digg

Facebook Connect Join Digg About

Deep packet inspection meets 'Net neutrality, CALEA

arstechnica.com Deep packet inspection provides the tools that ISPs need to throttle, cap, and spy on users. Depending on who you believe, it might also save the Internet.

Who dugg this? Made popular Jul 26, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

103 Comments

show profanity settings
expand all
  • Mittop, on 10/10/2007, -1/+23The problem is, there are no "right hands". All the DPI owners (non governmental) are going to be profit oriented. And in a profit oriented scenario, DPI will be used to increase revenue by creating tiers of access. This model is used in other businesses, and would quickly be adapted in this scenario. Those revenue increases will come at the expense of the users (corporate/private) everywhere.

    But I wonder, if the deep packet is encrypted, so as to disguise the underlying protocol, can the shaping be as effective? The DPI operator would still know about the connection itself, but the nature of the connection would be hidden. Anyone have any idea about that?
  • aservin, on 10/10/2007, -3/+23In good hands it could help a lot to stop SPAM, DoS attacks, malware, etc. In the other side, in the wrong ones ...

    Sadly, I bet its use will be abused soon.
  • nihility, on 10/10/2007, -1/+17We're all screwed.
  • GnuTzu, on 10/10/2007, -0/+15Because, they will always care more about their bottom line then they will ever care about you.
  • Philluminati, on 10/10/2007, -3/+16With DPI the ISP basically can ***** you over with a "Man in the Middle Attack". When you connect to gmail / digg / your bank it records everything you send and recieve. It doesn't need to understand it! Later on, someone at BT, "plays back the traffic" like a tape recording and digg thinks you've logged in successfully again. The whole handshake including the encryped password send were correct as far as digg can tell. Then they can basically own you!

    The *ONLY* way to ensure your ISP can't read your ***** is to exchange encyption keys with another computer on another ISP using a different service (post, carrier pigion) etc.
  • verge, on 10/10/2007, -1/+13 DPI on that scale is newsworthy. I share Nate Anderson's apprehension. Wish for clarity's sake he stuck to DPI and put commentary in second article, so less tech-savvy could follow the debacle that net neutrality is becoming.
  • Noods, on 10/10/2007, -2/+13This is already in place in many larger ISPs waiting to be enabled. If you care about Net Neutrality, I would contact your Senate and House representatives now.
  • OBKenobi, on 10/10/2007, -0/+11That's why professional terrorists use good ol' snail mail, or just meet in person at a strip club. The US government is jerking itself (and taxpayers) around with all this tech paranoia, its effect on terrorism is 0. Government contractors get richer, ISPs get richer, you get bombed.

    As for net neutrality, it would be easy to enforce without the government having all these snooping rights. If customers detect throttling, a Jedi strike team should be dispatched immediately to execute all responsible.
  • GliTCH82, on 10/10/2007, -0/+10People digging this guy up just prove to me that the telecoms succeeded in totally ***** up everyone's perception about what net neutrality really is. Basically, for all those not following this, it was merely legislation designed to keep the internet THE SAME.
  • Terr01, on 10/10/2007, -0/+10"That's what net neutrality regulation advocates don't seem to get. In order to enforce it, the government will need this kind of access to all networks."

    Uhm... No. That's just silly. That's like arguing the government can't enforce laws against shoplifting because they need to have a policeman in every single store.

    Speaking of "Network Neutrality", wouldn't using tools like this and discriminating on the basis of content cause an ISP to lose common-carrier status?
  • OBKenobi, on 10/10/2007, -2/+10I'm sick of all these corporate bastards messing with my stuff.
  • NikoKun, on 10/10/2007, -1/+8Really seems like Darknets and neighborhood wireless nets... are going to be the only free safe internet left eventually...
  • IADTatami, on 10/10/2007, -0/+7That's a nice story. Tell us about the time that industry shills promised us a network the world would envy by 2005 in return for $200 billion!
  • jtb4, on 10/10/2007, -0/+6Soon? You mean like as in Yesterday! Already happening....
  • mstivren, on 10/10/2007, -0/+6Encryption alone is a losing proposition. Operators will look at the packet, see that it's not something they've white listed and blamo your packet is chucked. What you can try to do is fool the operator's parsers... but... I don't want a technical solution to this problem -- I don't want to have to waste my time fighting this battle. I want the government to step in and make this problem go away.
  • Winston84, on 10/10/2007, -2/+8Thank God I live in a country where even my IP is protected information and any kind of inspection
    of the actual packet-content requires a court-order ..
    Flat bandwidth IS profitable, at least in "socialist" countries as Sweden, Norway, Denmark, Finland and many other European God-forsaken
    un-american tax-paying countries .
    Of course the Brits get robbed ....
  • fantasticFlan, on 10/10/2007, -1/+6The first and last sentences are coherent, but I'm having no luck deciphering the others.
  • Ahnteis, on 10/10/2007, -1/+6a) "Net Nutrality are a joke."
    b) "Being able to hold websites like google at random? You already charge them / their ISP at your on ramp. It's a bad idea and the internet is fine the way it is."

    Um.... sentence A and sentence B are in conflict. Do you know what net neutrality is? The article DOES explain it.
  • 68024, on 10/10/2007, -0/+4Sorry but it's just plain naive to think that companies would use this software for anything else but a chance to charge people more money. That's the whole reason for companies to exist - to make money. They're not charities. Which doesn't take away that I'm very much against a tiered internet.
  • GliTCH82, on 10/10/2007, -0/+4Pretty soon they're gonna start policing forums and say that you can't post certain things because they violate the ISP's TOS. Well, actually they already do that but now they can enforce it for real. The internet is getting censored because the man does not want you to group, because there's power in mobs.
  • SmokedL, on 10/10/2007, -0/+4"I know of a solution to this: Make all forms of traffic shaping and software like this illegal."

    1. The software should not be illegal. No tool should be illegal. It may have a multitude of valid uses, prohibit invalid uses, not the tool.
    2. Besides the software part, Network neutrality is almost exactly what you want. The difference being that, at least the bill I read, would forbid any and all shaping based on who is sending and receiving. It would not forbid prioritizing VoIP as long as ALL VoIP traffic was prioritized in the same manner.

    I'm with you on that part though. I prefer the version with no ambiguity or margin for malicious interpretations. I think banning any and all traffic shaping on the public internet would be the best way to go.

    "Also, make it illegal to monitor packets."
    Whoa, hold your horses there. You are going to have to be a hell off a lot more specific there. If all monitoring of packages was banned you just banned the operation of the blinking light on your network card, the use of packet sniffers to reverse engineer network protocols, the use of intrusion detection systems in corporate networks etc etc.
  • zephyrxero, on 10/10/2007, -0/+4Yes, but if such a system were in place already, Grandma might not have ever discovered sites like YouTube that she loves today. Traditional television and other forms of media conglomerates have alot at stake in these issues because budding technologies that threaten their existence could be quickly stamped out for most user who will likely opt for the cheaper service, thus insuring we continue to rely on their already established services. This is the major fear with packet-shaping and tiered services...stifling innovation.
  • GnuTzu, on 10/10/2007, -0/+4Especially, since encrypted content can traverse a variety of protocols.

    The tricky part deals with being able to look things up; such as locating some content in file sharing. The listings have to readable by everyone who participates in the sharing. I you want to share something publicly, then the means to locate it and how to access it must be public.

    So, DPI will have some control over public directories. That might not currently affect encrypted content, but that could change as the technology gets more powerful.
  • zephyrxero, on 10/10/2007, -0/+3The scariest aspect this article covers is the thought of an upstream provider using traffic shaping...thus not even giving your local ISP a chance to make such decisions on their own. All I know is if I'm forking over tens of thousands of dollars each month for an OC-12, it better damn well be unfiltered, raw bandwidth!

    I hope you all enjoy your Skype/Vonage and YouTube services of today, because a tiered and shaped internet will never allow any new technologies to ever come about and truley flourish like they have been able to until now. I just hope my IMs don't take 10 times as long to transfer now since I use OTR encryption and don't want these jack-asses reading my private conversations.
  • potatomasher, on 10/10/2007, -3/+6If you want to do something about this and let your politicians know what you think, I suggest the following:
    if you live in the US, check out http://www.savetheinternet.com/
    if you live in Canada, there's still home and time to pressure politicians to make the right call. Check out http://www.neutrality.ca/
  • dtschwe, on 10/10/2007, -0/+3The best counter to this is encryption. Run all apps encrypted over 443 and let the ISP and the government try and figure out what is what.
  • Error601, on 10/10/2007, -1/+4Yea, it's called SSL. Which ISP your system connect to is irrelevant.
  • Terr01, on 10/10/2007, -1/+4"Net neutrality" simply makes it so that providers cannot legally do things like "All of your internet traffic to our affiliates if fast, but if you try to go to our competitor's site we'll make that artificially slow".

    Net Neutrality does NOT mean placing any sort of government equipment in the line, it only ensures that a new kind of dangerous business model does not become legal.
  • GliTCH82, on 10/10/2007, -0/+3The tiered system might not be so bad if the highest tier available is the price we're paying now. They could always create lower tiers that would filter out Johnny from downloading movies at Grandma's house, since Grandma only needs web/e-mail and pays $10 a month. That would save them bandwidth, quite possibly. Plus there are all these rogue systems that are running with eMule installed and the parents/grandparents don't even know it, so that would get those under control too.
  • BlindIrishman, on 10/10/2007, -1/+4Flood Digg with his stories
  • Wosat, on 10/10/2007, -1/+4Attention all libertarian/conservative leaning people out there who think "network neutrality" is some kind of liberal cause to put the government in control of the internet: it's not true! As a conservative with a background in computer science who's done a lot of reading on the subject, I urge you to look into it further. The choice is not between regulation and no regulation. (Does anyone think the government is going to be able to resist regulating something as important as the internet???) The choice is between simple, non-invasive prophylactic regulation now and potentially complex reactionary regulation later. There are legitimate economic and technical arguments for a policy that limits packet discrimination. I could write pages on the topic, but long comments suck. For more information: http://www.timwu.org/network_neutrality.html
  • DeathtoG4, on 10/10/2007, -0/+3Long but very good read
  • theoallardyce, on 10/10/2007, -0/+2> "Looking this closely into packets can raise privacy concerns: can DPI equipment peek inside all of these packets and assemble them into a legible record of your e-mails, web browsing, VoIP calls, and passwords? Well, yes, it can. In fact, that's exactly what companies like Narus use the technology to do, and they make a living out of selling such gear to the Saudi Arabian government, among many others."

    Its time to sabotage Narus's business model by getting packet signature obfuscation into as much software as possible. The free/open-source community could pull this off im sure. Companies like this need to learn the hard way that if they are going to be traitors they are going to pay.
  • princessangry, on 10/10/2007, -0/+2again companies like this lobby it's not just them cisco was the first to make the technology and they actually sold this to the companies as well. I heard about this kinda of stuff back in 2000. I also think they need to make the networks faster and they wont have the damn bottleneck problems. if they made the networks faster they wouldn't have to worry about things being slowed down. they are using outdated tech that should have been ripped out and replaced with fiber or last mile laser optics,etc like 10+ years ago! Hard to believe we are still running off old ass copper lines. if they would spend the money to make the networks better instead of wasting money on lobbying congress and buying this useless traffic shaping tech they would be alot better off!
  • princessangry, on 10/10/2007, -0/+2he would say that regulating the telco's against using this would be an "aggression" against the businesses.
  • geekee, on 10/10/2007, -2/+4Ron Paul is against net neutrality.
  • GnuTzu, on 10/10/2007, -0/+2Encryption, as well as obfuscation, is discussed in the white paper that was mentioned in the article: http://www.getadvanced.net/learning/whitepapers/networkmanagement/Deep%20Packet%20Inspection_White_Paper.pdf
  • SupaFupa, on 10/10/2007, -0/+2No system of any kind, computer network or otherwise, is 100% secure. If it were, even the intended users could not use the system.
  • jugger74, on 10/10/2007, -0/+2It always ends up in the wrong hands this will be the death of the internet as we know it. We will now have virtual tyranny to match up with nicely with the real world.
  • Terr01, on 10/10/2007, -0/+2You're spewing *****.
  • GnuTzu, on 10/10/2007, -0/+2mstivren and davotoula have meaningful points. However, the old way of packing binary data into emails suggests that DPI will always be limited to what it can easily recognize. That is if I use a protocol, such as email, to transport data that looks like it belongs in that protocol, then DPI won't reliably know the difference.

    Now, that doesn't make things all that easy for those who want to circumvent DPI, but there are those that work to get around automated detection. Take spammers for example. When Bayesian filters became popular, spam started to include some chaff to throw the filters off.

    Ultimately, trying to wrangle control over things that most people don't want controlled will only complicate things for everybody. If corporations manage to convince the government that their way of controlling things is right, then we could end up with some seriously Draconian laws telling us what we can and can't do.

    How would you like a DMCA that really locks things down? We could find that any protocol created outside of big corporations would be automatically outlawed. If you say that can't happen, then I say only if we actively work to stop it (because corporations will get their way if we don't speak up).
  • spudlyo, on 10/10/2007, -0/+2Sounds like in the future you might need two ISPs. I know that there is an ISP in Sweden who will hook you up with a VPN account for a price. Routing all your packets through Sweden won't enhance your Quake experience, but it will perhaps thwart these kinds of bandwidth shaping schemes. Who knows though, if your ISP is a nazi they might just throttle the ***** out of any traffic they can't analyze.
  • bromac, on 10/10/2007, -0/+2True, but this just goes to show that Digg's usually savvy technology crowd is getting more incompetant.

    Please, if you don't understand cryptography, don't comment on something of this nature. It's a little more complex than just "playing back" your password.
  • bobcrotch, on 10/10/2007, -0/+2The only thing that wasn't made up was 'man in the middle attack', but you still sound like you have no idea whats going on.

    Maybe you should just start sending everything post.
  • pintomp3, on 10/10/2007, -0/+2yeah, because everyone has like 20 different provider options. thanx to a more hands off approach since reagan, we have fewer and fewer providers. do you really thing the telco cartel will undercut each other? you can boycott one, but they tend to move in lock step with each other. your alternative will have the same setup, provided you have any alternatives.
  • Winston84, on 10/10/2007, -0/+2256bit AES ? Do you know how many years it takes to bruteforce a strong key ,
    are you aware how much traffic there is ?
    and no, don't run everything over port 443 , that is one sure way to have the ISP's start port-throttling..
  • pintomp3, on 10/10/2007, -0/+2ha, your puny encryption is no match for the machines in the secret rooms at att.
  • AlexFerny, on 10/10/2007, -0/+2Because Vonage alraedy get enough money and should spend it on more fibre, instead of lining thier investors pockets
  • Mittop, on 10/10/2007, -0/+2Because, unfortunately, the pricing scheme desired would not result in your costs going down (I am assuming you don't transfer gigabytes of files), rather the costs of the average user would go up. Also, I most fear that packet shaping could be used in far more nefarious ways, like censorship. If I was a google, I would be really frightened, because now the "greenmail" can happen, where the ISP offers you "protection" so that nothing bad happens to your bandwidth. See where this is heading?
  • NetJoe, on 10/10/2007, -0/+2Your point of the high volume user is perfectly legitimate, the market offers both bandwidth limited and fairly open connections. You are welcome to order a less costly bandwidth capped line and save yourself some money in the process. Most of the market has chosen an 'all you can eat' system with predictable billing, and that will always have some imbalances. Peer to Peer in particular might not be the best example however as the protocols tend to keep much of the traffic 'local' and may not create as much load on the upstream choke points as their numbers imply.

    Paying Vonage for better quality. I assume your eluding to Vonage contracting with your bandwidth provider for preference in the network. This has a number of concerns.

    First, the bandwidth provider already has a contract with you, they should be working in your best interests as a customer, adding more parties to the mix can create a conflict of interest. In the best case, you now have a third party that will want compensation for their negotiation efforts, this is not an efficient scenario.

    Next what happens when the bandwidth provider also sells telephone service? Will they be willing to offer the same priority to a competitor? At a reasonable cost? Eventually you as a customer will have to pay this fee in order for the companies involved to remain viable.

    The third concern I have starts with people gaming the system forcing bandwidth providers to white list specific forms of traffic. Anything that doesn't fit the recognized pattern sees degraded performance. A variety of new protocols would not have survived that, VoIP and IP Video in particular come to mind.

    These new protocols and increased bandwidth do create new loads. I would much prefer my ISP to work for ME. Not for me, and maybe a little harder if Vonage pays them a bit, and a little harder if Google pays them a bit, unless of course Yahoo pays them better, etc, etc.
  • Fetching more discussions...
    Show 51 - 100 of 103 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...