Slashdot Mirror

← Back to Stories (view on slashdot.org)

Deep Packet Inspection and Net Neutrality

Posted by kdawson on from the freedom-vs.-the-exaflood dept.

EncryptKeeper writes "Ars Technica has an in-depth feature on deep packet inspection, and it's a disturbing read. ISPs are starting to turn to DPI to monitor their networks, and, more troubling, to look at how they can use it to shape, block, monitor, and prioritize traffic. 'The "deep" in deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.'"

20 of 334 comments (clear)

  1. Encryption by s31523 · · Score: 5, Interesting

    then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user
    Hmm, I need some help with this one, since my networking kungfu sucks... When I login to Gmail, I am in a https mode, and this persists through my whole session. I was under the impression, perhaps naively, that this meant my session to Gmail was encrypted and that only I and the Gmail server could decipher the contents of my mail, that is until I click send, and it goes from the Gmail server to wherever I send to. So if this is true, how would someone be able to reassemble my email as I type?
    1. Re:Encryption by nahdude812 · · Score: 4, Informative

      Only Gmail's login process is https, once you get to the mail page it's standard http. However you can change the URL to https and it seems to stick.

      If you use their pop/smtp access, that access is fully encrypted.

      --
      Slay a dragon... over lunch!
    2. Re:Encryption by the+eric+conspiracy · · Score: 5, Insightful

      A. it isn't going to work on an HTTPS session.
      B. it doesn't make sense to reassemble an email because eventually the whole email will be submitted.
      C. Deep packet inspection is very expensive because it requires heinously fast hardware to inspect a 10 Gb/s data stream, and you need a lot of these at the network edges. The core networks are too fast to inspect.
      D. AFAIK DPI isn't deployed anywhere. Only a couple of manufacturers have 10 Gb/s gear and they are trying to sell it now, which is what ARS picked up on.
      E. There isn't a business case for it that I can find.
      F. A lot of the applications Ars describes don't require deep packet inspection, only header inspection.
      G. Many of these things run inline, which means there is a decrease in reliability due to insertion of the device. That means redundancy etc which drives costs up even more.

      Ultimately I don't think there is any likelihood that carriers who are already facing capital expense and return on investment problems plus increasing demands for plant expansion due to video are going to buy this story. The current wisdom is that fast-dumb is what is scalable.

    3. Re:Encryption by TubeSteak · · Score: 5, Informative

      E. There isn't a business case for it that I can find. FTFA: Imagine a device that allows one user access only to e-mail and the Web while allowing a higher-paying user to use VoIP and BitTorrent.

      They no longer have to differentiate their product offerings based only on speed.
      It's called market segmentation
      You see the business case yet?
      --
      [Fuck Beta]
      o0t!
    4. Re:Encryption by PopeRatzo · · Score: 5, Insightful

      Deep packet inspection is very expensive because it requires heinously fast hardware to inspect a 10 Gb/s data stream
      You don't think AT&T would already have this "heinously fast hardware" in place? I'd guess that if anybody does, they do.

      The window of opportunity for the Internet to be saved as something resembling the free and open place it's been for the past few decades is closing rapidly. If we don't get some Net Neutrality laws in place soon, it's going to be too late. Once the current model of the Internet is gone and we have what AT&T would like us to have, I'm betting that just about all of us here at Slashdot are going to be very, very sad.

      I fully expect that in about 5 years, the same people who are here today talking about how we should let the "free market" control the Internet will be whining about how much they miss the days when an individual could actually put up a web site that could compete with the "big boys" for the eyes of the World.

      If there hadn't been a de facto "net neutrality" in place back in '97, there would be no Slashdot today. Nor would there be a You Tube or Craig's List or Wikipedia or just about any of our beloved sites.

      If you want to know about what the Internet is going to be like if it's not protected with strong Net Neutrality laws, just picture AOL. Picture the entire Internet being AOL.

      Have a nice day.

      --
      You are welcome on my lawn.
    5. Re:Encryption by CajunArson · · Score: 5, Informative

      Gmail by default only uses https for your login, not actually reading/sending mail. To get a full session via https you need to login to this URL: https://mail.google.com/ Note: https://gmail.com/ will NOT encrypt the session further than the login screen (see for yourself, look for the https connection).

          Having said all of that: Email is not an encrypted protocol by default! The method above is a good method for preventing sniffing on the last hop between you and Gmail (which is why I use it when I'm on an unsecured wifi connection to prevent easy eavesdropping). However, once the mail server sends the message on the open network... it is 100% cleartext. If you want real encryption, get PGP, this advice was true long before Slashdot got its panties in a bind over ISP's 'snooping' on your traffic.

          Oh and one more thing: I love the Slashdot doublethink: Having a large evil corporation (the ISP) possibly being able to sniff traffic to read some of my emails is a terrible invasion of my privacy!! Simultaneously: Having a large non-evil (because they said so) corporation (Google) actually store all my emails (much easier to get at them then trying to wire-sniff) and index them and use them to generate ads: SUPER!

      --
      AntiFA: An abbreviation for Anti First Amendment.
    6. Re:Encryption by jd · · Score: 5, Interesting
      Most packet inspectors (such as Network Observer) are packet class only. Converged Access does a more sophisticated packet inspector, but even that only drills down to the specific subtype of packet for a given application, and of course only those applications they have the specifications for, or reverse-engineered. I know of no full-payload inspectors and doubt they even exist. Remember that packets cannot be guaranteed to travel on identical paths - the Internet is not a spanning tree - and that packets can fragment when there is an MTU change. Anyone sending a jumbo packet is guaranteed to see packet fragmentation, for example.

      A full reassembly by sniffing would also need to drop retransmitted packets and support all common encapsulation techniques. You're also talking about a LOT of storage and absolutely no way to sensibly organize the volume of data collected. That's the problem with data saturation - there are no database or data processing techniques capable of handling it. I was talking to one of the top Ingres software/network gurus at OSCON yesterday - apparently even just the total information awareness project is staggering under the sheer weight of information that no system yet designed can handle. If the data is unsearchable, unsortable and unprocessable, then to all practical intents and purposes, it doesn't exist.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. To Avoid Gmail Reassembly... by Buran · · Score: 4, Informative

    If you use Firefox and Gmail's web UI, use this extension to make sure your Gmail session is encrypted:

    CustomizeGoogle: Improve Your Google Experience -- Firefox Extension ... and check the box labeled "Secure (switch to https)" in the Gmail section.

    If you are using POP3 access to Gmail, you are already using SSL.

    If I understand packet sniffing correctly (I'm no programmer), that just shows the source and destination but the contents are encrypted. Please let me know if I'm incorrect.

    --
    i am a soviet space shuttle
    1. Re:To Avoid Gmail Reassembly... by interiot · · Score: 4, Informative

      It doesn't matter if ISPs record the entire conversation. The initial key exchange is done under asymmetric encryption, so it's not possible for an outside sniffer to get the symmetric key (without brute-forcing or otherwise taking a long long time to break the asymmetric keys).

  3. Ubiquitous Encryption by Anonymous Coward · · Score: 5, Interesting

    It really is time to start encrypting everything from everywhere/to everywhere.

    The NSA wiretapping with the collusion of the US telecom industry is just the start.

    This technology is going to be seen as a data mining opportunity. Want to bet that some of the big data aggregators are going to start installing this technology - or paying ISPs or backbone providers for the privelege.

  4. I wouldn't do it by HomelessInLaJolla · · Score: 4, Informative

    It's a snowballing system. The new tech companies want to come up with new technology. The government wants to make use of new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) technology. The government wants to make use of the new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) and new (-2) technology. Repeat.

    I, as a private system admin, would simplify the entire problem and choose not to engage in packet inspection unless there were absolutely blatant abuses--like setting a threshold. There are ethical reasons why I wouldn't feel that it's proper to go delving through each and every packet. Once government becomes involved, though, then there's no way to turn it off. In order to receive the money for an ISP start-up, for example, one must demonstrate that they can play within the ever shrinking boundaries defined by the laws.

    The article (and summary) mentions reassembling e-mails as their being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?

    I guess the argument can be made for automatically modifying forms. Pfizer uses this for their online resume submission. For example, the available options in the various locations (country, state, county, city, zip, etc.) are pared down as soon as one makes a selection in the heirarchical predecessor. While I appreciate the "wow! neat!" factor I just don't see how it's really necessary and, although I don't see that Pfizer would be using it for some uber-nefarious conspiracy scheme, I can liken it to the desensitization similar to "Click OK if you wish to allow this action" and EULAs.

    --
    the NPG electrode was replaced with carbon blac
  5. Federal Mail Laws? by apt142 · · Score: 4, Insightful

    I've become more and more convinced that information sent over the internet should afford the same protections that federal mail does. Net neutrality is a step in that direction. But, it's just a step.

    ISP's currently have no limits that keep them from violating the privacy of their subscribers. Well, nothing short of market forces. Which in this case is laughable. Since packets can travel through a number of networks before ending up at their destinations, there is no guarantee it won't travel through an ISP the consumer doesn't support financially.

    --
    Star Pirates
  6. common carrier == net neutral by markhahn · · Score: 5, Insightful

    If an isp wants to do this, I think they should simply loose any common-carrier status. that is, deep inspection means that they become responsible for content: accomplices in any crime committed via that traffic.

  7. Re:Then they should lose common carrier status by Control+Group · · Score: 4, Informative

    ISPs don't have common carrier status. They're "information services." They've historically fought getting common carrier status, because they believe it would subject them to a different set of rules; the ones pertaining to telecommunications common carriers (as distinct from seaway common carriers, railway common carriers, etc).

    This is a questionable belief, since there isn't necessarily any equality between "common carrier" and "telecom provider," but it's the reasoning, anyway.

    Basically, AT&T (the phone company) is a common carrier. AT&T (the ISP) is not.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  8. Re:In other words by josquint · · Score: 4, Interesting

    I wonder about this somewhat.

    I work for a telephone coop in their internet dept. We've been drilled about the evils of Vonage/Skype, etc cutting in to our MUCH more lucrative-than-internet-or-tv-depts for a while now.

    But, as all of our customers have access to our's and other's(namely cable) broadband. I don't know that filtering out VoIP would be a good move. We've had a few customers whine that their VOiP isnt reliable(duh) on our service. (mine seems to work just fine) So the first thing they do is go to the cable company for service(not that this makes any difference in their reliability)

    So with the cable and other non-dialtone companies, filtering VoIP causes phoe co's to loose not only an internet customer but a landline costomer as well. As we require a landline for our broadband, we stil get the best of both worlds while still providing VoIP access.

  9. Chinese (Invisible) Export by ObsessiveMathsFreak · · Score: 4, Insightful

    Deep packet inspection technology was developed by the likes of Cisco for the sole purpose of obtaining access to the Chinese market. The Communist Party wanted the power of the internet, but they also wanted the power to control it. With deep packet inspection and a suite of other related solutions, I think it's reasonable to say they got their wish. There are millions of Chinese internet users and the country is father from a revolution now that it was in 1989.

    It's not just China. Countries like Saudi Arabia and Iran are also taking advantage of this new technology, every byte of it developed by corporations right here in the "free" west.

    And now? The technology is simply being marketed here to. Exported back into the west if you will. ISP, companies, governments are all being given the power to put the internet genie back in the bottle. Time was that corporations were developing technology to help make democracy stronger. Now they're simply giving democracy the rope it needs to throughly hang itself.

    I'd like to be optimistic about our society, but frankly it's too tiring in this day and age of fear and surveillance. The worst part is the overwhelming acceptance, nay approval, of our loss of freedoms. The Net Neutrality debate is not an isolated argument. It's a symptom of the underlying shift in Western society, back into a dark age.

    --
    May the Maths Be with you!
  10. Re:Encryption not the magic bullet by jeko · · Score: 5, Insightful

    Yeah, I thought that too, until I realized that meant all commercial activity (ebay, bill pay, amazon) gets shunted to scavenger class. Somehow, I don't think "the money" is going to go along with this....

    --
    He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
  11. Gmail by Kadin2048 · · Score: 4, Informative

    Best way to do it is just to create a bookmark to https://mail.google.com/mail/ and then ALWAYS use that link to get your mail (don't click on any of Google's Gmail links from your homepage, etc.).

    If you use POP access, you can enable SSL both for incoming and outgoing mail, I believe.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Gmail by hotdiggitydawg · · Score: 4, Informative

      There should be a firefox plug-in that will automatically redirect you to the https url whenever you try to go through the http url. There is - it's called Greasemonkey with the GMailSecure script.
  12. Having developed one of these boxes by Anonymous Coward · · Score: 5, Interesting

    I worked on developing one of these boxes. Not Naurus, but a competitor (who's name starts with "P"). You are absolutely spot on. But you, and many here, are really not understanding the scale or the scope intended, or what is possible. This stuff is kept well out of the mainstream press, for good reason.

    First, it's not just ISP's and the NSA, but also Universities. U.C. Berkeley is the biggest fanboi of this stuff. Any new tech, they want. And their IT department has been all over this. Nor are they aren't the only University.

    And yes, the RIAA is promoting this stuff too. Very eagerly. And every other control freak out there.

    The next obvious step is to network these boxes across the global, to keep track of traffic in realtime. Yes, that's a jump up. But it's doable. And it will happen. That is, people will be able to keep track of what you're doing on the internet in real time.

    Also, what people aren't thinking about is the abilitiy to preserve this information. Vast storage is cheap, and getting cheaper. People are targeting saving two-years of realtime data. That's pushing things, but this is what people want. And they want to be able to preserve it longer. There's a huge amount of potential datamining there. Especially when they are able to preserve Internet traffic for longer and longer periods.

    In short, the goal is to not only be able to track your every Internet connection, and what you did, but to preserve it for years. Some folks want cradle-to-grave. While they won't get it for a while, that's the direction this stuff is headed.

    The bottom line is that encryption is one key defense. Necessary but not sufficient. Just be grateful that the PGP battle was won back in the 90's. If the battle for publically available strong cryptography had been lost then, you wouldn't be having this option. Connections are the other item. The support for obscuring this is lagging, and some cases broken. But it's still critical.

    Finally, everyone should be aware that all of these boxes are hackable. If you know why Ethereal/Wireshark was kicked out of OpenBSD, you understand what's going on. The development environments common in this industry are also prevalent here. Harried developers don't care about buffer overflows. That's a total afterthought with minimal risk in the commercial space.

    Or, to put it simply, you should in theory be able to not only detect when your traffic is being sniffed, but also be able hijack the sniffing as well.

    So in summary, yes, encryption is useful. But it's not sufficient. And there's a heck of a lot more going on in this field than people are aware of, or even thinking about.