NNSquad - Network Neutrality Squad
[ NNSquad ] Re: DPI and privacy (was: Re: Odlyzko: "The delusions of net neutrality")
- To: nnsquad@nnsquad.org
- Subject: [ NNSquad ] Re: DPI and privacy (was: Re: Odlyzko: "The delusions of net neutrality")
- From: Kriss Andsten <kriss@proceranetworks.com>
- Date: Tue, 19 Aug 2008 05:18:27 +0200
On 19 aug 2008, at 03.14, Waclawsky John-A52165 wrote:

> I'd like to ask Kriss, how he intends to protect my privacy with his
> "fuzzy 'DPI'" activities...

I'd like to reiterate that this is my personal opinion and does not
reflect my employer in any way. This will be true for any and every
mail I send to this list, just so that we're clear on this. If you
want something official, catch a press release.
That said, you were asking about privacy. Allow me to first de-fuzz a
bit and then respond..
There's DPI and DPI (you'll find a short blurb about the many faces of
DPI at http://www.shortpacket.org/2008/08/dpi-whats-in-name.html and/or
http://en.wikipedia.org/wiki/Deep_packet_inspection ) - I won't try
to cover or defend NebuAd or Phorm here, nor Qosmos boxes or
Cloudshield ditto - I'd rather concentrate on DPI as a part of a
traffic management (management, shaping, throttling or whatever term
you prefer) stack. This means units from the likes of Procera,
Sandvine, Ellacoya and a large number of other players with smaller
boxes.
Your privacy is for one chap to protect - yourself. You pick an ISP
with a sane privacy policy and AUP and the ISP in turn protects it by
various contractual agreements with its employees, contractors,
suppliers and whatnot. If the ISP obtains traffic management units,
you'd have to trust them to do the right thing with them (i.e. follow
their own policy), much in the same way you'd have to trust them not
to copy all your communications down to disk. Can you pick out
communications for a specific user with a traffic management unit?
Yes. Would it be perfectly possible to do the same thing using a
vanilla Linux host in a tap? Yes. Does it boil down to you having to
decide whether or not to trust the provider in the first place? Yes.
(I've seen some less than stellar choices of what to throttle and how
much, but that's not really a *privacy* concern, imo)
As for myself, I certainly wouldn't mind using Phorm-style zero cost
ad-supported WiFi in airports if it meant that I didn't have to bother
reaching for my credit card - as long as they're upfront with what
the deal is (in fact, I'd *prefer* that over submitting my CC details.
Getting new cards and numbers every few months due to hacked card
processors or retailers sucks big time). YMMV, of course, but that's
the beauty of choice.

> And what kind of security exposures are likely.

Not entirely sure that I understand the question, but I'll give a shot
at an answer: The traffic management units I'm familiar with all run
their admin interfaces out of band, i.e. hooked up to the ISP's
administrative network. You'd have about the same attack vectors and
risks as you have associated with larger routers that see lots of
traffic (hacked administrative networks, rogue administrators, etc),
no more, no less. If that's a 'likely' exposure or not is in the eye
of the beholder.
Kriss