NDAA passed: Internet and Online Streaming Services Emergency Alert Study

The House on Monday and the Senate on Friday have overriden the President's veto of the National Defense Authorization Act for Fiscal Year 2021 passing it into law.

Among the NDAA's various sections, it includes the Reliable Emergency Alert Distribution Improvement (READI) Act. The READI Act includes a study and report for Emergency Alerts via the internet and streaming services.

SEC. 9201. RELIABLE EMERGENCY ALERT DISTRIBUTION IMPROVEMENT.
[...]
(e) INTERNET AND ONLINE STREAMING SERVICES EMERGENCY ALERT EXAMINATION.—
(1) STUDY.—Not later than 180 days after the date of
enactment of this Act, and after providing public notice and
opportunity for comment, the Commission shall complete an
inquiry to examine the feasibility of updating the Emergency
Alert System to enable or improve alerts to consumers provided
through the internet, including through streaming services.

How would that even work? Force a pop up into web traffic? What if the end users is using an app on a phone?

How would that even work? Force a pop up into web traffic?

That's not going to play nicely at all in a world of https://

What if the end users is using an app on a phone?

I'm having a hard time thinking of what app I could *possibly* be using on a
phone where I wouldn't want an interruption for a tornado or active shooter
alert.

This was discussed in detail a while ago - I'm pretty sure the general
consensus was that having the phone/game console/smart home control center/
whatever would be running an alert endpoint app that would talk to the ISP/
cellphone tower and register for alerts and then DTRT to notify the relevant
carbon-based life forms.

Like any other "commission-based study".
Remember, the action is :
"after providing public notice and opportunity for comment,
the Commission shall complete an inquiry to examine the feasibility"

Any eventual action requiring intervention of the operators (access or service) is not yet defined, and will follow at a later date (if ever).

Sean Donelan wrote:

the Commission shall complete an
inquiry to examine the feasibility of updating the Emergency
Alert System to enable or improve alerts to consumers provided
through the internet, including through streaming services.

It is trivially easy to have a dedicated UDP port to receive
broadcast packets for such purposes, as "through streaming
services" is not the requirement.

As streaming services are often offered from distant places
including foreign locations, generations of emergency alert
packets *MUST* be responsibility of *LOCAL* ISPs.

A problem is that home routers may filter the broadcast
packets from ISPs, but the routers may be upgraded or
some device to snoop the alert packets may be placed between
ISPs and the routers.

            Masataka Ohta

Hi,

I mean, if you know where you are, it's trivial to ask various services that already exist (in most cases, in some form) if there are emergency alerts for your location. It wouldn't be hard to make this a pubsub type system so that a device can just subscribe to it and be notified if it happens over a "NAT is everywhere" friendly long-term TCP session with TCP and occasionally application-level keepalives.

Media streaming devices could essentially do this now. The governments which publish this information could help by running services that make this data more readily available in standard formats and with well-known locations and APIs. IDK if they currently do that.

This is, IMO, how the Internet is supposed to work. Somebody makes content available. If you want it, ask them for it. The network just moves the data.

ISPs are not typically in the business of flinging unsolicited traffic at endpoints. We're not cable companies (or at least some of us are not). And, as you point out, unsolicited UDP traffic is almost guaranteed to get dropped even if you have end-to-end address transparency as stateful firewalls are quite common even then.

What the ISP can potentially help a lot with is having some easily-discovered service to provide the ISP's notion of "where am I (probably)?". I wouldn't expect E911 levels of granularity on this, or at least I don't think that's a reasonable request to make of most ISPs as that would require live data from DHCP, billing, etc. all to be put together in ways that could be difficult and cause security or privacy concerns.

What I think IS feasible is something along the lines of a response that says "Well, the gear you're terminated on hosts customers within this city or zip code or whatever, so that's where you probably are." This is largely static data that you can infer based on large IP swaths (many ISPs already essentially put it in their synthesized rDNS) for many common configurations and is sufficient for filtering most kinds of emergency alerts.

Devices which have GPS can obviously supplement/replace with their own location data. Devices which have access to Wi-Fi/Bluetooth beacon location databases can largely do the same. This is almost guaranteed to be more accurate AND more precise.

Hi,

How would that even work? Force a pop up into web traffic? What if the end
users is using an app on a phone?

Most, if not all, mobile devices connected to cellular already have that option. On
my iphone it's under settings->notifications->government alerts. There are three
separate options: Amber alerts, Emergency alerts, and Public Safety alerts.

Personally, I have all three turned off after receiving nonsens alerts. Amber alerts
for children abducted in Los Angeles, only 600km (~450 miles) from the Bay Area,
where I live, for example. Or a "public safety" alert telling me that there are
too many people in the local Trader Joe's, 2 miles from my home.

Aliens always invade New York, so I'm safe up here

Thanks,

Sabri

Hi,

How would that even work? Force a pop up into web traffic? What if the end
users is using an app on a phone?

Most, if not all, mobile devices connected to cellular already have that option. On
my iphone it's under settings->notifications->government alerts. There are three
separate options: Amber alerts, Emergency alerts, and Public Safety alerts.

I wonder if that is wired in with the earthquake alerts i think you can get these days.

Personally, I have all three turned off after receiving nonsens alerts. Amber alerts
for children abducted in Los Angeles, only 600km (~450 miles) from the Bay Area,
where I live, for example. Or a "public safety" alert telling me that there are
too many people in the local Trader Joe's, 2 miles from my home.

Aliens always invade New York, so I'm safe up here

I beg your pardon, they have a bizarre fascination with Golden Gate Bridge. It's the oversized monkeys that like New York.

Mike

I do hope that they consider the certainty that this will be subjected
to abuse the moment it goes live.

---rsk

I think the challenge here is that there’s a category of people
who don’t have cell phones, who don’t have cable TV, but
receive content over their internet connection. I happen to
live with someone like that, so I know it’s a non-zero portion
of the population.

For them, cell based alerts don’t reach them, and cable TV
inserted alerts don’t reach them.

Thus, the question of “can we reach them via IP-based
alerting?”

I think it’s a good investigation to undertake, as there’s
clearly a population that is left out of the current alerting
systems we have in place.

Matt

Emergency alerts are also on OTA TV (and radio), not just cable. People whose sole communications device is a computer can subscribe to FEMA'S IPAWS feed. People who can't (or don't want to) do that can use a weather radio (despite the name, NWS broadcasts all hazards alerts, not just weather). The most likely answer to "how do we get streaming services to provide emergency alerts?" is to make them redistribute the IPAWS feed and update their software to make the updates human-readable. It would probably be cheaper to just tell people where to find free IPAWS software instead of making every streaming service add the feature, and, as a last resort, give people who need them free weather radios.

The FEMA IPAWS system doesn’t seem well-suited for end-users to
subscribe to it. Of note is the specific restriction:

• Providers cannot stress IPAWS servers with excessive requests.

Which might hint that the FEMA servers aren’t intended to support
hundreds of thousands of individuals connecting directly to them
to request alert data.

It doesn’t look like there’s currently any internet-capable way of
consuming the IPAWS feed, at least that a quick search engine
dive turns up. Wondering if any of the folks here know of providers
that have signed up with FEMA to redistribute the IPAWS feed
for free? (Yes, I found WeatherMessage, but their pricing and
platform restrictions made them a non-starter).

Thanks!

Matt

That's a good point, though I still say a better solution is to improve the server capacity, put out apps for major platforms, and an API so smaller platforms can use it too. Making every streaming service do it is not a great way to do redundancy.

Sean Donelan wrote:

the Commission shall complete an
inquiry to examine the feasibility of updating the Emergency
Alert System to enable or improve alerts to consumers provided
through the internet, including through streaming services.

It is trivially easy to have a dedicated UDP port to receive
broadcast packets for such purposes, as "through streaming
services" is not the requirement.

but "including" is...

And I don't see that opening up a UDP port on every end-user device to receive some sort of broadcast (unicast?) is going to be great security. Someone will find away to exploit it.

As streaming services are often offered from distant places
including foreign locations, generations of emergency alert
packets *MUST* be responsibility of *LOCAL* ISPs.

A problem is that home routers may filter the broadcast
packets from ISPs, but the routers may be upgraded or
some device to snoop the alert packets may be placed between
ISPs and the routers.

I think you're overthinking this.

In my mind it's simple. The streaming companies need to have a channel within their streaming system to get a message to a 'currently active customer' (emergency popup notification that appears when their app is open or their website is active with an authenticated user). The streaming company will also know the location of their customer (billing information) so will know what geographic locations are relevant to that customer.

Local Authorities can feed emergency broadcast information to the streaming companies tagged with a geolocation and the streaming company will only rebroadcast it to those customers who are interested in that geolocation.

Providing for network-layer alerts of this nature is overcomplicated and unnecessary - as was pointed out there are existing means to do this (cellphone emergency broadcasts, weather radio service, etc) and the intent appears to be to simply add another channel for those who might not be able to receive the other. Asking the likes of Netflix to be able to channel an brief emergency notifcation across a relevantly-located customers streaming service doesn't actually seem that complex, and because it's all 'in band' it requires no specific intervention from the underlying network operator.

Mark.

Let's just go back to air-raid sirens.

I'm old enough to remember when they were tested every day at noon,
which also told you it was noon (lunch!)

We'd say heaven help us if The Enemy attacked at noon.

From: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
To: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Cc: nanog@nanog.org

How would that even work? Force a pop up into web traffic?

That's not going to play nicely at all in a world of https://

What if the end users is using an app on a phone?

I'm having a hard time thinking of what app I could *possibly* be using on a
phone where I wouldn't want an interruption for a tornado or active shooter
alert.

This would probably -- on phones, at least -- involve tightening up the deployment
of CMAS/WEA, and the apps that catch it, which are pretty crappy right now; at least
the one on my LG-V20 is.

This was discussed in detail a while ago - I'm pretty sure the general
consensus was that having the phone/game console/smart home control center/
whatever would be running an alert endpoint app that would talk to the ISP/
cellphone tower and register for alerts and then DTRT to notify the relevant
carbon-based life forms.

Yeah, I designed most of this about 10 years ago, and couldn't figure out
where to wedge it in.

Cheers,
-- jra

From: "Masataka Ohta" <mohta@necom830.hpcl.titech.ac.jp>
To: nanog@nanog.org

Sean Donelan wrote:

the Commission shall complete an
inquiry to examine the feasibility of updating the Emergency
Alert System to enable or improve alerts to consumers provided
through the internet, including through streaming services.

It is trivially easy to have a dedicated UDP port to receive
broadcast packets for such purposes, as "through streaming
services" is not the requirement.

Though, sadly, 911/udp is taken, and by someone who may not exist
anymore.

Who owns the <1024 post list these days, IANA?

As streaming services are often offered from distant places
including foreign locations, generations of emergency alert
packets *MUST* be responsibility of *LOCAL* ISPs.

A problem is that home routers may filter the broadcast
packets from ISPs, but the routers may be upgraded or
some device to snoop the alert packets may be placed between
ISPs and the routers.

Yup; it's messy, and in many many different ways. Won't be a snapshot
rollout. Not a bad idea, though, if implemented correctly; time to dig
out my notes, I guess.

Cheers,
-- jra

Yeah: This is probably best done by either requiring the streaming services to
know where their customers' location is and relay a copy of any pertinent data
to end users through their applications or to web browsers through headers,
Or by having native software included with the OS on internet-connected devices
to query a region-specific URL at a regular interval.

This is much fewer packets if the data can be transferred over the headers of
HTTPS connections which applications on end devices already make to
various websites.

The UDP port method is inefficient, at least if meet the requirements
that would seem reasonable for emergency alert distribution on streaming
devices (much the same as for other media...).

1. There should never be extra steps from an end user to "activate"
emergency alerts -
except steps which the device enforces must be done, before any
content can be played.
Notions such as computer users choosing to subscribe to IPAWS fail,
at least, until
some mechanism enforces that they do so.

2. If the device is able to view content, then emergency alerts must
be working.
The function to play alerts should not be able to be disabled and
should resist tampering.
If either an alert has been received, or emergency alerts would not be able to
be received, then the normal play of content must be interrupted - the ability
to access content should be disabled and be not allowed by the device's
application or operating system until after it can be confirmed that all alerts
have been fully played, or the error has been corrected.

Problem is that UDP packets to X port could be easily intercepted and dropped by
devices such as firewalls. Merely broadcasting the UDP port during an alert
would not be enough, then; it would call for a regular broadcast to
this port by
every ISP to every user every few minutes, even when there are no
alerts to relay.

That would seem to be necessary for devices to be able to verify that
alerts would
be working and are not being tampered or interfered with. Devices would need
to be designed to verify the latest UDP broadcast has been received
and Self-Disable
with an error message if too much time has passed with no update
packet on that port;
some type of crypto system would also be needed to verify that messages are
authentic, and have not been forged, replayed, or altered.

The regular UDP broadcast could not be only during an emergency, then, it
would need to be every few minutes, otherwise the devices would have no way
of ensuring their ability to receive alerts - that's a massive number
of UDP messages
to consider..

I’ve already had to spike one widely announced WAN UDP protocol that someone had proposed without thinking through security and DDOS features. Please don’t let’s try that trick again.

We have perfectly good approaches that don’t involve insecure untraceable transport layers. This isn’t 1985. TCP and something SSL encrypted - HTTPS comes to mind, even if it gets its own port (11911 is available…).

-george