am unclear about the BGP relationship between the two routers,
> which are meant to be treated as one subsystem. The ingress router
> (with respect to the outside) clearly has to have its BGP isolated
> from the rest of the AS, so it can't be part of the iBGP mesh.
why can't it be part of the ibgp mesh? I'm not sure I see why that would
be BAD, aside from it bouncing under load and affecting all ibgp
neighbors... so, aside from route-churn and neighbor setup/teardown churn
what other reasons?
>> I've seen some Cisco security presentations that include sinkholes
>> composed of an ingress and egress router, interconnected with a
>> switch. The switch provides access for tools such as packet
>> analyzers, IDS, routing analyzers, etc. The multiple routers also
>> provide more horsepower for inspection, filtering, and
>> overhead-imposing measurements such as NetFlow.
> the multiple routers could just be a way to get a MAC to the ingress
> router for delivery over the ethernet... a sun/linux/bsd/*unix box might
> provide the same function. (please logging, analysis, ids, flow
> collection)
The architecture described doesn't have the two routers treating the Ethernet as a destination:
SinkholeIn--->Switch------>SinkholeOut
>
analyzers
>> I am unclear about the BGP relationship between the two routers,
>> which are meant to be treated as one subsystem. The ingress router
>> (with respect to the outside) clearly has to have its BGP isolated
>> from the rest of the AS, so it can't be part of the iBGP mesh.
> why can't it be part of the ibgp mesh? I'm not sure I see why that would
> be BAD, aside from it bouncing under load and affecting all ibgp
> neighbors... so, aside from route-churn and neighbor setup/teardown churn
> what other reasons?
The most basic is whether I am diverting a maliciously inserted route to it from the edge router.
>
>>
>> I've seen some Cisco security presentations that include sinkholes
>> composed of an ingress and egress router, interconnected with a
>> switch. The switch provides access for tools such as packet
>> analyzers, IDS, routing analyzers, etc. The multiple routers also
>> provide more horsepower for inspection, filtering, and
>> overhead-imposing measurements such as NetFlow.
>
>the multiple routers could just be a way to get a MAC to the ingress
>router for delivery over the ethernet... a sun/linux/bsd/*unix box might
>provide the same function. (please logging, analysis, ids, flow
>collection)
The architecture described doesn't have the two routers treating the
Ethernet as a destination:
SinkholeIn--->Switch------>SinkholeOut
>
>
analyzers
hrm, 'sinkhole' to me always means 'hole' not 'sinkpassthrough'. normally
if we do this we just drop the traffic in a hole we can look at, then
release the route later after analysis. With the 'in/out' concept you have
to provide a manner to tunnel away from the hole, else you end up looping
back through it indefinitely (or so it would seem).
>
>>
>> I am unclear about the BGP relationship between the two routers,
>> which are meant to be treated as one subsystem. The ingress router
>> (with respect to the outside) clearly has to have its BGP isolated
>> from the rest of the AS, so it can't be part of the iBGP mesh.
>>
>
>why can't it be part of the ibgp mesh? I'm not sure I see why that would
>be BAD, aside from it bouncing under load and affecting all ibgp
>neighbors... so, aside from route-churn and neighbor setup/teardown churn
>what other reasons?
The most basic is whether I am diverting a maliciously inserted route
to it from the edge router.
uhm, so you put a /32 into the sinkhole all traffic to that destination in
your network heads there. What 'maliciously inserted route' are you
talking about? something a customer of yours sends you?
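
The following is an added example, not part of any post in this thread: a small longest-prefix-match simulation of the pass-through sinkhole discussed above, showing how a diverted /32 loops when the egress router hands traffic back to the core and how a tunnel from the egress router avoids that. The router names, the topology and the 192.0.2.0/24 documentation prefix are constructed assumptions.

```python
import ipaddress

def net(prefix):
    return ipaddress.ip_network(prefix)

def lookup(rib, dst):
    """Longest-prefix match: next hop of the most specific covering route."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in rib if addr in n),
               key=lambda n: n.prefixlen, default=None)
    return rib[best] if best is not None else None

def build_ribs(tunnel_from_sinkhole):
    """Constructed topology: edge -> core -> customer_pe, plus a sinkhole pair.

    The /32 diversion route is present on every router in the mesh
    (edge and core). If tunnel_from_sinkhole is True, sink_out reaches
    customer_pe directly (modelling a tunnel), bypassing the core lookup.
    """
    victim_net, diverted = net("192.0.2.0/24"), net("192.0.2.10/32")
    return {
        "edge": {victim_net: "core", diverted: "sink_in"},
        "core": {victim_net: "customer_pe", diverted: "sink_in"},
        # sink_in pushes everything across the analysis switch to sink_out
        "sink_in": {net("0.0.0.0/0"): "sink_out"},
        "sink_out": {victim_net: "customer_pe" if tunnel_from_sinkhole else "core"},
        "customer_pe": {victim_net: "DELIVERED"},
    }

def trace(ribs, start, dst):
    """Follow next hops hop by hop; report DROP, LOOP or DELIVERED."""
    path, node = [start], start
    while node in ribs:
        node = lookup(ribs[node], dst)
        if node is None:
            return path + ["DROP"]
        if node in path:          # revisiting a router means a forwarding loop
            return path + [node, "LOOP"]
        path.append(node)
    return path

if __name__ == "__main__":
    for tunnel in (False, True):
        print("tunnel" if tunnel else "no tunnel",
              trace(build_ribs(tunnel), "edge", "192.0.2.10"))
    print("untargeted host", trace(build_ribs(True), "edge", "192.0.2.20"))
```
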