1179/DoT/ISPAI/08
January 17, 2008

Deputy Director General (DS)
Department of Telecommunications
Sanchar Bhavan, Ashok Road,
New Delhi – 110 001

Subject: Security and Monitoring requirement by ISPs

Dear Sir,

Please refer to the meeting held with ISPAI representatives on 15th January 2008 on the subject as well as ISP license clause no. 1.10.10 in this connection.

ISPAI is of the view that monitoring and security of data is of paramount importance for the country. However, the Government should take a holistic view while implementing such a requirement. While discussing the issue amongst the member ISPs, it emerged that an effective, viable and workable solution would be to monitor the traffic at the exit points, e.g. International Gateways, NIXI Nodes, and Downstream peering by Tier 1 ISP providers.

We are enclosing a sheet which shows that most of the ISPs (category C, B & even A) are taking bandwidth from 3-4 large service providers. It will be easy to monitor traffic at their Gateways rather than at different locations. You will find from the sheet that several ISPs are not connected with NIXI since they are taking bandwidth from upstream service providers which in turn are connected to NIXI; their traffic hence gets monitored either at the International Gateway or at NIXI.

In the case of ISPs using IPLC, such ISPs should be responsible for monitoring traffic, whereas in the case of ISPs doing private peering with other ISPs, the onus should be on one of the ISPs (after mutual agreement) for monitoring the traffic, and such ISPs should install the necessary monitoring equipment and inform DoT accordingly.

We are enclosing a comprehensive Note on Security and Monitoring Issue for your kind perusal. ISPAI will be only too happy to be part of any discussion in this regard or provide any further clarifications you may require.

Kind regards,
For Internet Service Providers Association of India

Rajesh Chharia
President

CC: Member (T)

SECURITY MONITORING SYSTEM: ISPAI’s PERSPECTIVE

Introduction

1. DOT, in its endeavour to ensure a secure environment in terms of data, voice and information security, has included clauses in the various licences, e.g. ISP, NLD, ILD, and has also sent various advisories from time to time. ISPAI and its members, being responsible organisations who wish to ensure protection of our country’s security, wholeheartedly support the efforts in their right spirit in this regard.

2. The Govt and its various security agencies have a responsibility to monitor and evaluate risks associated with terrorist activities, immoral behaviour or any such activities which are inimical to our country’s way of life. To do this job seriously, in keeping with the present security environment, the security agencies need to have an effective, monitorable system, optimal in keeping with technology and economical in its use of resources. The system of monitoring or the technology used should be upgradeable, affordable to the businesses deploying it and practical in its usage in achieving the overall aim of effective monitoring. Keeping this in view, ISPAI recommends the suggestions given in the paper below.

Aim

3. The aim of this document is to suggest a viable, economical and effective system of monitoring the internet by security agencies.

Challenges

4. The infrastructure and resources required for data monitoring for security purposes are very high. Since the amount of internet traffic is very large and constantly growing, the setup required to capture, analyse, store and filter the relevant data for security agencies needs to be very elaborate. As demand for bandwidth multiplies, the cost of equipment, installation and maintenance is also going to become significantly high. As per current ISP regulations, this setup is required at all nodes with a capacity of 2 mbps or more. This actually means that an ISP will have to deploy this elaborate monitoring facility at virtually every POP.
Although an alternative option of centralised monitoring is provided in the regulation, it is an equally expensive and impractical solution, since the entire traffic from all nodes will have to be carried to the central site, resulting in a requirement of huge bandwidth for NLD transportation and consequent data processing equipment. This has the technical disadvantage that the network gets inefficient, more hops get added and latency increases, leading to QOS issues and an increase in failure points, leading to reduced uptime. In either situation, the ISP business becomes financially unviable even for large ISPs, thereby making the cost of Internet Bandwidth at the service provider end and the customer end exceptionally high. To what extent this will affect the spread of Broadband will need to be analysed from a strategic viewpoint.

Recommendations

5. Keeping in view the above challenges facing the Govt and Security Agencies on one hand and the industry on the other, ISPAI puts forward the following suggestions, which we feel will meet the needs of all the stakeholders in terms of effective monitoring on one end and being cost effective and practical to implement on the other:

Efficient data monitoring of internet traffic can be done at the critical points in the country through which all internet traffic traverses. These can be classified as follows:

a) International gateway points
b) Domestic ISP peering points (NIXI)
c) Downstream peering by Tier 1 ISP providers.

All internet traffic that needs to be monitored will be traversing these exit points or exchange points as described below:

d) All traffic that is exiting/entering India does so only at the defined International gateway points. Hence by monitoring at these points 100% of international traffic is monitored.
e) All domestic traffic that is exchanged between ISPs traverses through the Tier 1 ISPs, who in turn peer with overseas ISPs. Hence by monitoring all the peering links of Tier 1 ISPs, the entire traffic can be monitored.
f) In addition, it can be made mandatory for all ISPs to peer with NIXI, and data monitoring can be done at all NIXI points for local traffic monitoring.

Thus, it will be seen that for achieving nationwide data monitoring, it is sufficient to monitor at only the above points.

The above proposal has several advantages:

g) It reduces the burden on security agencies in terms of manpower resources required to be deployed for continuous monitoring at each ISP site and aggregation point across the country. In a scenario as per current regulations, monitoring might be required at sites which may run into hundreds. The costs to be incurred by all will also run into vast sums, not affordable by all. However, monitoring at the above three points reduces the manpower requirement to a relatively small, affordable level.
h) The efficiency of monitoring is significantly enhanced. If data monitoring is distributed at all nodes, it results in duplication and dilution of efforts and reduced focus. However, with fewer points to monitor, the entire setup will be streamlined and there will be more focus and skilled management. This will result in much better results in detection of violations.
i) It significantly reduces the wasteful monitoring infrastructure requirement of both ISPs and security agencies. In fact, with this option, the provisioning of Internet will remain financially viable without compromising on the security requirements of the government and the country.
j) Such monitoring is also of strategic importance to the country, as any directions resulting in blocking some traffic as required by Government of India security would need to be implemented at fewer locations, thus maintaining proper confidentiality.

Conclusion

5. A pragmatic view of this issue very clearly brings out the necessity of a viable, manageable, upgradeable, practical and cost effective monitoring system in the country.
Internet bandwidth requirements are likely to grow exponentially in the country, keeping in view the aggressive plans of the Govt to spread Broadband into rural areas for upliftment of the rural populace and to get them into the mainstream of growth, education, health care and e-governance initiatives. Provision of bandwidth at affordable prices will be a challenge if the targets need to be met.

******************************