‘DPI is necessary’ – Sandvine
p2pnet news view Freedom | P2P:- DPI, Deep Privacy Invasion (or Deep Packet Inspection) is the tool used by disgraced ‘behavioural targeting’ firm Phorm on behalf of giant UK provider BT, as well as other companies.
British government approval of the technology has gotten it into a costly and politically disastrous lawsuit with the European Commission.
In Canada, its use inspired the federal privacy commissioner to launch an anti-DPI site which states clearly and unequivocally »»»
Deep packet inspection is just one seemingly neutral technological application that can have a significant impact on privacy rights and other basic civil liberties, especially as market forces, the enthusiasm of technologists and the influence of national security interests grow stronger.
DPI is employed by a company called Sandvine, based in Waterloo, Ontario, and which has now submitted a CRTC filing on Network Management (TPN2008-19 Review of Internet Traffic Management Practices of Internet Service Providers) in which it claims “DPI is necessary,” says Sandvine Fluff in a dslreports comment post.
In it, “DPI is necessary for the identification of traffic today because the historically-used ‘honour-based’ port system of application classification no longer works,” says Sandvine.
“Essentially, some application developers have either intentionally or unintentionally designed their applications to obfuscate the identity of the application. Today, DPI technology represents the only effective way to accurately identify different types of applications. ”
Really?
‘Policy management’
Whenever you see a corporate product with ‘fair’ in the name, you can be 100% sure it’ll be the exact opposite, p2pnet posted a little less than a year ago, going on »»»
Apple`s FairPlay DRM is a shining example, and now ace Canadian digital restrictions management company Sandvine has come out with a product sure to make the likes of Bell Canada and Rogers glow.
Sandvine, which coined the notable phrase `policy management,` is now touting Sandvine FairShare to, enhance its suite of Traffic Optimization solutions.
For `Traffic Optimization` read bandwidth throttling, and Sandvine`s new consumer control technology `empowers` ISPs, enabling, fair usage in the shared access network with advanced techniques to ensure equitable allocation of network resources during periods of congestion, it says.
And it`s fully application-agnostic, meaning BitTorrent isn`t the only P2P file sharing application it`ll target.
We continued »»»
FairShare automatically responds to the changing network environment and subscriber usage patterns in real-time, says Sandvine.
To do that, it must be constantly spying on users and although DPI isn`t mentioned, one wonders if it figures in Sandvine`s FairShare.
DPI = Deep Packet Inspection which, says the Wikipedia, enables advanced security functions as well as internet data mining, eavesdropping, censorship, etc.
CAIP (Canadian Association of Internet Providers) said in a submission to Canadian regulators, Bell is using DPI to sequester or `hijack` certain data packets as they pass through the network, and hold these packets hostage until certain pre-conditions are met
And CIPPIC (Canadian Internet Policy and Public Interest Clinic) is asking the Canadian privacy commissioner to open an investigation because, it says, Bell has not only, failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for, it`s using Deep Packet Inspection to, find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network.
Sandvine says, blandly, its FairShare, collects subscriber usage metrics from various sources and analyzes the data according to sophisticated, configurable parameters.
Then it, dynamically modifies policies to balance available bandwidth and resources among subscribers.
It actively throttles bandwidth, in other words.
According to Sandvine in its submission to the CRTC, “DPI is necessary for the identification of traffic today because the historically-used “honour-based” port system of application classification no longer works. Essentially, some application developers have either intentionally or unintentionally designed their applications to obfuscate the identity of the application. Today, DPI technology represents the only effective way to accurately identify different types of applications.”
Now, in the first of what’s certain to be a long series of posts and arguments deconstructing Sandvine’s claims of innocence, “Boy, this makes me glad I gave up the free beer and ended up working elsewhere,” says shepd in dslreports, going on »»»
Sandvine (6) : Sandvine submits that the true “content” of an Internet transmission is represented as the body of your e-mail message; the music or movie you are downloading; the video you are streaming; the words in your VoIP call, etc. As explained in Sandvine’s initial comments to the Notice, Sandvine’s congestion management solutions, including those that employ DPI, do not inspect content as the content is not relevant to a congestion management solution. To be clear, they: Do not read your e-mail; Do not listen to your voice calls; Do not watch the video you are streaming, etc.
shepd: Point 6 is (or or will be) a lie. The best DPI systems would implement caching for streaming video, I’m guessing Sandvine doesn’t do this (yet).
Sandvine (16): Because typical congestion management solutions do not inspect the actual content of users’ Internet traffic, they also cannot record, report on, or store such personal information. As explained in paragraph 62 of Sandvine’s original comments, the most “personal” information that Sandvine’s congestion management solutions record for an Internet account (i.e, not a particular individual, but the IP address attached to an Internet account, which may include access for many individuals) is aggregate volume usage data, by application or protocol. For example, a typical congestion management solution could report the number of bytes of a VoIP protocol sent and/or received by a given Internet account over a fixed period.
shepd: I know personally is an absolute and complete utter lie. One of Sandvine’s most popular solutions was to combine logging activities with their DPI hardware. You could buy several TB log servers just for this purpose. The idea was that when you call up support they could check your account on this log server and see if you have viruses or are running P2P so they could weed out people who just can’t fix their PCs vs. people with bad connections.
Sandvine (17): As described above, Sandvine submits that the use of DPI-based congestion management solutions do not create a privacy concern in that they do not inspect content for the purposes of traffic classification, nor is any such information stored within such solutions. Despite this fact, certain respondents claim that somehow the mere presence of DPI-based technology itself raises privacy issues, and have called for an outright ban on any such technology. Imagine if this approach were applied to other technologies, such as those supporting cameras. Single Lens Reflex (SLR) technology underlies cameras that take photos at family birthday parties. The same technology has been applied for surveillance of individuals and public spaces. One use of the technology raises privacy issues, the other does not. Nobody questions the value or validity of the camera technology. So why question DPI technology? Privacy concerns properly attach to applications or uses of technologies, not to the
technologies themselves.
shepd: 17 is just plain stupid. Encrypted communications are private by their very nature. If I walk into most museums and start taking pictures (especially with an SLR) I’ll be escorted out by the police, because it’s trespassing. I’ll probably be served, too, if it’s obvious I was intended to be a douche about it.
Sandvine (18): Banning the use of DPI, would have far-reaching and damaging consequences across the Internet, where the technology is used extensively. The wireless router in your home probably uses DPI to make sure that time-sensitive packets like VoIP or gaming are delivered quickly, while delaying less time-sensitive packets like e-mail. Firewalls, some built right into popular PC operating systems, use DPI to analyze packets for malicious intent like viruses, trojans, and Spam. Libraries, schools and government institutions rely on their firewalls to protect themselves and their users from attacks. Those firewalls use DPI technology. Load balancers and routers, indispensable hardware that distribute traffic on the Internet and private networks, use DPI to identify where a given packet or URL should be routed and what priority it should be given.
shepd: Yes, that’s why we want DPI banned for PUBLIC usage, not PRIVATE. Duh.
Sandvine (19): DPI is also a key part of the innovation in allowing a migration from IPv4 to IPv6 allowing a network operator to convert from one to the other using a carrier-grade network-address-translation (NAT) and keeping protocols such as VoIP operational.
shepd: WTF??? How the hell can inspecting a packet help you take an IPv4 address and put it on an IPv6 network without modifying the contents of the packet? And I thought you just said in point 6 you don’t inspect the content? How do you even know it’s an IPv4 packet then?
Sandvine (20): As described above, Sandvine submits that typical congestion management practices (which the Company believes is the subject of theNotice) do not raise personal privacy issues. However, Sandvine recognizes that other Internet solutions that are in high demand from consumers, governments and society in general may raise personal privacy considerations. Examples, raised by certain respondents include lawful intercept, copyright enforcement, and targeted advertising.
shepd: See 19
… and, “22, 24, 26 — Contradict point 6, again,” he says. [22 -- To continue the earlier analogy, surveillance of individuals or public spaces could be achieved through a SLR-supported still frame camera or through video recorders supported by a variety of technologies. Similarly, solutions like lawful intercept, copyright enforcement and targeted advertising are achieved through a variety of technologies, not just ? or even predominantly ? DPI. 24 -- DPI technology can comprise a component of targeted advertising solutions, but it has been very rarely used this way. Instead, other technologies have dominated. Google is one of the leaders in targeted advertising, but to Sandvine's knowledge its targeted advertising solutions do not use DPI. According to Google's own Advertising and Privacy notice in connection with its enormously popular Gmail e-mail application, Google reads your mail to make decisions on targeted advertising: "The Gmail filtering system also scans for keywords in users' emails which are then used to match and serve ads. When a user opens an email message, computers scan the text and then instantaneously display relevant information that is matched to the text of the message. 26 -- Lawful intercept provides another example of how privacy-sensitive solutions can be enabled by a wide variety of technologies. In the United States under the Communications Assistance for Law Enforcement Act (CALEA), service providers are required to identify and intercept criminal data traffic under a lawful warrant provided by law enforcement agencies. DPI technology could be used in a solution designed to support the collection of that data, but so too could a home computer "tapped" into the communications of the individual that is the subject of the warrant.]
Sandvine (25): According to the Google Toolbar Privacy Notice, the Web History service available through the popular Google Toolbar, “records information about the web pages you visit and your activity on Google, including your search queries, the results you click on, and the date and time of your searches in order to improve your search experience and display your web activity. Over time, the service may also use additional information about your activity on Google or other information you provide us in order to deliver a more personalized experience.” According to the same Privacy Notice, Google’s PageRank service also sends Google “the addresses or other information about sites when you visit them. According to Google’s Privacy FAQ,
Google stores search engine logs data for each user for 18 months prior to anonymizing it. Again, to Sandvine’s knowledge, none of these solutions use DPI.
shepd: So, because Google does it differently, that’s how it’s all done, right? I use a 1541 disk drive (Commodore), so *OBVIOUSLY* my PC can read the disks, you know, because *I* do it that way. Yup. Awesome argument.
Sandvine (27): In many cases, questions around privacy-sensitive Internet solutions will ultimately come down to the ability to secure sufficient user consent. To date, vendors of privacy-sensitive solutions like targeted advertising have struggled with providing reliable mechanisms for managing user consent. The mechanisms, whether designed as opt-in (where the user must proactively consent to being subject to the solution) or opt-out (where the user must proactively demand NOT to be subject to the solution) have typically been cookies-based. Cookies are “small pieces of text, stored by a user’s web browser, that contain the user’s settings, shopping cart contents, or other data used by websites. 29 – Fortunately, a better solution to the consentproblem is available, through a network-level association between the subscriber’s account and his permission settings related to the privacysensitive solutions. Regardless of the computer he uses to access his Internet account or the browser that he uses on those computers, the permissions follow the user. Only if the user intentionally changes his account-level privacy permissions could a previously opted-out user be opted-in. Such a solution can be implemented through the use of DPI technology.
shepd: 27 – 29 — Nothing at all to do with DPI.
Sandvine (30, 32): Service providers are just beginning to explore other uses of DPI that can make their service offerings more attractive to consumers in an increasingly competitive Internet access market. High-speed Internet services are largely offered in the form of flat rate, monthly, unlimited plans. Consumers may be interested in other types of service plans that better reflect the unique ways that they use their Internet connections. Such plans would likely necessitate the ability to differentiate between types of traffic and applications, which in turn would necessitate the use DPI technology as well as other network intelligence tools. 32 — Other consumers may be interested in a service package that guarantees a high quality of service for certain frequently-used, latency-sensitive applications, like Internet video gaming or VoIP. A DPI-supported policy solution that can distinguish between different types of traffic and applications is necessary to enable this type of service package.
shepd: 30 – 32 — Direct assault on net neutrality. Pay more for real internet, pay less for fake internet. Why go through the effort with DPI? Just dump in a forced proxy server and you’re gold if you just want to provide KIRF internet.
Sandvine (35): In response to point “a” (and as already described in paragraph 55 of Sandvine’s initial comments) a policy that is targeted at disproportionate users of bandwidth can become more targeted by applying an application-specific policy as well. For example, by their nature, applications like VoIP, online video gaming and others do not contribute meaningfully to network congestion, but because they are time-sensitive applications, their usefulness to the consumer is greatly impacted by any delays in their delivery. Congestion management solutions allow service providers to create a narrowly-targeted policy that affects: only disproportionate users; only applications that contribute disproportionately to bandwidth consumption; and only applications that are not time-sensitive.
shepd: 35 — In my opinion, nothing is a bigger hog than work VPNs. So let’s boot off these corporate hogs. Oh wait, this is all opinion based and therefore total BS, right?
Sandvine (36): Such a policy would minimally impact users’ quality of experience, while achieving the congestion management goal. Sandvine is focused on maximizing the user’s Internet experience.
shepd: 36 — “Maximizing” their experience they way they did with Comcast, yes? Yes, I sure do feel people had their experience with tech-support “maximized”.
Sandvine (41): Further, many IETF standards implicitly require the use of DPI, such as RFC 3489, “Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)”, and RFC 2766, “Network Address Translation – Protocol Translation (NAT-PT)”
shepd: 41 — If my IP started with 192.168, 172.16-30, or 10. this is right. Guess what, that’s not what any of this is about.
Sandvine (42): One of the DPI-supported congestion management policies that Sandvine has historically offered service providers is “session management”of P2P file-sharing traffic through the use of TCP Reset packets (RST packets) (see paragraph 53 of Sandvine’s initial comments). Despite the claims of certain respondents, there are simply no IETF standards on when or how RST packets should be used. It is further claimed that the RST packets used in session management are in some way “forged” because an RST packet is supposed to mean that “the other end of the connection has failed.” While original implementations of RST packets were for this purpose, as with much on the Internet, their use has evolved. For example, most webservers use RST packets today as a mechanism for tearing down TCP connections because it is much more efficient than a four-way connection teardown. In short, RST packets are broadly used today and for purposes other than communicating that “the other end of the communication has failed.”
shepd: 42 — The US Government, of all people, has told you, Sandvine, that you *are* impersonating people on the internet by injecting RST packets. STFU already!
“Sandvine, you are embarassing my hometown,” says shepd, adding, “If you are going to write shit, at least make it coherent shit.”
And guess who’ll be taking notes avidly, if it isn’t already in behind-closed-doors communication with Sandvine?
Phorm, anyone?
Definitely stay tuned.
Jon Newton – p2pnet
(Thanks, Marc)
April, 2009
Use free p2pnet newsfeeds for your site. It`s really easy! Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.
May 1st, 2009 at 11:21 am
The CRTC should toss that out.
All Sandvine submitted was a commercial.
An attempt to get attention using the tax payers regulatory website to submit a commercial that lacks in substance.
Maybe P2Pnet.net should use the CRTC as a commercial avenue as well. After all P2PNet is Canadian also.
May 1st, 2009 at 12:02 pm
“Yes, thatâs why we want DPI banned for PUBLIC usage, not PRIVATE. Duh.”
Bell and Rogers using DPI is private usage. It happens on their own privately-owned networks, which customers have paid for the right to put their traffic on.
“In my opinion, nothing is a bigger hog than work VPNs.”
That’s a pretty ill-informed opinion. If I’m active on BitTorrent, I’m using about 10-20 times the bandwidth as when I’m active on my work VPN connection.
“And I thought you just said in point 6 you donât inspect the content? How do you even know itâs an IPv4 packet then?”
This is just being obtuse. The IP header isn’t the content. If you disallow inspection of IP headers, then the Internet might not work so well. I’m not sure if you really don’t know how ISATAP works or if you’re just pretending for the sake of being argumentative.
May 1st, 2009 at 1:43 pm
@BennyBeans
> Bell and Rogers using DPI is private usage. It happens on their own privately-owned networks, which customers have paid
> for the right to put their traffic on.
1. Customer is the one who designates the use of type, content, priority and timing of his communication over the internet. Noone has the right to stomp upon his right of free decision. So NO, DPI usage is not matter of ISP deciding whether to use it or not. Customer must give him right to do so first. If he does not, its use is public use (= without knowing customer, his opinion, and using it thus on all the traffic).
2. Show me, where customer gives its ISP the right to manipulate his/her own originated/destined traffic, in the agreement between customer and ISP.
3. Customer is the one who comes to ISP with demand. Network wouldnt be there without people interrested to use it; they drive it. Without customer demand, the ISP can pack up and go away, it is useless, at least as a business. So: Customer is the one who primarily decides, NOT ISP.
>> âIn my opinion, nothing is a bigger hog than work VPNs.â
>
> Thatâs a pretty ill-informed opinion. If Iâm active on BitTorrent, Iâm using about 10-20 times the bandwidth as when Iâm
> active on my work VPN connection.
VPNs *may* be fair much more hogs; it depends on technology usage. If I funnel my BitTorrent traffic through VPN, or my sole net usage is transferring data loads over VPN, guess what kind of traffic the DPI would mark on an egress port of my router?
So, neither you nor shepd are right on this point. However, if customer decides to prioritize certain traffic, ISP has no right to thwart such his decision by giving it. ISP must stay network usage-agnostic (a.k.a. “best effort” model), at least in their own network, unless they both have agreed upon something else. See point 1 in my reply above.
>> âAnd I thought you just said in point 6 you donât inspect the content? How do you even know itâs an IPv4 packet then?â
>
> This is just being obtuse. The IP header isnât the content. If you disallow inspection of IP headers, then the Internet might
> not work so well. Iâm not sure if you really donât know how ISATAP works or if youâre just pretending for the sake of being
> argumentative.
No, shepd is right here. Why? Becouse you simply can’t generalize ‘IPv4′ is not a data content. It again may be, depending on use. Guess what will happen if I’ll create an IPSec connection in tunneling mode? The original IPv4 header is part of data payload. What will happen if my application packs an IPv4 header as a means of app-driven routing information? Again, this is content. So: anything *data* is content, part of it is just being marked ‘header’ for purpose of specific program handling (routing decision, manipulation/marking, logging, etc.). In this sense, it is no different than anything that follows header.
And no, do not object this is just wording. This is definition. If you have more exact one, go ahead and beat it.
May 1st, 2009 at 2:17 pm
“If he does not, its use is public use (= without knowing customer, his opinion, and using it thus on all the traffic).”
This is a very strange definition of public. Usually the distinction has to do with ownership. If I allow someone use of my property by contract, and I don’t abide by the terms of the contract, then this is a tortious conduct. I haven’t read that closely any ISP customer agreements, but if ISP’s behaviour contradicts what’s in the agreement then I’m sure it wouldn’t be hard to get a lawyer to take on the class action suit.
“If I funnel my BitTorrent traffic through VPN, or my sole net usage is transferring data loads over VPN, guess what kind of traffic the DPI would mark on an egress port of my router?”
I would call it VPN traffic, no matter what you are doing. DPI is impossible on tunneled IPSec traffic, unless your DPI engine knows something the information security profession doesn’t.
BitTorrent over VPN would be crap, though.
“No, shepd is right here. Why? Becouse you simply canât generalize âIPv4â² is not a data content.”
I’m not sure why the definition matters. The point is that networks cannot support IPv6 tunneling without ‘inspecting’ what comes after IPv4 headers. If you insist on creating a bright-line network rule of “don’t read what comes after a packet’s layer 3 header”, then the ISATAP RFC becomes illegal to implement.
May 1st, 2009 at 5:14 pm
I don’t think it’s possible to set up DPI at the front of a backbone network in such a way it could be considered “private”.
The trouble with DPI is, it sees EVERYTHING going IN and coming OUT of that provider’s network.
Even networks that wouldn’t be using DPI would still have to peer with those that would be.
Even “opting out”, if such an option was offered by networks that use it, would need to be done with EVERY DPI-USING PROVIDER ON THE PLANET, in order to effectively opt out of the practice. Even if that choice was honoured by each provider, your traffic would still have to line up with everyone else’s and pass through these DPI units. (Your service would still be degraded, by default, by a factor times the number of DPI units it needs to pass through.)
This essentially makes DPI totally “public”, and should be absolutely illegal.
May 1st, 2009 at 6:05 pm
None of this changes the fact that the network is privately owned. People connect into the privately owned network so they can send requests and get responses from servers somewhere.
The privacy implications seem very stretched to me, though. Isn’t content caching a far more invasive feature of ISPs? Why does nobody care about caching? Is it simply because people don’t like DPI (it makes BitTorrent slow) and do like content caching (it makes the web much faster)?
We’re complaining about programs ’seeing’ our content. Of course they see the content. Routers have to copy those bits all over the place to get them to the destination; they can’t copy it without ’seeing’ it. Caching is far worse because it leaves the bits in one place where they can be inspected after the fact. DPI is just a bunch of heuristics that makes decisions based on certain properties of the data. What are the specific privacy concerns there?
May 1st, 2009 at 7:46 pm
“None of this changes the fact that the network is privately owned.”
What difference should it make if the network itself is private?!
(Not that most actually aren’t anyway, or wouldn’t exist without public money, but…)
The USER DATA isn’t owned by the provider, who’s getting paid to transfer it.
___________________________________
“The privacy implications seem very stretched to me, though. Isnât content caching a far more invasive feature of ISPs?”
No, it’s not.
Content caching is done on the fly, doesn’t interfere with the service (actually improves it), doesn’t examine the data packets (just caches them), and the content is dumped as soon as it’s no longer required by the USER (no retention when done). Compare content caching to the RAM chips in your computer.
DPI digs into the packets, interferes with the flow, and records information on them.
This information is retained for set periods of time, or “permanently” in some cases.
Why do you think there’s so much discussion from police forces and other interests about legalizing DPI??
Some are completely drooling over the amount of information they would have access to that wouldn’t have normally been kept by the providers.
“Of course they see the content.”
No, they don’t.
The content you transfer is dismantled at the transmission user’s end into smaller data packets, and reassembled at the receiving user’s end.
Normal equipment doesn’t exactly “see” anything, nor does it assemble the packets it caches into a “viewable” form at the provider end. Nor does the provider know what packets belong to a specific transfer or user. Providers would need to pick out a specific user, sort only those packets into their respective transfer clusters, and reassemble it the way a computer reassembles it at the user end, in order to “see” anything. Providers wouldn’t have the time, desire, or incentive to rig that kind of thing up. That’s essentially what makes a provider a “dumb pipe”. DPI would change that significantly.
If they could “see” anything, groups like the RIAA would be totally badgering the providers for a “front row seat”, to see and record all the copyright infringements “as they go by”.
Providers are supposed to be “dumb pipes”.
They’re not going to be allowed to open data packets to determine their contents, if we, collectively, can help it at all!
Content control by the ISPs, as well as loss of user privacy, would be two of the many negative results if we don’t.
May 2nd, 2009 at 12:08 am
“What difference should it make if the network itself is private?!”
Ask shepd, who seems to think public vs private is a big deal.
“Content caching is done on the fly, doesnât interfere with the service (actually improves it), doesnât examine the data packets (just caches them), and the content is dumped as soon as itâs no longer required by the USER (no retention when done).”
It’s not dumped when the user’s done with it. That’s the whole point of caching. It’s retained for a certain amount of time, in case the same person (or someone else) requests it soon afterward.
“If they could âseeâ anything, groups like the RIAA would be totally badgering the providers for a âfront row seatâ, to see and record all the copyright infringements âas they go byâ.”
This is nonsense. Every ISP in the world has the capability in their network to single out a user and monitor their traffic. They have to, it’s the law. With a court order, the police can require an ISP to monitor any given user’s Internet traffic, and get all of it. So if the idea is that DPI is giving privacy-impairing capabilities to ISPs that they don’t already have, then it’s wrong. And the RIAA doesn’t need this capability to figure out who is copying files (they just get on the P2P network).
So again, what is the specific privacy loss?
May 2nd, 2009 at 8:33 am
I’m flabergasted.
Sandvine seem to be saying that obfusaction prevents traffic management.
Um – crap.
Traffic management is required for QOS and QOS only.
If some of the traffic wants to masquerade as different port utilisation then iut will either miss out on obtaining better QOS or be included in QOS by accident.
And actually – he is quite incorrect about being able to obtain the result by dpi.
128 bit encryption with fake headers bouncing of a remote proxy through a pvc is impossible to read – and I dont care what your patent claims mr sandvine group. It just cant be done.
But I tell you what – you write a paper that tells the truth – i.e: American protectionist FUD distribiution has forced the global internet community to experiment with new methods enabling discrete private data streams to make sure that when the commercially filetered internet does arrive in 2012, those individuals that havbe mastered the ART of CDMA type TCP-IP layer overlay with disparate ad-hoc on demand chaos based random routing – will still be able to cruise the net quite comfortably without being traced.
And Sandvine – if you dont join the team – you become part of the problem. And if you’re part of the problem, well then no-one is actually going to give you the solution. So I guess, the academics have been right all alone – surprise surprise surprise (gomer pyle accent). We do have a need for Internet 2.
Damn – I really did think that government would come to its senses.
Everyone – load PVC’s – take aim at neutral virtual proxy and fire.
Sesame Street today was brought to you by the letter i as in invisible, the R as in you’re wRong and letter S as in “duck Sucker” (any “A fist full of Dynamite” fans out there ?
May 2nd, 2009 at 12:32 pm
@ Tom, well said……and although this will show everyone my tech level on networking
what the heck do you mean by PVCs??? Is it like running a VM or what??
May 2nd, 2009 at 3:12 pm
“Itâs retained for a certain amount of time, in case the same person (or someone else) requests it soon afterward”
The “content caching” you’re talking about doesn’t capture user data, it only caches the static elements of a popular site’s webpage, and that kind of stuff, and retaining it on geographically dispersed servers, with the intention of speeding up all the instances of that page being called. It’s got nothing to do with the users that access them. (Other names for this are “content delivery” and “content distribution service”.)
“Every ISP in the world has the capability in their network to single out a user and monitor their traffic”
The “capability” to do this comes from procedures they need to perform, and not from any mechanism that is in place and waiting to be used on “everybody” on the fly. Monitoring is done, by law and court order only, when cause has been presented (complaints, police investigation, etc.). Anything else would currently not be legal in Canada (not sure about the US now, where the Patriot Act seems to have perverted everything).
The provider needs to actually intercept data packets from and to the user in question (using the right packet headers), and copy and forward those packets to a computer, which would assemble and “recreate” what the user would be getting from them. They need to know who they’re looking for first, and sort his activities to find and reconstruct what they’re looking for. That’s how they trace child porn traffic for the RCMP.
“…what is the specific privacy loss?”
DPI equipment inspects each packet, logs content types and all packet headers, and keeps a record of individual user activity summaries. These summaries make it much easier to retrieve those packets that are still in cache, and it has been discussed that the packet caching (which I erroneously thought you were talking about before) be done for longer periods of time, thereby raising the question that our personal activities and privacy would no longer be considered as important as things like delivering countless “targetted” ads, or suing copyright infringers, while using the spin “finding child predators” as an incentive to overlook the all the other obvious implications.
DPI takes away the “dumb pipe” quality of a provider, as it saves individually-targetted and specific information on not only a network’s paying customers, but on those whose traffic needs to peer with that network. DPI takes away the “anonymity” of the current packet transfer protocol by IDENTIFYING EACH USER it collects logs on, and by INTERCEPTING TRAFFIC to do so.
The privacy issues are endless.
And, by the very definition of what DPI does, it should be considered a violation of current privacy law.
May 4th, 2009 at 9:56 am
This discussion, and a new topic of interest in based on this topic, is continued over here:
http://www.p2pnet.net/story/21212
May 8th, 2009 at 5:27 pm
I am sorry but being a pro p2p downloader against DPI is like a transport carrier being opposed to d.o.t. weight limits on roads. Unless you work for an ISP and understand the growth problems and how the IP protocol works, you really can’t claim to know what you are talking about.
Please take a CISCO CCNA course before saying things like “WTF??? How the hell can inspecting a packet help you take an IPv4 address and put it on an IPv6 network without modifying the contents of the packet? And I thought you just said in point 6 you donât inspect the content? How do you even know itâs an IPv4 packet then?”
The 4 bits of an IP packet (in the header, not the DATA portion of the packet) tells you what version of IP protocol is being used. If you say that reading thoes 4 bits is a privacy violation you might be more concerned to know every router will read further into the packet to decide where to forward that packet… if you take the header of an IPV4 packet, and rip it off, and exchange it with a header with ’similar’ information, but using 128bit addresses and changing the first 4 bits to 0110… you performed some level of packet inspection and created a IPV4-IPV6 router. I am sorry you feel the internet is a giant privacy concern to you and that your pornz have been slowed. Also sending a packet with the reset bit set in the header is only impersonating the ISP’s own IP address (which they would also own the product) to the other ISP.
Instead of being confused and wrong, please get some real world education. We have a great university in Waterloo, you probably already know that because you also got drunk at a Sandvine recruiting event where you heard about that “database product” and came to your own drunken suspicions.
Sadly shepd you are embarrasing my hometown as well. Using shortforms as STFU, WTF etc. just take away any credibility you build.
The internet was never designed to be last mile to last mile. It was designed to connect in a “mesh”. Instead of mopeing about DPI you should be more concerned about the monopolies owning the last mile of network. Call group telecoms old number… press 1 for sales and get rogers… 2 for support and get Bell. Rogers owns GT. Charter communications filed for chapter 11. Bell has filed a tarrif for “Usage based billing” in which they will be billing wholesale DSL ISPs for Data usage on the last mile. ISPs still pay for the data usage to their transit providers. Congestion during peak hours means an internet provider may not be able to provide resonable VOIP experience unless other non real-time protocols are managed.
If your post office was overloaded but could prioritize bills and cheques over junk mail, would you not want that so the bills and cheques arrived on time… also keeping in mind the junk mail keeps the post office from losing billions of dollars a year.
May 8th, 2009 at 8:08 pm
It seems to me that it would be valuable to look at different DPI appliances to hone arguments for and against the technology more broadly – the appliances are *not* all made the same. Some of iPoque’s devices, for example, are capable of the forensic analysis that has been alluded to in this post, some are not (DPX Network Probes are better able at forensics, PRX devices not so much). Also, when we’re talking about DPI it is critically important to distinguish between: (a) devices’ theoretical capabilities; (b) how ISPs have actually deployed them. Further, DPI vendors themselves often produce whitepapers that demonstrate that they are engaging with privacy, copyright, and other issues of the day. I’ve fairly recently looked at a few of iPoque’s whitepapers (just happens to be where I am on ‘things to read’ research list) and analyzed and critiqued them at the following:
http://www.christopher-parsons.com/blog/technology/analysis-ipoque-dpi-and-copyright/
http://www.christopher-parsons.com/blog/technology/analysis-ipoque-dpi-and-encryption/
http://www.christopher-parsons.com/blog/technology/analysis-ipoque-dpi-and-bandwidth-management/
Looking CRTC submissions, it isn’t immediately apparent to me that ISPs have particularly detailed consumer logs. ISPs have a tendency to aggregate data sets, with most individuated alerts about network uses coming up when something ‘weird’ appears (e.g. when a computer attached the network is infested with hostile code and starts spamming the network, that activity is seen and the computer removed from the network until the issue is cleared up). Don’t get me wrong – if we read whitepapers from actual DPI vendors we can see that there is the potential to do really unpleasant things, including *very* detailed user tracking. The concern is that, once these devices are in place, third-parties will be able to exert influence and have ISPs actually begin tracking users in a very granular fashion. This is an entirely justified and legitimate worry, but isn’t one that necessarily follows from inserting any old DPI appliance in a network – certain vendors’ products can do this easily, others cannot.
As a note: in terms of encrypted traffic it is possible for many DPI appliances to identify what program is attempting to establish a connection based on the initial exchange of packets between programs. This is one of the key ways that Skype is identified, as well as some P2P protocols. In these cases, there is a heuristic analysis of packet sizes and transmissions – if this analysis is performed and an appliance applies its rulesets without creating a consumer profile (X customer used Skype on days A,B,C,D,etc) has there been an infringement on the consumer’s privacy? (This is an open question – I’m not trying to be rhetorical, just trying to open up a bit what we mean by ‘privacy’ in these discussions.)