Susan Crawford blog

This Month

Month Archive

October 2007
September 2007
August 2007
July 2007
June 2007

Year Archive

2007
2006
2005
2004
2003

Search Google

Previous:	Somewhat fewer words per page
Next:	Chairman Martin and the white spaces

DPI

by Susan on Tue 07 Aug 2007 07:10 PM EDT | Permanent Link

I'm at a hotel that won't let me send SMTP mail - in Mountain View! - and so I thought today would be a good day to talk about Deep Packet Inspection. Nate Anderson of Ars Technica wrote a fine article about this recently.

In talking about tricky "when the law hits the network" questions, we often assume that non-cableco ISPs can't know all that much about what their subscribers are doing online. It would take so much computational effort to look at packets zipping by that the user experience would grind to a halt - people would take their business elsewhere.

It turns out that's just not true. Anderson's piece points out that there are vendors selling products that are designed to dig into a packet's payload and make educated guesses about what the packet is part of. And more than that - they can reconstitute webmail messages and chat sessions.

[S]ome of [these DPI products] can inspect and shape every single packet -- in real time -- for nearly a million simultaneous connections while handling 10-gigabit Ethernet speeds and above.

Patient visitors to this blog will remember that I've spent a lot of their time talking about CALEA. Well, these same vendors make CALEA compliance easy for ISPs, because they can just isolate all the traffic coming from a particular subscriber and forward it on (in response to adequate legal process, you hope) to law enforcement.

The vendors' argument on "traffic shaping" is that it's only fair - why should some bandwidth hogs get away with whatever they want to, when capacity is constrained? A response could be: why don't you provision more bandwidth, and then charge people for using more capacity?

The key point, the money quote, is here:

Where you come down on these questions may vary depending on where Deep Packet Inspection gear is deployed; many people have less problems with its use by last-mile ISPs who interact directly with consumers. Throttling P2P traffic to keep the network open for other uses might be fine, but the concern is magnified when such gear is rolled out by the backbone operators, like AT&T and Verizon...

Think about that for a second. We assume for purposes of the whole Net Neutrality debate in this country that competition is absent in the "last mile." What if there's no competition for backbone transport? What if the backbone providers think they can get away with private traffic shaping too? We'll have no way of knowing, and they'll be able (apparently) to watch the payload of every packet.

Posted to:

Main Page

Comments

Post a comment

port blocking

by nedu on Wed 08 Aug 2007 03:49 PM EDT | Profile | Permanent Link

Can you ssh out? Or is port 22 blocked, too?

Also, if you have tcptraceroute available on your laptop, can you reach, say, port 1022 on one of your static boxen outside the hotel?

Listen, Susan, if they've got you locked up in there, just holler for help. I'm sure lots of people would be willing to you help tunnel out of that prison.

Re: DPI

by Jim Fleming on Wed 08 Aug 2007 08:20 PM EDT | Profile | Permanent Link

1. As a so-called "ICANN Director" (and Esther Dyson plant), it is shocking that you have apparently not spent much time considering the evolution that is happening NOW. The migration is to an FCC-regulated back-bone and an enhanced edge community.
2. That migration is partly to allow North America to route around many of the unsavory actors that ICANN showcases as "Internet Pioneers".
3.Millions of people have been quietly moved off of the ICANN cabal infrastructure.
They no longer rely on that clique's DNS or routing, or even the address blocks.
They do get a high-speed back-bone they really really like.
4. It gets very ugly from here, as those protected millions continue to get
better and better service and....routing is cut-off to the ICANN cabal.

The FCC, the telcos and the cablecos are now in the dominant role. Millions
of protected users prefer it that way. They elected the FCC and they vote
with their dollars with the carriers. Did they vote you into ICANN ? No!!!

The FCC-bashing and telco-bashing that YOU have done helps to fuel
the good people in the .USA to work hard to route around your cabal.

It is unfortunate that much of the world has no bandwidth to participate in
the Next Generation Network. The laws of physics prevent them from
being able to participate. Not even the ICANN cabal has the arrogance
to claim to be able to change the laws of physics. Instead, they are telling
people to move OFF of the FCC broadband back-bone to their IPv6
text-chat IM services. Broadband NA users could not care less where
the ICANN cabal moves. They want their .TV and their .MP3 and .USA
and the FCC is delivering and will continue to deliver.

Again, it gets very ugly from here. Massive de-routing, based on lack of
USA bandwidth performance on the back-bone, will free up address space
for the FCC to re-distribute. Spectrum is spectrum. The FCC spectrum
auction of the old IPv4 address blocks will be intereting to watch. Just
think, you will have something else to bash as unfair, while being a so-called
Director of the most unfair cabal ever seen by mankind, ICANN.

Re: DPI

by Rob Frieden on Tue 14 Aug 2007 04:25 PM EDT | Profile | Permanent Link

Hello All:
I certainly do NOT consider Professor Crawford a lackey for ICANN or anyone. She calls them as she sees them without corporate sponsorship.
I too see the problem in deep packet inspection. See http://www.personal.psu.edu/faculty/r/m/rmf5/Net%20Neutrality%20and%20IPR.htm. DPI provides the means for ISPs to enforce DRM without any opportunity for end users to claim fiar use. The packets can be preempted and blocked not at the receiver's PC, but at the ISP's router. The router decides whether I can receive specific bitstreams.

Re: DPI

by Rob Frieden on Tue 14 Aug 2007 04:26 PM EDT | Profile | Permanent Link

Hello All:
I certainly do NOT consider Professor Crawford a lackey for ICANN or anyone. She calls them as she sees them without corporate sponsorship.
I too see the problem in deep packet inspection. See http://www.personal.psu.edu/faculty/r/m/rmf5/Net%20Neutrality%20and%20IPR.htm. DPI provides the means for ISPs to enforce DRM without any opportunity for end users to claim fair use. The packets can be preempted and blocked not at the receiver's PC, but at the ISP's router. The router decides whether I can receive specific bitstreams.

Re: DPI

by JustF on Mon 24 Mar 2008 04:44 AM EDT | Profile | Permanent Link

generic zoloft * buy propecia online