Sandvine CEO Says Internet Monitoring a Necessity

Khalid Baheyeldin writes in with a CBC interview with the CEO of Sandvine, Dave Caputo (bio here). Sandvine is the Waterloo, Ontario-based company that provides the technology that Comcast and other ISPs use to overrule Net neutrality by, for example, injecting RST packets to disrupt Bittorrent traffic. Caputo says, among other things, that Internet monitoring is a necessity. Some of the comments to the interview are more tech-savvy than the interviewee comes across.

Of course it's needed

[compro01]

And we can sell you just the product you need for that.

Beating Sandvine

[Misanthrope]

http://redhatcat.blogspot.com/2007/09/beating-sandvine-with-linux-iptables.html [blogspot.com]
If you are running linux or a linux based router with iptables give this a try. My speeds returned to pre-sandvine levels.

"If you are using a Red Hat Linux derivative, such as Fedora Core or CentOS, then you will want to edit /etc/sysconfig/iptables. First, make a backup of this file. Next, open this file in your favorite text editor. Replace the current contents with this, substituting 6883 with your BitTorrent port number:

*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
#Comcast BitTorrent seeding block workaround
-A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#BitTorrent
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6883 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 6883 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reload your iptables firewall with service iptables restart. You should now see a great improvement in your seeding.

If you are using Ubuntu or another non-Red Hat Linux derivative, then place the following in a file and execute that file as root.

#!/bin/sh
#Replace 6883 with you BT port
BT_PORT=6883

#Flush the filters
iptables -F

#Apply new filters
iptables -A INPUT -i lo -j ACCEPT
#Comcast BitTorrent seeding block workaround
iptables -A INPUT -p tcp --dport $BT_PORT --tcp-flags RST RST -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#BitTorrent
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport $BT_PORT -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport $BT_PORT -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Your firewall is now configured and you should have great upload speed now. You will have to run this script every boot, by the way. One easy way is to call the script at the end of /etc/rc.local."

What has overselling to do with monitoring?

[kandresen]

As stated in the article is that the ISP's are selling you 1 megabyte while really buying you 1/4th of a Megabyte... Network monitoring is in other words necessary to ensure you in other words only use 1/4th of a Megabyte for every Megabyte you buy. It's right there in his argument!

ISPs should never send an RST

[Animats]

ISPs should never muck with a TCP stream. They're entitled to send ICMP messages. ICMP Destination Unreachable has codes for things like "(13) Communications Administratively Prohibited" and "(10) Destination host administratively prohibited". Then at least the user knows 1) that somebody along the route didn't like the packet, and 2) who to blame. There's a right way to do this, and sending an RST isn't it.

Client software may not pass all the ICMP info up to the user, but that could be fixed easily enough.

Re:Maybe I'm being selfish

[hardburn]

Where is it written that it is all-you-can-eat?

All over ISPs' advertisements. Unless they've redefined the word "unlimited".

An Internet which is not neutral is less useful than an Internet that is. If web browsing is sped up at the expense of streaming video, that's going to hurt some people more than others. If streaming video is sped up at the expense of games, a whole other group is affected. Since people come up with new ways of using the Internet all the time, and we can't predict new uses, the best strategy is to give all packets equal measure.

Rather than throwing out Net Neutrality, it'd be more productive for ISPs to find business models that don't involve overcommitment, or at least make it less painful. Like some of the recent attempts to make P2P software favor nodes within the same ISP.

Re:Honestly, I'm SHOCKED!

[99BottlesOfBeerInMyF]

I am shocked because Sandvine is a frequent supporter of Open Source Operating Systems and has contributed to BSD Conferences. I would have thought that they would support the openness of the internet too. Apparently, their monetary sponsorship of open source conferences are just a PR Stunt.

Sandvine is one of many telecomm gear companies that strongly support OSS. I used to work at a similar company with at least one ex-Sandvine co-worker. Basically, they build "devices" which they sell to ISPs and other big network operators. They build those devices with custom or off the shelf hardware combined with on OSS operating system, toolchain, and applications, plus a few closed source applications that contain their core competency and money proposition. This is often referred to as the "secret sauce" code.

These companies do support OSS and build their entire business model around it (in combination with some closed source). They aren't OSS zealots, but most of the employees are strong supporters of OSS and the companies are very good about contributing code back. A lot of the code in Linux and the BSDs is contributed by these companies. They support OSS conferences and the like, because they want to promote OSS, because it is a good way to recruit new talent, and because the improvements that come out of those conferences are often beneficial to their bottom line. A lot of people think OSS is created by hobbyists, but really Sandvine is a good example of who really makes up the OSS community and contributes code. It is mostly businesses who use it to make money in conjunction with hardware, services, or additional closed source software.

Re:Gotta love those statements.

[Free+the+Cowards]

Everybody in my neighborhood picked up the phone at the same time and half of them couldn't get through!

Overselling is not a bad thing. It can just mean that you sell based on statistical maximums rather than theoretical maximums which never happen. When done this way, there's absolutely nothing wrong with it.

When 90% of your customers are offline at any given time, there's no point in provisioning more than one tenth of the bandwidth you would need to support all of them downloading at the maximum rate simultaneously.

The problem is not overselling. The problem is that some ISPs oversell too much. They aren't willing increase capacity to match actual use, but instead try to reduce usage to match actual capacity. This is wrong. But the simple fact of overselling is the only sane way to do business.