About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it being necessary to somewhere express my personal view on things. This is the location where that happens. Postings on this blog, or at Facebook, Twitter etc, falls under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

Fiberanslutning till hemmet

Många får erbjudande om att bli anslutna med fiber till den fastighet där de bor. Erbjudandet innebär oftast att man genom att man betalar en avgift får fiber ansluten och att det via denna fiber levereras ett antal tjänster. De olika leverantörerna försöker bräcka varandra vad gäller olika tjänsteutbud när oavsett hur intressant och viktigt det är också är viktigt att veta hur fibern kan användas. Tex efter det att man sagt upp de tjänster man vid den tidpunkten tycker är trista eller dyra eller både och. Eller när man vill ha en Internetaccess med lite annorlunda karaktäristik som kan levereras pga att leverantören (som har monopol på att lysa i fibern) inte kan erbjuda det.

Exempel på det senare är tex det som syns i anmälan till Konkurrensverket där Bahnhof och Skanova tillsammans anmälde Sundbybergs Stadsnät för att Bahnhof som Internterleverantör i Stadsnätet inte kunde leverera IPv6 och inte heller mer än 1GBps. Ett fall som Konkurrensverket lade ner. Flera andra monopolister i form av tillhandahållare av Stadsnät har liknande problem, även om slutkund kan välja mellan olika tjänster i dessa s.k. öppna nät.

Det som därför är viktigt, förutom tjänsteutbudet, är vilka villkor som gäller för fiberanslutningen. Det är ändå fastighetsägaren (i varje fall för småhus, villor) som gör en substantiell investering i fiberanslutning till en fastighet, en anslutning som bör kunna användas i tjugo- trettio år eller mer.

Här är en lista på frågor som jag anser att man ska kunna fråga och den som vill installera fiber bör kunna svara på dem, skriftligen. Och genom att jämföra svaren på dessa frågor kan man se vilken fibertillhandahållare som är bäst.

Installation:

  • Var är noden där aktiv utrustning kan placeras i andra änden?

    Det är bra att känna till var noden finns. Ju längre bort desto större risk det blir problem med fibern. Men, ju större noden är (ju fler fastigheter kopplade till samma nod) desto billigare för operatör att producera tjänster.

  • Är fibern svetsad hela vägen, eller är den patchad?

    Det är bättre kvalitet om den är svetsad, dvs utan skarvar. Men det behöver inte vara dåligt att den är patchad, dvs skarvad.

  • Om den är patchad, var?

    Återigen, bra att veta.

  • Hur många fiber dras?

    Det är bra om det finns fiber som inte används. Dels kan någon gå sönder, dels kan man vilja använda dubbelt den dagen man ska byta operatör som lyser i fibern.

  • Vilken typ av fiber?

    Här kan svaret vara ganska olika. Olika antal fiber, olika förläggningstrknik. Annat än single mode är fel.

  • Om ni använder fibern för att leverera tjänster till mig, hur många fiber använder ni?

    Det går att lysa åt båda hållen på olika frekvenser (olika färg) i samma fiber, dvs enbart en används. Man kan också använda två (en åt varje håll), ibland går tv i separata fiber. Ju fler som används desto färre i reserv.

  • Om det är draget fler än en fiber, är de dragna i samma kanalisation hela vägen, eller finns det diversitet?

    Om de olika fibrerna går olika vägar kan tex en grävskopa i samma tugga inte kapa alla fiber. Detta kan tex fixad med patchar här och var vilket för att reparation är enklare.

  • Om det finns diversitet, hur är den byggd?

    Se ovan.

  • Kommer mätprotokoll delges mig?

    I en fiber lyser man med laser. Ju mer ljus som kommer igenom desto bättre fiber (mindre dämpning). Varje skarv (oavsett om den svetsas eller patchas) dämpar. Om fibern från början är dålig kanske den måste bytas tidigare efter reparationer än en bra fiber. Man vill alltså se hur bra ens fiber är.

    Det är bra om man mäter i båda riktningar och på flera frekvenser (flera färger), speciellt om enbart en fiber används.

  • Om något sker som teoretisk kan förändra dämpningen i fibern, kommer fiberägaren automatiskt mäta om fibern?

    Det är bra om man alltid har tillgång till aktuellt mätprotokoll. Dämpning mäts i dB, och den skall vara så låg som möjligt.

  • Om fibern mäts om, innebär det någon kostnad för mig som fastighetsägare?

    Om man måste betala för att få fibern mätt är det bra att veta. Vissa installatörer ger protokoll gratis, som del av installationen.

  • Om det behövs fler fibrer, kan de installeras i ny eller samma kanalisation?

    Om man behöver fler fibrer än det som installerats är det bra om man kan installera fler i kanalisationen utan att gräva upp marken igen.

Avtal:

  • Vilken livstid beräknas fibern ha?

    Lite trick-fråga men hänger ihop med följdfrågorna. 25 år ska vara ok och kunna diskuteras. Minst.

  • Kan ni erbjuda ett avtal för fibern skilt från avtal för de tjänster som erbjuds?

    Naturligtvis är det bättre om detta går.

  • Vilka skulle avtalsparterna vara?

    Antagligen fiberägaren (vem det nu är) och fastighetsägaren. Dvs potentiellt varken den part som lyser i fibern eller den som bor i fastigheten.

  • Vilken avtalstid kan jag som fastighetsägare ha med fiberägaren för att garantera villkor för fibern under fiberns livstid?

    Gärna samma antal år som diskuterad ovan. Eller 5 år med automatisk förlängning “så länge fibern fungerar”.

  • Kan några av de punkter här, eller andra, inkluderas i ett sådant avtal?

    Ju fler desto bättre.

  • Vilka villkor finns mellan mig som fastighetsägare och fiberägaren, i ett potentiellt separat avtal respektive i det avtal ni nu erbjuder mig?

    Bra att veta, eller hur?

Användning:

  • Om det går, vad kostar det att hyra svartfiber i accessnätet av idag?

    Pris i Sverige ligger mellan 70 och 150kr/fastighet/mån. Ju lägre desto bättre. Detta betalar alltså den som levererar tjänster, och priset bör vara lika för alla.

  • Om det går, vem hyr man i så fall svartfiber av?

    Antagligen ägaren av fibern.

  • Vad kostar det idag att hyra in sig med utrustning i den nod där fibern termineras?

    Ska förhoppningsvis vara inkluderad i priset för hyra av fiber.

  • Om några hyr svartfiber i detta området, vilka är det?

    Det är bra om det finns fler än en, för då kan man som slutkund välja mellan fler än ett alternativ redan nu.

  • Om några hyr svartfiber, är det mellan noder eller också accessnät som hyrs och hyrs ut?

    Det är ganska vanligt att hyra fiber mellan noder (för pris/meter) men mindre vanligt att hyra i accessnät (för pris/hushåll).

Underhåll:

  • Kommer fibern finnas i något kartsystem?

    Detta är absolut nödvändigt. Se nedan.

  • Om så är fallet, vilket eller vilka?

    Det bästa är i fiberägaren, i kommunens och i det system som kallas Caesar.

  • Om någon begär utmärkning av kanalisation, vem märker ut kabeln på respektive utanför min fastighet?

    Det ska fiberägaren göra, oavsett om det är på fastigheten eller inte.

  • Vad innebär begäran av utmärkning för kostnader?

    Detta är bra att veta, för det ska läggas till ev kostnad för grävningsarbete i framtiden. En del gör det gratis.

  • Om fibern går av på respektive utanför min fastighet, vart ska den felanmälas?

    Detta är bra att veta, och man vill inte det är annorlunda process beroende på var fibern gått av. Man vill fiberägaren tar helhetsansvar till s.k. odf i byggnaden där fibern terminernas. Möjligtvis med motkrav som ska vara kända.

  • Hur snabbt repareras en fysisk skada på fibern efter en felanmälan på respektive utanför min fastighet?

    Bra att veta. Ju lägre desto bättre. Och som ovan ingen skillnad beroende på var fibern är trasig.

  • Om fibern blir avgrävd (eller på annat sätt skadas) av tredje part, vilka blir parter i en tvist vad gäller ersättning på respektive utanför min fastighet?

    Detta vill man ska vara mellan fiberägaren och tredje part. Inte fastighetsägaren.

  • Om jag vill termineringspunkt på min fastighet skall flyttas, hur långt i förväg skall det anmälas, vilka möjligheter till detta finns efter installation och vad kostar det?

    Detta ska vara känt. Man måste räkna med att behöva göra någon ändring under fiberns livslängd. Se också ovan om skarvning och dämpning.

  • Om ni aktiverar fibern, vilken övervakning finns det?

    Det är bra om det upptäcks om fibern inte fungerar som avsett, utan att man felanmäler.

Mailman and HTTPS

So Frobbit! this last weekend started to use HTTPS “all over the place” thanks to Let’s Encrypt. The launch will be gradual because there are so many software packages that are completely broken in design, have bugs, errors, do not use proper libraries, tries to do things on their own, do not follow RFCs and what not.

One such package is Mailman (don’t even get me started on WordPress).

The important information can be found here.

Note that you must do the following if you have multiple virtual domains (as Frobbit! has):

# $prefix/bin/withlist -l -r fix_url listname -u list_web_domain

Because of this, when running hundreds of mailing lists in tons of domains, the following is what can make your day simpler (on Debian, adjust paths accordingly):

# for i in `grep unsubscribe /var/lib/mailman/data/virtual-mailman | awk '{ print $1 }'`; do
     echo $i
     A=`echo $i | sed 's/-unsubscribe.*$//'`
     B=`echo $i | sed 's/^.*@//'`
     withlist -l -r fix_url $A -u $B
  done

How I run email – Updated version

I have earlier described how I manage my email. That was a kind of abstract description, so let me explain again, this time with explicit examples from my use of the excellent email client MailMate on Mac.

To start with, I use IMAP and sort email in different mailboxes. The filters are updated with the help of Sieve. The implementation of a Sieve client I use is RoundCube in turn implemented as a WebMail client at my Email Hosting provider Frobbit!. As the filtering is not really interesting for this posting, I am not diving into that here.

I also use a few different email accounts. One for private email, one for work, and one archive. The interesting thing is the archive. My goal is to in the archive store all email that is more than one year old in one mailbox per month. This limits the number of “active” email to a small portion of all email I use, and specifically limits the number of email messages per mailbox.

 

Screen Shot 2016-02-10 at 08.26.14

Here is what the list of mailboxes look like. The blue folders are real IMAP folders while the purple ones are virtual mailboxes. The virtual mailboxes are created with the help of rules. If I try to first describe the flow of messages, it is like this:

 

 

email-flow

Incoming mail is filtered via anti spam filters and filters that place email in various mailboxes. For example it is common I use one mailbox per email mailing list. I use Sieve as the language to control the filters on the server, and the Sieve client is the RoundCube web interface.

I have email in multiple IMAP accounts, and archiving is to one specific IMAP account. Because of this, the virtual mailbox with Mail last year is only based on mailboxes. There are no “Conditions”.

Screen Shot 2016-02-10 at 20.02.20

On the other hand, what is more important is the virtual mailbox that selects the subset of this not archived email. It selects email messages from the virtual mailbox called Mail last year (which in reality is not the mail last year, but all email not being archived) that I believe is important. The settings are in both Mailboxes and Conditions.

Condition important mail

The Conditions section is much more interesting:

important-mail

I have hidden some data I can not share, but I hope the information is clear enough.

The selection consists of two parts. Both must be True for the mail to be classified as Important, and because of that visible in this virtual mailbox. The first selection say that none of the tests must be true, and the tests are simply email addresses that I think send non-interesting mail. The second say that any of the requirements must be true, and that is a list of whitelist email addresses. Both can of course include senders and receivers as you can see.

From this mailbox I then select Unread email, and this mailbox with Unread Important is what I work with. All the time. That mailbox just must be empty. I either resolve issues immediately, or mark the email as Flagged.

I have a specific other virtual mailbox that include all Flagged messages:

Screen Shot 2016-02-10 at 20.58.00

This virtual mailbox include all tasks, i.e. my Todo list. Yeah, that should be empty, but is not…

There is one more virtual mailbox I want to describe, and that is the one with email messages that are to be archived.

First I select messages from the Mail last year mailbox:

Screen Shot 2016-02-10 at 21.01.08

Then I select messages that are not flagged, and older than a year (i.e. that should not be there):

Screen Shot 2016-02-10 at 21.01.14

And finally, I create sub mailboxes named in the form YYYY-MM:

Screen Shot 2016-02-10 at 21.00.28

And the result is…well…so that it is easy to act on it. Yes, I could have actions as well, but I have decided to move messages manually into the archive. I normally do that about once every month. As you can see below, I have 4929 email messages that should be filed into the Archive mailbox named 2015-02:

Screen Shot 2016-02-10 at 21.00.05

I hope that explains a bit on how one can (I do) manage my email, which to summarize include:

  1. Receive email
  2. Filter away as much spam as possible
  3. Sort into mailboxes
  4. Select messages I think are important
  5. Go through the unread important messages
  6. Flag messages or act and mark read
  7. Keep virtual folder with unread important messages empty
  8. Go through other unread messages when there is time
  9. Use the virtual mailbox with flagged messages as a Todo List
  10. Archive all old email that is not flagged

Blocking the Internet is a dangerous path for Sweden

Today Feb 7, 2016, I am together with Anders Ahlqvist, Swedish Police, and Jon Karlung, CEO of the ISP Bahnhof, writing an article in Swedish on why blocking is the wrong path forward. You can find the article in Swedish here, and below a translation to English made by myself.

The proposal on blocking IP addresses has more explosive power than the government realizes. Development in that direction could lead us in the direction of censorship of the Internet that prevails in countries like Turkey. Moreover, the tactic is counterproductive when it comes to law enforcement, writes Anders Ahlqvist, Swedish Police, Patrik Fältström, Netnod, and Jon Karlung, Bahnhof.

DEBATE | INTERNET

Anyone who takes out his smartphone in Turkey to go in to Twitter sometimes occasionally end up in a void. The site is out there, but the internet provider has blocked access on the orders of the government. Could something like that happen in Sweden?

Not today. The free world does not apply the statutory censorship of the internet, or as it is called in the jargon: the blocking of IP addresses. To communicate freely is not only a human right – it characterizes a prosperous and open society. Illegal content is fought today through targeted action against the actor, not the blocking of internet traffic.

But the road to hell is, as you know, bordered by both good intentions and unnoticed investigations. The government decided at the meeting of 24 September 2015 to appoint a committee, “Re-regulation of the gaming market” (Dir. 2015:95), where the investigator was commissioned to find a model for a new licensing system.

The background is of course the relationship between the state, public health and the loss of tax revenue as far as gambling outside Sweden entails. The directives for the investigation is stating that “anyone who acts in the Swedish gaming market will do it with the competent state, and actors without permission to be shut out.” It is important to think about what this means in practice.

The key words here are “… the parties without permission are to be locked out.” Or, as the investigator Håkan Hallstedt wrote in an e-mail to the Internet operator Bahnhof: “As in the last investigation about gaming in 2008, the question of IP blocking is brought up again.

The three of us who sign this Article have different views on many IT issues, such as the current data retention directive and management of user data. The Police and Bahnhof has even had major conflicts. But this is precisely why we have chosen to join together and warn of the path that the investigation, based on the directions from the government, seems to take. First the target would be foreign gambling sites, but who knows which pages on the Internet are to be blocked the next time? There is an obvious risk that new applications are constantly proposed and that the blocking is expanded.

The fact is also that the tactic of blocking IP addresses is not only wrong in principle but often ineffective and at worst counterproductive. Many regular users learn to react in the same way as when the resistance movements in dictatorships resort to technological means to get around the digital barriers: through encryption and so-called VPN services for anonymous surfing.

Blocking sites can be compared to holding up a curtain in front of something a person does not want to know of. But the material is still there. The only way to stop the services and information is at the source, to suspend the service or remove the illegal content. This means in practice to strike at the servers where the material is.

We could otherwise get the worst of both worlds, where we opened Pandora’s box regarding blocking of the Internet while many users still can reach out to illegal material. This has also been pointed out by both the National Post and Telecom Agency in a consultation response the last time the proposal on IP blocking was up, and by the ICANN Security and Stability Advisory Committee in its document SAC 050. Blocking the Internet is a desktop product that does not give the desired effect.

In order to maintain its leading role as an IT nation, Sweden needs to retain the view that a free Internet is a fundamental right. The police should also get the right resources to fight crime for real, rather than to hold up a curtain in front of the information we do not want to see. Operators shall ensure that the data traffic moving – not to be the state’s gatekeepers.

We are convinced that it is possible to find effective tools that provide the ability to prosecute crimes. To actually stop illegal content we need cooperation and the ability to move information between operators and the police, and do so in an efficient, reliable and secure manner. Because the Internet is global, we also need to strengthen cooperation across borders. Here, efficiency, accuracy and type of crime investigated must always be balanced against the fundamental rights of privacy and freedom of expression.

Let us not go down the same dangerous road that Turkey and other authoritarian states have done. Do not build a digital version of the Chinese wall around Sweden!

Patrik Fältström
Netnod

Anders Ahlqvist
Detective Superintendent, National Operations Department

Jon Karlung
CEO Bahnhof

Felaktigt beslut om incidentrapportering?

Idag beskrivs i Svenska Dagbladet i en artikel det beslut som förväntas i Riksdagen relaterat till incidentrapportering.

Låt mig vara tydlig: Jag tycker med min nu 30-åriga erfarenhet av att driva Internet operativt att Regeringen inte tänkt riktigt rätt.

Först måste man bestämma och förklara VAD man vill ska hända, vad ska göras av “den centrala organisationen som ska hjälpa till”.

Sedan kan man förklara varför man behöver viss information för att göra det man ska göra.

Här har man inte gjort någondera. Förutom att berätta att “allt ska bli bra bara det rapporteras saker”. Jasså, hurdå?

Vad gäller den första frågan är svaret inte så svårt. Vi behöver olika typer av hjälp före, under och efter en incident. Och det av olika organisationer. I Sverige, pga hur små vi är, behövs framför allt hjälp efter och före incidenter, och där har jag sedan 1997 argumenterat för en IT-Haverikommission. Denna måste dock vara helt oberoende och separerad från alla organisationer som har någon typ av tillsynsansvar eller regler, och aldrig utpeka skuld. Bara beskriva vad som hände, varför och vad som bör göras för att minska risk upprepning sker. Deras rapport kan användas av andra myndigheter som grund för deras bedömning av ändring av verktyg som styr, inklusive men inte begränsat till upphandling och tillsyn.

Under en incident krävs framför allt snabb enkel kommunikation mellan de som behöver utbyta information under en incident, och där är naturligtvis polis och privat sektor inblandade. Detta sitter hårt fast i de idag trasiga avtal för MLAT och (naturligtvis) Datalagringsdirektivet. Denna skrivbordsprodukt som visst hjälper i vissa fall, men är att använda icke-optimala verktyg för mycket speciella operationer.

Nej, jag är besviken. Framför allt på avsaknad av att lyssna på de som arbetar operativt i privat sektor.

Uppdatering: Jag tycker f.ö. man ska läsa det remissvar som IIS skickade in på utredningen. Den utredning där IIS Säkerhetschef Anne-Marie Eklund Lövinder satt med som expert. Dock fick inte experter lämna in särskilt yttrande, vilket är märkligt, varför just IIS svar är så viktigt att beakta.

Security and things…

The polarized discussions related to “bad things on the net” continues. Everyone from the Prime Minister of Sweden talking about how powerful tool viruses controlled by the police would be, to the Anonymous attacking Daesh on the net.

I have been kind of silent the last week just because I have not had any idea where to start. To explain how naive and silly I think the discussion is. Unfortunately lead by advisors to lobbyists that have once again succeeded to make ministers say stupid things. And as we are in the situation we are, whatever stupidity is proposed will probably be implemented. So silly.

To know what tools are needed (and with tools I imply everything from legislative to technical) we must always start by looking at what problems we want to solve? What are the issues? And knowing that, we can start look at what tools are needed, what tools exists (and might have to be modified) and what new tools are needed.

I classify the need for tools in four categories:

1. Identify who is (was) communicating

The one that knows who is using an IP-address, logged into a social media service, did send an email etc is the one that provide the service in question. In some cases to get more data more than one provider must be contacted (mapping username to IP address, and then IP-address to location). In some cases when something has happened, there is the need for knowing not who is using an IP-address or was at a specific geographic location but who did use a specific IP address or were at a specific location.

Many people think this is the implementation of the data retention directive we have today, but I disagree. The data is to be stored for too long time, the wrong data is stored, and there is not enough qualification and oversight on the requests themselves.

I think data is to be stored for say 48 hours. All data. Then deleted. Requests can only come from law enforcement, and only with connection to crime of certain level. With oversight by third party to flag if the tool is misused. It is also required for law enforcement in one country to request data from provider of service in a different country, i.e. cross border exchange of data must be possible. Today, slow expedition of requests require data to be stored for much longer time.

2. Gather information about one party that communicates

Given a specific person, IP address or social media account is believed to be involved in certain activities, communication to/from that endpoint must be possible to be redirected to whoever requests that information.

This could be an extension or adoption of the current legislations and rules related to wiretap, and just like knowing who uses an end point, third party oversight over how the tool is in use is important.

The difference between [1] above and this is that in this case only information about one (of many) end points is collected, and that the end point is specifically suspected of having some relationship with some crime of a certain level. There must of course be requirements on crime level, what to do with overflow information, for how long time data can be collected and such.

3. Look at all communication

To find bad fish in the sea, it is interesting for some parties to look at all communication. No, this does not have to be intrusion of integrity. It all have to do with what and how the fishing is done. And what is done with the data collected. Some fishing might fall into other categories ([1] and [2] above), some might just look for changes in traffic pattern and instead result in suspicion that result in further work according to category [2] above.

The way to keep this under control is to just like other categories have third party oversight, and set specific rules for what fishing is allowed. Similar to fishing for, well, real fish in the Baltic Sea. Too small cod, and the fishing is illegal.

In Sweden we have the famous FRA Legislation but we have also seen that the oversight have in a number of cases hit on the fact the fishing has not followed the rules. That of course decreases the trust in the party providing the service.

4. Stop certain communication

If it is detected that some bad communication exists, the only really effective way of blocking that is to take down the service. To take down the service at the end point. Not to block! This requires, just like for [2], the ability for law enforcement in one State to communicate efficiently with law enforcement in another. And that rules and procedures are set up properly so that it is predictable on what happens if laws, rules, regulation and norms are different in the two states.

And of course that a third party is overlooking how the tool is used. Just like with the other mechanisms sought for.

Other comments

The proposed use of spying software at the end points is something I definitely do not believe in. We already have seen some impact on for example the Blue Coat incident explained by Citizen Labs. It is also the case that criminals always can use encryption software, voice messages inside games and what not. We will never be able to catch that. This implies forbidding encryption, requiring back doors, master keys and what not is just not useful. Steve Bellovin that have I have worked with in IETF a lot explains this really well in a CNN interview.

Instead, we must use the tools mentioned above and only those tools. And watch what happens. Catch the fish when they make mistakes. And use the tools we already have and can use. Like validating the biometric information in our passports. In USA they started checking biometric information, and validate passports are not lost, directly after 9/11, but in EU? In EU we talk about doing that at the Schengen border today. How silly is that?

It is also as mentioned above important to ensure third parties do have oversight over the use of these tools. This because the tools themselves are not by themselves dangerous. The use is. And because of this, it is important what rules exists for the use, what crime is to be required and who can request use of them. The data collected definitely have implications on privacy, so it is information not to be given out ad-hoc. The request must be authenticated and authorised.

Let me take a parallel example. The 112/911 service in Sweden, SOS Alarm, wanted to be able to send text messages to all cellphones in a specific area. This was suggested to be solved by having servers run by SOS Alarm into which all cellphone providers where to send location data. How dangerous is not that? The solution I now think is implemented is instead that SOS Alarm should be able to send a message plus a polygon that describes a geographical area to each cellphone provider. The cellphone provider send the message to all phones within that area, and report back to SOS Alarm how many phones received the message and how many phones where in the area. The information on what location each phone has do not leave the telco. Much better!

Conclusion

I am dead tired over having lobbyists and popular interest driving their agenda. That in many cases do not help us solving the issues we have in the society. I also do not think we are helped by people wearing tinfoil hats. I am also tired over politicians making statements without thinking of what words they are using, because if we in our country can use those words as arguments to change what tools are in use, then the same words can be used in more difficult states. Sure, there is a difference between our state and states where for example journalism and criticism is not allowed, but this must be taken into account when making official statements. I do not see that have been made.

There are definite steps that must be taken. Now. By Sweden, by countries in EU, by members in the Schengen agreement.

But having State controlled viruses is not the right solution. Forbidding encryption is not the right solution. Having back doors in soft- and hardware is not the right solution.

Giving the right tools to the right parties on the other hand, that is what we should do.

Can we please get a modern sound discussion about this?

Effective deployment of broadband?

I see in the Swedish Newspaper SvD an article where the minister of IT, Kaplan, states the new directive regarding access to ducts will be revolutionary for broadband deployment. Sure, it might be better than the situation today, but unfortunately not give the boost that he is talking about.

What is needed for the society is high quality Internet Access. Nothing more, nothing less. For an internet service provider to be able to provide that, it either need good radio access, or good transmission. For good radio access, good transmission is required to the base station. So regardless of whether radio or cable is used for the last few feet, good transmission over fibre is needed.

Question is then how to implement this transmission over fiber. Well, first of all the fibre is required, and the fibre is in turn deployed in a duct that is in the ground. Ground-Duct-Fibre-Transmission-Internet. Five different things.

Different.

We have taken the decision that regarding investments and deployment, market economy forces should steer, control innovation and investment. Because of this, it is better the more competition we can get. And ultimately we based on this should have competition regarding every of these five things.

But each piece of land (what I call ground above) is by definition owned by one party. So we can only get competition in four of the five things (given we have decided where to provide Internet). This new directive that Minister Kaplan talks about ensures a. that the Ducts can be deployed and b. that the Ducts should be shared.

That is good, but far from enough. It is in fact counter productive. And the 90% cost savings he is talking about is the difference between digging down your own ducts and fibre compared with providing your fibre in existing ducts.

For me the directive is a failure.

The real savings we get if we share all passive infrastructure. Also the fibre. Specifically savings for the society. Remember that we do have requirements to share passive infrastructure for copper based wire. And that EU in general say that regulation should be technology neutral. So why is not fibre to be shared? Why is not the regulation applied in a technology neutral way? Of course because fibre owners do not want the fibre to be shared. They do not want a low barrier to entry. They first wanted everyone to be forced to provide fibre and ducts, but after negotiations they gave up on ducts, as long as the fibre do not have to be shared.

What is important is that one always separate the passive infrastructure from the active. Including if you provide both layers yourself. As the passive and active infrastructure have different payback time. Active infrastructure must be replaced at least as bandwidth requirements increase…double every 18 months, and too many have too long payback time. They keep old equipment, that have a lack of features.

Price pressure (both regarding hardware, robustness, resilience and staff) make it easy to provide for the end user noticeable differentiated services. Because of this noticeable difference, and price pressure, competition and innovation is required.

Passive infrastructure on the other hand have a lifespan of tens of years. Depreciation time for fibre can be 20 years or more. And that is one of the ways to calculate the real cost there is for fibre.

Passive infrastructure must be shared!

That said, of course, if someone want to deploy their own fibre, have their own ducts, and what not, that should not be prohibited. And here I admit the directive helps, at the same time as it increases the risk fibre is not shared.

The low barrier of entry should be regarding the ability to provision your own active infrastructure!

 

DANE and SMTP

Jan Žorž of Internet Society has written a text describing results of lab tests of DANE and SMTP at Go6Labs. The findings seems to be that if either of the MX or the TLSA records in the DNS is unsigned, then delivery of SMTP will not happen over the TLS protected connection if the cert is self-signed.

I think that is wrong.

For me SMTP delivery consists of two steps:

  1. Resolution of the MX
  2. Management of the SMTP connection

I think the two are separable from each other, and that seems to be where there is disagreement (and question on how it is actually implemented, for example in postfix).

Resolution of the MX takes the domain name of the target email address, and looks up MX record. The target of the MX record is the host that later one should open the SMTP connection to. This resolution to me uses normal DNSSEC rules for success. The record is to be either unsigned or signed, and if it is (to be) signed the validation is to succeed. Otherwise the result of the lookup is to be ignored, and delivery not possible. I do not think fallback to delivery to A/AAAA is correct if MX exists and validation of MX fails. Only if MX is missing fallback to A/AAAA is acceptable.

Second step is to deliver the email over an SMTP connection. A/AAAA is to be looked up (and validated if signed). On top of that TLSA record is to be looked up for _426._tcp.mail.example.com (if the target of the mx is mail.example.com). If the A/AAAA and TLSA records exists, and they are signed, then the DANE specification says the cert is to be trusted and can be used for the TLS connection.

I think that is something that is correct, and I think it should happen regardless of whether the MX record in the first step was signed or not. I think it should be enough that the MX in the first step is passing the requirements (either be signed and correctly validated, or not signed at all).

Caspar Bowden

On July 9 I was reached by the message that Caspar Bowden has passed away. What a loss!

I so much remember everything we have done together during the years related to privacy and integrity. Combination of ability for LEA to do their job and maximizing ability for people to communicate. Data retention directive. CSR and Human Rights. And more!

Here is one of his presentations.

Misslyckad revision av bredbandsutbyggnad i Ystad

I Ystad har man låtit göra en revision av Ystad Energi. Revisionerna har gått igenom en hel del av Ystad Energis verksamhet på bredbandsområdet, men, de har inte tittat på de saker som är tvingande enligt EU förordning.

Jag har skrivit om vilka krav som gäller för etablering av passiv infrastruktur med hjälp av stadsstöd tidigare. Det är främst 5 kap. 9 e § fjärde punkten förordningen (2007:481) om landsbygdsutvecklingsåtgärder som styr hur stöd kan utgå, och som ni ser i det jag skrivit har PTS till och med summerat vilka regler som gäller.

Ändå tittar inte revisionerna på just detta, dvs de har explicit missat att titta på huruvida svartfiber (passiv infrastruktur) tillhandahålls på icke-diskriminerande villkor. Vilket är det som krävs. Speciellt har de inte tittat på månadsavgift, utan bara anslutningsavgifter. Jo, de tittar på om och konstaterar att modem ingår. Modem. Till fiber. Säger ett och annat.

Om inte ens revisorer tittar på denna typ av regelverk, vilka ska då göra det?