Deep Packet Inspection and Net Neutrality 334
EncryptKeeper writes "Ars Technica has an in-depth feature on deep packet inspection, and it's a disturbing read. ISPs are starting to turn to DPI to monitor their networks, and, more troubling, to look at how they can use it to shape, block, monitor, and prioritize traffic. 'The "deep" in deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.'"
In other words (Score:2)
(20,000,000th post?)
Re:In other words (Score:5, Interesting)
I work for a telephone coop in their internet dept. We've been drilled about the evils of Vonage/Skype, etc cutting in to our MUCH more lucrative-than-internet-or-tv-depts for a while now.
But, as all of our customers have access to our's and other's(namely cable) broadband. I don't know that filtering out VoIP would be a good move. We've had a few customers whine that their VOiP isnt reliable(duh) on our service. (mine seems to work just fine) So the first thing they do is go to the cable company for service(not that this makes any difference in their reliability)
So with the cable and other non-dialtone companies, filtering VoIP causes phoe co's to loose not only an internet customer but a landline costomer as well. As we require a landline for our broadband, we stil get the best of both worlds while still providing VoIP access.
Re: (Score:2)
Re: (Score:2)
I don't think there will be a huge vonage selloff for that reason. More along the patent disputes...
Re: (Score:2)
Mildly pedantic, but I think you meant to say 'Cue'
Unless it was 'Cue queueing up to sell Vonage stock in 3,2,1
Cheers!
Re: (Score:3, Interesting)
Anyone who actually makes investment decisions based on reak information and not on slashdot line noise have made that consideration 2 years ago.
That was roughly the time when Ellacoya, Taz, P-Cube and their like went into trials with major telcos. Unfortunately they were all private at the time, otherwise I would have been seriously tempted to buy some stock. The telcos and ISPs that intended to deploy them have already done so. The ones that have not are looking at flexible bandwidth management and
Censoring? (Score:2)
Cheers!
Surprisingly balanced article (Score:2)
I know this is
Re: (Score:2)
Re: (Score:2, Funny)
Encryption (Score:5, Interesting)
Hmm, I need some help with this one, since my networking kungfu sucks... When I login to Gmail, I am in a https mode, and this persists through my whole session. I was under the impression, perhaps naively, that this meant my session to Gmail was encrypted and that only I and the Gmail server could decipher the contents of my mail, that is until I click send, and it goes from the Gmail server to wherever I send to. So if this is true, how would someone be able to reassemble my email as I type?
Re: (Score:2)
Gmail (Score:5, Informative)
If you use POP access, you can enable SSL both for incoming and outgoing mail, I believe.
Re: (Score:2)
Re: (Score:2)
Not that it's exactly what you're looking for, but the CustomizeGoogle [customizegoogle.com] FF extension is pretty neat.
Re: (Score:2)
Re:Gmail (Score:5, Informative)
Re:Encryption (Score:5, Informative)
Having said all of that: Email is not an encrypted protocol by default! The method above is a good method for preventing sniffing on the last hop between you and Gmail (which is why I use it when I'm on an unsecured wifi connection to prevent easy eavesdropping). However, once the mail server sends the message on the open network... it is 100% cleartext. If you want real encryption, get PGP, this advice was true long before Slashdot got its panties in a bind over ISP's 'snooping' on your traffic.
Oh and one more thing: I love the Slashdot doublethink: Having a large evil corporation (the ISP) possibly being able to sniff traffic to read some of my emails is a terrible invasion of my privacy!! Simultaneously: Having a large non-evil (because they said so) corporation (Google) actually store all my emails (much easier to get at them then trying to wire-sniff) and index them and use them to generate ads: SUPER!
Re:Encryption (Score:4, Insightful)
It's actually worse than that (Score:3, Interesting)
With packet inspection, anyone on the internet backbone between me and Google could be reading my email - my local ISP, plus anyone they peer with.
Granted, this is also true of standard unencrypted email...
Re: (Score:2)
1. Install the Greasemonkey Add-On for Firefox
2. Install the GMailSecure [userscripts.org] script for Greasemonkey
3. Profit!
Tweak script parameters as required for Calendar, Apps-For-Your-Domain, etc. etc.
Re: (Score:2)
Re:Encryption (Score:5, Informative)
If you use their pop/smtp access, that access is fully encrypted.
Re: (Score:2)
Re: (Score:2)
Cheers!
Re:Encryption (Score:4, Interesting)
http://www.customizegoogle.com/ [customizegoogle.com]
Re: (Score:3, Informative)
The only times you'll ever get booted from
Okay... (Score:2)
Re:Okay... (Score:4, Informative)
If you use the "Gmail notifier" plug in for Firefox, it defaults to https. There is also a "gmail customizer" app that will let you specify HTTPS as the default, but I've never used it.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Encryption (Score:5, Insightful)
B. it doesn't make sense to reassemble an email because eventually the whole email will be submitted.
C. Deep packet inspection is very expensive because it requires heinously fast hardware to inspect a 10 Gb/s data stream, and you need a lot of these at the network edges. The core networks are too fast to inspect.
D. AFAIK DPI isn't deployed anywhere. Only a couple of manufacturers have 10 Gb/s gear and they are trying to sell it now, which is what ARS picked up on.
E. There isn't a business case for it that I can find.
F. A lot of the applications Ars describes don't require deep packet inspection, only header inspection.
G. Many of these things run inline, which means there is a decrease in reliability due to insertion of the device. That means redundancy etc which drives costs up even more.
Ultimately I don't think there is any likelihood that carriers who are already facing capital expense and return on investment problems plus increasing demands for plant expansion due to video are going to buy this story. The current wisdom is that fast-dumb is what is scalable.
Re:Encryption (Score:5, Informative)
They no longer have to differentiate their product offerings based only on speed.
It's called market segmentation [wikipedia.org]
You see the business case yet?
Re:Encryption (Score:5, Insightful)
The window of opportunity for the Internet to be saved as something resembling the free and open place it's been for the past few decades is closing rapidly. If we don't get some Net Neutrality laws in place soon, it's going to be too late. Once the current model of the Internet is gone and we have what AT&T would like us to have, I'm betting that just about all of us here at Slashdot are going to be very, very sad.
I fully expect that in about 5 years, the same people who are here today talking about how we should let the "free market" control the Internet will be whining about how much they miss the days when an individual could actually put up a web site that could compete with the "big boys" for the eyes of the World.
If there hadn't been a de facto "net neutrality" in place back in '97, there would be no Slashdot today. Nor would there be a You Tube or Craig's List or Wikipedia or just about any of our beloved sites.
If you want to know about what the Internet is going to be like if it's not protected with strong Net Neutrality laws, just picture AOL. Picture the entire Internet being AOL.
Have a nice day.
Re:Encryption (Score:4, Funny)
Wait what??? (Score:3, Insightful)
Re: (Score:3, Insightful)
No, you've just been sold a bill of goods by so-called "conservatives" who since Goldwater have been telling everyone that government is the worst thing in the world. That if only there was less government, we'd all be living in fields of clover, rich beyond our wildest dreams.
Problem is, it was baloney when Goldwater said it, baloney when Reagan repeated it, and baloney today. Funny h
Re: (Score:2)
Re: (Score:2)
I disagree. I could see a lot of business cases for them.
It's only that most of them are illegal, immoral, or just plain evil, but it's not like that's going to stop anybody.
There's a lot of marketing-related stuff you could do with DPI, particularly in conjunction with a transparent proxying system that would swap out ads in real time, replacing the ads that the user would normally see as they browse with your own (targeted to their desires, of course).
Re:Encryption (Score:5, Interesting)
A full reassembly by sniffing would also need to drop retransmitted packets and support all common encapsulation techniques. You're also talking about a LOT of storage and absolutely no way to sensibly organize the volume of data collected. That's the problem with data saturation - there are no database or data processing techniques capable of handling it. I was talking to one of the top Ingres software/network gurus at OSCON yesterday - apparently even just the total information awareness project is staggering under the sheer weight of information that no system yet designed can handle. If the data is unsearchable, unsortable and unprocessable, then to all practical intents and purposes, it doesn't exist.
Why encrypt the connection to your email server? (Score:2)
What about
I think the motivation is... (Score:2)
Of course, that seems a bit farfetched to me, but then having the ISP doing deep packet inspection on one's e-mail traffic seems a bit weird, too.
Re: (Score:3, Informative)
A passive attacker (Eve) can witness the entire key exchange and be unable to work out the key.
To Avoid Gmail Reassembly... (Score:5, Informative)
CustomizeGoogle: Improve Your Google Experience -- Firefox Extension [customizegoogle.com]
If you are using POP3 access to Gmail, you are already using SSL.
If I understand packet sniffing correctly (I'm no programmer), that just shows the source and destination but the contents are encrypted. Please let me know if I'm incorrect.
Re: (Score:2)
Re: (Score:2)
It becomes more difficult to do, but it is possible. The isp has to track the packet flow to the key definition through the whole communication scheme.
Re:To Avoid Gmail Reassembly... (Score:5, Informative)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Anyone can generate a public key, which means that the system itself is insecure without a third party who can reliably state that public key X definitively belongs to person/organization Y. That's where security certifi
Re: (Score:2)
Re: (Score:2)
I want to communicate with Server A. I have Server A's public key, so I encrypt a randomly generated session key with the public key; Only someone with the private key can see that session key now.
So anybody out on the big bad internet would not be able to reverse the encryption.
Personal VPN (Score:3, Interesting)
I don't currently suspect my home ISP of doing this sort of deep analysis or otherwise interfering with my data stream, but in this way I also don't have to worry about it.
IMHO this sort of thing will become the standard if this trend of ISPs snooping and changing our data continues.
Ubiquitous Encryption (Score:5, Interesting)
The NSA wiretapping with the collusion of the US telecom industry is just the start.
This technology is going to be seen as a data mining opportunity. Want to bet that some of the big data aggregators are going to start installing this technology - or paying ISPs or backbone providers for the privelege.
Having developed one of these boxes (Score:5, Interesting)
First, it's not just ISP's and the NSA, but also Universities. U.C. Berkeley is the biggest fanboi of this stuff. Any new tech, they want. And their IT department has been all over this. Nor are they aren't the only University.
And yes, the RIAA is promoting this stuff too. Very eagerly. And every other control freak out there.
The next obvious step is to network these boxes across the global, to keep track of traffic in realtime. Yes, that's a jump up. But it's doable. And it will happen. That is, people will be able to keep track of what you're doing on the internet in real time.
Also, what people aren't thinking about is the abilitiy to preserve this information. Vast storage is cheap, and getting cheaper. People are targeting saving two-years of realtime data. That's pushing things, but this is what people want. And they want to be able to preserve it longer. There's a huge amount of potential datamining there. Especially when they are able to preserve Internet traffic for longer and longer periods.
In short, the goal is to not only be able to track your every Internet connection, and what you did, but to preserve it for years. Some folks want cradle-to-grave. While they won't get it for a while, that's the direction this stuff is headed.
The bottom line is that encryption is one key defense. Necessary but not sufficient. Just be grateful that the PGP battle was won back in the 90's. If the battle for publically available strong cryptography had been lost then, you wouldn't be having this option. Connections are the other item. The support for obscuring this is lagging, and some cases broken. But it's still critical.
Finally, everyone should be aware that all of these boxes are hackable. If you know why Ethereal/Wireshark was kicked out of OpenBSD, you understand what's going on. The development environments common in this industry are also prevalent here. Harried developers don't care about buffer overflows. That's a total afterthought with minimal risk in the commercial space.
Or, to put it simply, you should in theory be able to not only detect when your traffic is being sniffed, but also be able hijack the sniffing as well.
So in summary, yes, encryption is useful. But it's not sufficient. And there's a heck of a lot more going on in this field than people are aware of, or even thinking about.
I wouldn't do it (Score:5, Informative)
I, as a private system admin, would simplify the entire problem and choose not to engage in packet inspection unless there were absolutely blatant abuses--like setting a threshold. There are ethical reasons why I wouldn't feel that it's proper to go delving through each and every packet. Once government becomes involved, though, then there's no way to turn it off. In order to receive the money for an ISP start-up, for example, one must demonstrate that they can play within the ever shrinking boundaries defined by the laws.
The article (and summary) mentions reassembling e-mails as their being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?
I guess the argument can be made for automatically modifying forms. Pfizer uses this for their online resume submission. For example, the available options in the various locations (country, state, county, city, zip, etc.) are pared down as soon as one makes a selection in the heirarchical predecessor. While I appreciate the "wow! neat!" factor I just don't see how it's really necessary and, although I don't see that Pfizer would be using it for some uber-nefarious conspiracy scheme, I can liken it to the desensitization similar to "Click OK if you wish to allow this action" and EULAs.
Re: (Score:2)
Given the advent of Web 2.0 services, the by-keystroke networking, and thus inspection, can indeed be done. even before you hit enter, and even if you backspace, the newer search toolbars' traffic can be inspected. I think this may be the legalization of the implicit keystroke logger.
Re: (Score:3, Informative)
The article (and summary) mentions reassembling e-mails as their being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it.
The main reason it's done is so that the form auto-saves. Gmail and Google Docs both do this; as you type into the form, every few seconds it will send the data to the server, and save the document. This way, if your connection hiccups, or if your browser crashes, or if you spill that Big Gulp into your keyboard, the text you've entered doesn't disappear.
Granted, Firefox these days is pretty good about remembering what you had typed into a form field if the browser crashes (how many of us have lost a long
Re: (Score:2)
just in case your browser crashes or something of that nature
Twenty years ago, when I first began using a word processor which offered this new "auto-save" feature, I turned it off, and I've been turning it off whenever possible since. Sure, it _seemed_ like a good idea, but something in the back of my head said three things,"If this crashes while I'm typing there's a larger problem that needs to be fixed, if I forget to save important work at regular intervals that's my own fault, and there's something suspicious about this 'auto-save' feature that I don't like."
I
Ask a Ninja About "Netrality" (Score:2)
and hotdog on a stick girl, too. The video is fun, and educational, and brought to you by your friendly neighborhood, endangered, Neutral Network.
Re: (Score:2)
The current network is neutral. Telcos/cablecos want to change that for "preferential" service (which means reduced service for parties they don't prefer).
Federal Mail Laws? (Score:5, Insightful)
ISP's currently have no limits that keep them from violating the privacy of their subscribers. Well, nothing short of market forces. Which in this case is laughable. Since packets can travel through a number of networks before ending up at their destinations, there is no guarantee it won't travel through an ISP the consumer doesn't support financially.
Re: (Score:2)
Just as the technology is what drove the Internet in the first place, so should it continue. A technical solution is what is needed.
Re: (Score:2)
The postal service owns the entire infrastructure end to end (at least for domestic mail in the US). It's also a quasi-government entity. If I'm a Tier 1 provider (i.e. Level3, Global Crossing, etc), you don't get to call privacy rights on your packets. If it hits my network, I can look at it. Mind you, I don't want to look at your data. I really don't care about your personal info. But if I need to look at packets for some reason for debugging/technical reasons, I don't want to be
Damned if you do, and damned if you don't (Score:2)
if you do not use VPN then your traffic is monitored by your ISP with not warning or notice. They probably don't even need any kind of warrant, no doubt it would be covered in the T and C.
if you do use a VPN then you are declaring you have something to hide and arousing suspicion.
or you can hope for a "lost in the noise" solution - but against ubiquitous packet surveillance that would seem optimistic.
hmmmm.
bugger.
Re: (Score:2, Informative)
So if you use a VPN tunnel to visit gmail your network traffic is safe from snooping by your ISP, but may be intercepted anywhere between the other end of the tunnel and the gmail servers themselves.
What you really need is to encrypt all traffic between your system a
common carrier == net neutral (Score:5, Insightful)
Re:common carrier == net neutral (Score:4, Informative)
Re: (Score:2)
They don't have it.
Furthermore, even i they did, tiered pricing does not affect CC status (see Fedex shipping rates for 2nd-day vs overnight delivery). All they would have to do is say that each packet in each rate class is handled the same way, and to provide rate-based pricing on equal footing.
Comment removed (Score:4, Interesting)
Re:Then they should lose common carrier status (Score:5, Informative)
This is a questionable belief, since there isn't necessarily any equality between "common carrier" and "telecom provider," but it's the reasoning, anyway.
Basically, AT&T (the phone company) is a common carrier. AT&T (the ISP) is not.
The horror! What about port 25?! (Score:2)
If you're worried about packet inspection, use port 443 or 22 for all your real time traffic, and gpg (OpenPGP) for email.
long live OpenVPN, captcha-enabled crypto (Score:2)
This is one reason (Score:2)
And if nothing else it's possible to tunnel a lot of information through SSH and other techniques.
OK, one day the encryption may be broken, or that some ISP thinks that all SSH must go through a gateway first... In that case the net will really start to die...
i am surprised... (Score:2)
if you don't think you can trust your isp, encrypt it. otherwise they can see everything, they always could...
Deep Packet Inspection 7 (Score:2)
Plus.net (Score:2)
From the site:
Every ISP has a finite amount of capacity - there's only so much traffic that you can get t
Encryption not the magic bullet (Score:4, Insightful)
Re:Encryption not the magic bullet (Score:5, Insightful)
Re: (Score:3, Insightful)
Encryption as a standard rather than an option? (Score:2)
Chinese (Invisible) Export (Score:5, Insightful)
It's not just China. Countries like Saudi Arabia and Iran are also taking advantage of this new technology, every byte of it developed by corporations right here in the "free" west.
And now? The technology is simply being marketed here to. Exported back into the west if you will. ISP, companies, governments are all being given the power to put the internet genie back in the bottle. Time was that corporations were developing technology to help make democracy stronger. Now they're simply giving democracy the rope it needs to throughly hang itself.
I'd like to be optimistic about our society, but frankly it's too tiring in this day and age of fear and surveillance. The worst part is the overwhelming acceptance, nay approval, of our loss of freedoms. The Net Neutrality debate is not an isolated argument. It's a symptom of the underlying shift in Western society, back into a dark age.
Re: (Score:3, Informative)
Shades of grey (Score:2)
When we use it on them, information wants to be free, it's not stealing since the original remains, and they knew this is how it worked when they started using it.
When they use it on us, it's wiretapping, invasion of privacy, and they'll use it to control what we can do (and charge us, monetarily or legally, accordingly).
You can have it both ways. You can *only* have it
Encryption? (Score:2)
It works extremely well and is very secure (packet sniffers just see jibberish). Any thoughts from anyone on how DPI would affect encrypted traffic?
Cheers,
imag0
Re: (Score:2)
Re: (Score:2)
Traffic from there on out isn't too much of a concern yet.
Cheers,
imag0
Newsflash: All your traffic goes through your ISP (Score:2)
The 90's called... (Score:2)
Who Owns Your Bandwidth (Score:2)
Btw, that was a long article for Ars Technica.
It'll never work. (Score:2)
Bandwidth is cheap, and continues to get cheaper. Why treat it as a precious resource when there's more of it every da
It's much worse than the article made it sound (Score:3, Informative)
Nate did not, for instance, watch Rod Randall's 2005 IEC presentation, which featured the tag line http://www.iec.org/online/iforums/iec_3/choose.as
For instance, one application is to monitor for email traffic (POP and SMTP). It can then log and create charging records for every email message that passes on the wire. Not that uses the ISP's server, but that goes on the wire. The pitch -- Randall makes this in his show -- is that wireless providers sell SMS for about a dime a message, and email by kilobyte is tons cheaper, so they should charge a dime for each email. VoIP competes with their phone calls, so it should be blocked or at least billed by the call.
But it gets worse. AT&T has made noise about charging for the value of ecommerce transactions. So if you make an online purchase, they'd get a fee for using their wire. Hell, Visa already does, for using their card, so AT&T wants to get their cut too, just for using their wire.
And it gets worse. They can decide what web sites are okay and which ones aren't. Others have already mentioned the Great Firewall of China. DPI lets its user tilt performance, so, for instance, Fox News gets better results than CNN, or Hollywood Fred's web site gets better performance than Barack's, John's, or Hillary's. This is all legal today for ISPs to do.
And it gets worse. Since DPI detects applications, it can block any new application -- leaving innovation in the hands of the phone companies who control the wire. After all, if it doesn't recognize the application, it must go to the lowest category, either blocked or relegated to what Randall calls "hobo class". Think modem speed, on a noisy line.
I do suggest reading Data Foundry's comments; author Scott McCollough is one of the best communications lawyers out there. He notes that the Ts and Cs of many "broadband" services give the wire owner the ownership rights on packets passing over their wire. No privacy -- so if you're a lawyer, you technically have waived your lawyer-client privilege by using their network! DPI makes this practical -- they can monitor emails for certain keywords, addresses, etc., even if it's not using their servers.
DPI is the tool for replacing Internet access with a "broadband" data service that is more like 1982's Compuserve, which charged by the hour and surcharged by the minute based on what application you ran (CB Simulator, email, etc.). It will happen if current (as of 2006) US rules, which kick independent ISPs off of ILEC DSL networks, are retained. It cannot happen if open competition for ISP services is restored, because the public wouldn't buy such a service if there were a choice. That's why the Bells got their buddies at the FCC to remove common carrier status from the telephone company networks.
Re: (Score:3, Interesting)
Already done. (Score:4, Interesting)
See Relakks [relakks.com].
I am sure there are more.
Re: (Score:3, Informative)
B) Even if you could, it doesn't matter. You may be able to switch your last-mile provider, but you probably can't switch their upstream provider. It's the upstream/backbone providers who will be racing to do this.
Basically, if providers are doing this, you're hosed. It's going to be real, real difficult for you to somehow make sure your traffic doesn't route across Level3's (or Cogent's, or whomever's) network at any point.
Re: (Score:2)
First: price/service competition works well in a competitive market. For most consumers, the market is highly non-competitive; they are faced with two choices of provider (BigTelCo or BigCableCo).
Second: it's not really the last-mile ISPs that are the worry with this, it's the upstream providers. If Level3 decides to implement DPI, there's nothing you can do about it. It's essentially impossible for you to make sure none of your packets route across Level3's network.
Re: (Score:3, Interesting)
If they have the ability to know this much about the individual packets why don't they start charging individuals for improved network performance?
The average workingman is paid 5 sp/day.
The priveleged workingman is paid 7 sp/day.
The favored workingman is paid 10 sp/day.
The cost of a coal shovel is 100 sp.
The cost of a coal shovel +1 is 110 sp.
The cost of a coal shovel +2 is 120 sp.
A coal shovel breaks after 19 days.
A coal shovel +1 breaks after 15 days.
A coal shovel +2 breaks after 13 days.
The favored workingman offers loans to the priveleged workingman in amounts of 20 sp per loan, with an interest rate which causes the total repayment to be 30 sp.