[AusNOG] Happy new year / New rules for age-restricted internet and mobile content after the 20th of January 2008

Matthew Moyle-Croft mmc at internode.com.au
Fri Jan 4 18:15:04 EST 2008


Bevan Slattery wrote:
>
> 'nogers,
>
>
> So, we'd need to do it ourselves - which would mean a high upfront 
> cost and added network complexity.   
>
>  
>
> If there is no vendor lock-in then it probably won't be as bad as 
> people make it out.  Anyone who has ever deployed a cache/proxy can 
> run a blacklist.  We ported our system across to the Cisco Cache 
> Engine and PIX line-up as well as others so it seamlessly intercepted 
> traffic without much configuration at all.  From memory they actually 
> ported it directly to the Cisco routers and even certain switches via 
> IOS after I left so you can push it from the router (yes the router 
> version probably runs like a dog, but that's Cisco for you).  Remote 
> updates yadda yadda yadda.  Same applied to squid (although had some 
> threading issues which limited bandwidth throughput -- which I believe 
> are largely resolved).  If they push out a http/ftp blacklist then 
> there are plenty of devices that it can work with without much fuss.
>
We've just ditched the last proxy because they didn't perform well 
enough for the traffic volumes, plus WCCP on a number of platforms Cisco 
makes sucks - as well as keeping 5-10000 IPs in an ACL burns some of the 
hardware space on the line cards quickly. Otherwise we'd have to buy 
all these DPI boxes which are expensive and evil. It also burns space 
in racks, and STILL adds complexity. Cripes - we'd need around 25 
caches (assuming they could each handle 1Gbps) given 11 DSL POPs, 
two per POP for redundancy (plus a few extra in Adelaide) and a lab one.

Bevan, you're not actually helping by trying to dismiss our problem as 
trivial.   So, I'm not quite sure who you're trying to impress other 
than Conroy (almost said Coonan).
>
>  
>
> One big caveat is that this is on the basis that the government must 
> provide the list of sites directly to ISPs so they can inject them 
> into their own system.  There is no vendor lock-in.  If they do a 
> vendor lock-in, then all bets are off.  It is the government's 
> responsibility to provide the list and if there is a mandated system 
> then they should also provide the solution **and** pay for it.  A real 
> issue here is that when the government gets their list out it will be 
> embarrassing and shot down in flames as being grossly inadequate.  God 
> knows what will happen then.  It will be a complete joke and the same 
> filtering principles will apply (filter on the home PCs and parent 
> supervision).  Of course another caveat is that in the instance 
> that they expand it to beyond http.
>
>  
>
> As for filtering peered traffic, if it is peered in Australia (say 
> PIPE), then R rated content is not allowed to be hosted in this 
> country anyway, so Australia's content should largely be pre-filtered 
> for [hardcore] porn via take-down notices.  Even if those interfaces 
> had to be filtered it's still not a killer.
>
So, I see no non-Oz prefixes via PIPE?   Bzzt.   I see a number of 
non-Oz prefixes via PIPE and other peering in Oz.

MMC

>  
>
> Cheers
>
>  
>
> [b]
>
>  
>
> PS:  I understand that the larger boys may have to deploy these 
> devices in each state.
>
