The latest crazy law imposed, today, with no notice, is The Russia (Sanctions) (EU Exit) (Amendment) (No. 9) Regulations 2022. My good friend, and lawyer, Neil, has blogged on it already...
This is one of those rare cases I am blogging as director of AAISP rather than purely personally. See here for A&A news post on this.
The main issue is we, as an ISP, have to "take reasonable steps to prevent a user of the service in the United Kingdom from accessing, by means of that service, an internet service provided by a designated person."
I do wonder why - I mean this is asking anyone providing internet access, whether for their family at home, or via free wifi, or anything, to do this? Why not ask the handful of transit providers to do this instead - much simpler, surely? But OK...
My first issue as an ISP is what are those services? I mean these are not services offered by some corporate entity that happens to have a "designated person" as shareholder, officer, or even employee, but services actually provided by a "designated person", over the internet. This list of such persons is not simple or small, and working out which provide what services over the internet will not be a simple task.
So we plan to ask, maybe, OFCOM, as they have specific enforcement requirements in that legislation, for a list of such services.
But when we get that, what then? LOL, like we will get a sane answer, ha... But, well, then we have to try and block access somehow, if reasonable.
We do not have means to block access or filter anything by IP, or DNS name, in our network!
I can't stress this enough, we have never had any order to block anything or any previous legal requirement to do so, really. It is, in my opinion, not "reasonable" to expect us (for no payment at all, or otherwise) to magically implement such a measure, especially to do so between Laid before Parliament at 5.00 p.m. on 27th April 2022 and coming into force 29th April 2022, really. Or even (as it will cost a lot) later.
Update: As some people say, we have BGP routers that could have a black hole route added, and customer facing DNS servers that could have a bogus entry added. But this is the tip of the iceberg in terms of a "system" for blocking. There needs to be the management systems to maintain the blocked IPs and domains. Systems for who can add and remove entries. Systems to ensure they are applied correctly to the various config files. Procedures for handling mistakes. Procedures for handling support queries from customers relating to blocks (and mistakes in blocks, over-blocking, etc). Systems for getting the sanctions lists, processing it, researching the services provided by those Russian companies, and making changes over time. Yes, some ISPs have (most of) these systems and procedures in place for other reasons. We don't! On top of which, actual URL blocking is a completely different matter and simply impossible when considering the current use of https.
Update: That said, for a couple of domains, it is not impossible to add a DNS entry manually, but it is far from a scaleable solution.
What could we do?
At a push we could refuse to answer DNS for some domains on our customer facing DNS servers, but customer do not have to use them, so that would not be effective in meeting the requirement. And weirdly the providers of public DNS, like 188.8.131.52 and 184.108.40.206 are not subject to this order - why?
Indeed, if we had some way to block some routing to some IPs (and remembering we must not "over block" to meet net neutrality laws), customers are allowed to, and often do, use VPNs, so again, it would not actually be effective.
I am not sure we could "reasonably" take any technical measures. The closest we could get is not answering some DNS.
So what do we do?
Well, step one is we ask OFCOM for the list of services, and see what we get. That is it for now. I expect no list, to be honest, which sort of solves the problem.
Then we consider what next.
The other consideration is that we might "ask customers nicely" not to access such services. That sounds like a reasonable step to me. We might do that once we have a list of such services.
Update: The sanctions list has been updated - two "designated persons" have been listed: TV-Novosti and Rossiya Segodnya, with the web site rossiyasegodnya.com specifically listed. What is odd is that OFCOM have seen the list and decided that the sites rt.com and sputniknews.com should be "blocked" somehow. So which is it? What is the process for finding the "services" offered by the designated persons and how did OFCOM come up with those two domains? Is every coffee shop offering WiFi to somehow research some Russian companies to find what services they offer?
In practice, it looks like our (free) customer facing DNS servers may have to fib about a couple of domains for now. Not a scalable system, but hopefully "reasonable steps".
And just to be clear, I want the war to stop. But I am not sure how these sanctions help or are in any way effective. They are, however, a break from any notion of "mere conduit" for Internet Access. If they are needed, they are in the wrong place (surely transit providers, or DNS providers like 220.127.116.11 and 18.104.22.168, are more appropriate than every coffee shop offering WiFi). So we are doing what may be the only "reasonable steps" we can do.