North American Network Operators Group

RE: YouTube IP Hijacking

  • From: Steve Gibbard
  • Date: Tue Feb 26 15:19:10 2008

On Tue, 26 Feb 2008, Tomas L. Byrnes wrote:

(first quoting Dave Pooser -- quote order changed by scg)
> > At the risk of being a stereotypical American liberal, I'll
> > point out two significant reasons flying is safer than it
> > used to be in the US are Federal regulation and post-accident
> > lawsuits. If there were an organization like the FAA that had
> > the power to "ground" AS17557 until their network engineers
> > completed a week's refresher course, there'd be significantly
> > better change management techniques in play. If YouTube were
> > currently suing Pakistani Telecom for eighty-seven gazillion
> > dollars-- and were widely considered a lock to win their
> > lawsuit-- suddenly a whole lot of other ISPs would magically
> > find the training budget to make sure THEIR engineers didn't
> > expose THEM to that sort of liability.

> Since the US has no jurisdiction over 17557, other than for the US govt. to force ISPs to refuse to accept any advertisements with 17557 or any other AS that didn't meet some regulatory requirements in the path, how would you propose that the regulatory environment you envision work?
>
> American Airlines isn't the right straw-man here, Pakistan International
> Airlines is. The only reason THEY meet anyone else's standards is that
> they wouldn't be allowed to use the airspace or land if they didn't.

I sent Tomas some private mail complaining about some of the things he was posting yesterday, but I think Dave's posting was spot on and Tomas's follow-up is adding an important point.

As far as I can piece together from what's been reported and argued here, there were three responsible parties: The Pakistani Government who ordered YouTube blocked, Pakistan Telecom who implemented a lawful order but overshot their government's jurisdiction, and PCCW who accepted the announcements and passed them on to the world.

From a technical perspective, this is pretty cut and dried. Networks should be careful what they announce, but sometimes aren't. Upstream providers should be careful what they accept, but sometimes aren't. Systems and policies to improve filtering sometimes cause more problems than they solve, especially when relying on a central source for authentication, and those costs are borne by the party trying to be responsible. Intentional leaks are harder to guard against than unintentional ones. Those hit hard by route leaks generally aren't the party responsible for the leak, so incentives to be careful are lacking.

But this case also brings up a bunch of interesting policy and legal questions, which I'm less or not at all qualified to answer.

This was a legally required routing announcement in Pakistan, and there was presumably a desire that other Pakistani ISPs be able to see the announcement. What if any responsibility do those following a lawful order have to keep the results of that order from being seen outside of their government's jurisdiction?

What legal responsibility did PCCW have here, and in what countries? Given that they've got network infrastructure in the United States and around the world, they're presumably vulnerable to lawsuits in the US and elsewhere if Hong Kong law isn't sufficient.

How will Google respond? Route leaks happen from time to time. Usually they're of relatively little consequence, and people clean them up and get back to work. I don't know how much revenue YouTube brings in over the course of a couple of hours, but it wouldn't surprise me if they could claim to have lost millions of dollars. PCCW has deep pockets, and Google has lots of lawyers. Will Google sue? If not, will it be because they think they don't have a case, because they value other relationships they have with PCCW, or because they're worried about establishing a precedent that would make them liable for their own engineers' errors?

If Google did sue, would that lead to some BGP certification requirements for ISPs to get liability insurance? If such an insurance requirement didn't affect ISPs like Pakistan Telecom, would having it become a requirement for the international ISPs that tend to provide international transit be sufficient?

(And then, of course, the really scary questions: What would such a certification process look like, and how many of us would be able to pass?)
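
The filtering point in the message above ("Upstream providers should be careful what they accept"), as an added example that is not part of the original post: a per-customer prefix allow-list check of the kind an upstream can apply to announcements received on a customer BGP session. AS17557 comes from the thread; AS64500, the prefixes (documentation ranges), the allow-list contents and the function name are assumptions constructed for illustration.

```python
import ipaddress

# Constructed allow-list: for each customer AS, the prefixes it has registered
# with the upstream and the longest prefix length the upstream will accept.
# Prefixes are RFC 5737 documentation ranges, not real allocations.
CUSTOMER_FILTERS = {
    17557: [("192.0.2.0/24", 24)],
}

def check_announcement(customer_as, prefix, as_path):
    """Return (accepted, reason) for a route received on a customer session."""
    net = ipaddress.ip_network(prefix)
    # The neighbour on this session must be the first AS in the path.
    if not as_path or as_path[0] != customer_as:
        return (False, "AS path does not start with the customer AS")
    for registered, max_len in CUSTOMER_FILTERS.get(customer_as, []):
        allowed = ipaddress.ip_network(registered)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if net.version == allowed.version and net.subnet_of(allowed):
            if net.prefixlen <= max_len:
                return (True, "accepted")
            return (False, "more specific than the registered maximum length")
    # Default deny: anything the customer has not registered is dropped here,
    # so it is never passed on to the upstream's other peers.
    return (False, "prefix not registered to this customer")

if __name__ == "__main__":
    # Constructed announcements, all arriving on the AS17557 customer session.
    samples = [
        ("192.0.2.0/24", [17557]),        # customer's own registered prefix
        ("192.0.2.0/25", [17557]),        # own space, but too specific
        ("203.0.113.128/25", [17557]),    # more-specific of another network's /24
        ("192.0.2.0/24", [64500, 17557]), # path does not begin with the neighbour
    ]
    for prefix, path in samples:
        ok, reason = check_announcement(17557, prefix, path)
        print(f"{prefix:<20} path={path} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The third sample is the case that matters for a leak like this one: a more-specific route for address space the customer never registered is rejected at the first upstream instead of being propagated.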