As for blocking addresses using BGP routing, unlikely. Modifying route tables on routers to block sites is like using a sledge hammer to crack open a nut. Too dangerous and unnecessary. The Pakistan guys cited in the example didn’t have a filtering system in place so tried to be a bit cute. Standard ACL modifications would have been a better option. You only change route tables on routers if absolutely necessary, and a smart admin always leaves themselves a back door (for the very reason that it is always the admin who has to get in the car at 2 AM to go onsite and fix the issue)

System Engineers will always be able to communicate/config the routers (unless the router is without power)

Yes, routers are usually configured using a browser. But they never use Port 80 (the http port). Usually there is a vender allocated system port that is utilised that allows the Comms Engineer to log in and view/edit the configuration of the router remotely.

So even if the blacklist was stopping all port traffic on Port 80 (http) and 443 (the https port), the admin can still fix the router remotely by using port 1567 (or equivalent)

As for the black list being encrypted, unlikey. If you think checking the blacklist every time someone tries to connect to a URL is going to be slow, it will be really slow if you add the decrypting process. Plus you would have to give the decryption key to the ISP Admins anyway so they can configure the router to decrypt the list

There are lots of reasons why the filtering should not go ahead but these aren’t the reasons. Personally, I just think the fact that by using a oversea’s proxy (remote computer which acts as a relay to grab content, which any 15 year old kid know how to configure in IE), the filter will be bypassed makes the whole exercise a bit of a waste of money. The blacklist could try to block these proxys as well, but there are thousands of them and they will never get them all. Makes it harder to track the real criminals on the web as well as these proxy’s hide the true IP address of the bad guy’s computer.

Scott, why would the blacklist only apply to ports 80 and 443? HTTP servers can be run on almost any port, and surely the evildoers will think to host their forbidden content on, say, port 81…

The second tier, which is opt-in, opt-out or whatever Conroy says at the time, which seems to depend on which way the winds of criticism are blowing that week, might well be a commercially-available list — but we simply don’t know because the entire process is backwards. Instead of having a clear policy and saying “block this”, we have random tests of whatever gets put forward, and presumably we’ll see a policy built from that which will whatever is easiest to sell politically at the time.

Does anyone think this is a sensible way to run anything?

This entire internet filtering “policy” is an episode of “The Hollowmen” writ large, but with poorer editing.

CH raises a god point, too. Fast Flux techniques can flip the hidden nasties around the internet in minutes. ACMA’s bureaucracy will take… how long to catch up?

The joke is that politicians, who can barely use a computer at all, are trying to decide how to block internet traffic and argue with network engineers wiht 20 years’ experience. Look up “Dunning-Kruger Effect” some time: thisis a classic example.

To: minister@dbcde.gov.au
Subject: internet censorship

Dear Minister Conroy

You have responded to my email with a long letter. I quote from page one:

‘Freedom of speech is fundamentally important in a democratic society. For may years however, most Australians have accepted that there is some material which is not acceptable, particularly for children.’

Minister, I am over fifty years old and I have no children. I DO NOT accept that limiting MY choices about what I see/read in my home is an acceptable way of policing what children see/read elsewhere. As for what is acceptable for adults like me, I can make that decision myself. I can, for example, configure Google to ensure that I’m not fed results I am not comfortable with. I can also decide whether a photo of an aborted foetus is what I want to look at (there are legitimate reasons why I might want to).

Please do not send me another multi-page explanation (I’m sure your public servants have better things to do than send me replies). Please just take my views into account.

Yours sincerely

Hopefully the absurdness of implementing the filter will ultimately sink it.

I wish I could agree (I _SINCERELY_ WISH I could agree with you. Unfortunately I have two problems with your statement:

1) In too many instances routers in critical parts of network infrastucture do NOT have out-of-band management, even HTTP services on non-standard ports. (As an asside, very few large commercial networks allow web-based managemend of routers - command line & configuration-management-systems are usually the go.)

2) The problem that Stilgherrian is stating is one where the core routing table is being modified. _IF_ the trials were only inspecting HTTP web traffic, then your point would be valid. The trials have, however, been expanded to include IM and P2P services. Implementing these would require the parsing off ALL traffic to the affected IP addresses. Not just HTTP traffic.

At this point, the scope of the problem becomes much larger - because the policy routing simply diverts ALL traffic to marked addresses to the filtering box.

Nasty things can now happen.

And this leaves asside all the questions about IP Address to URL mapping & anyone using malware hiding techniques (see http://en.wikipedia.org/wiki/Fast_flux for an example)

That actually reinforces my argument: Google’s list is totally within their control. The ACMA blacklist will be supplied by ACMA and then implemented by the filter vendors in “black boxes” over which the ISPs themselves have no direct control. That adds yet another layer of communication and coordination, i.e. another slowdown and another place where mistakes can happen.

While systems administrators don’t connect to the routers using HTTP on port 80, they do still need to connect remotely somehow. If the routing tables get screwed up then even the BGP packets won’t get through.