NNSquad - Network Neutrality Squad
[ NNSquad ] Sandvine: "DPI is Necessary"
> http://www.p2pnet.net/story/21162 (See webpage for internal links. -- Seth)

"DPI is necessary" - Sandvine

DPI, Deep Privacy Invasion (or Deep Packet Inspection) is the tool used by disgraced "behavioural targeting" firm Phorm on behalf of giant UK provider BT, as well as other companies. British government approval of the technology has gotten it into a costly and politically disastrous lawsuit with the European Commission.

In Canada, its use inspired the federal privacy commissioner to launch an anti-DPI site which states clearly and unequivocally »»»

Deep packet inspection is just one seemingly neutral technological application that can have a significant impact on privacy rights and other basic civil liberties, especially as market forces, the enthusiasm of technologists and the influence of national security interests grow stronger.

DPI is employed by a company called Sandvine, based in Waterloo, Ontario, and which has now submitted a CRTC filing on Network Management (TPN2008-19 Review of Internet Traffic Management Practices of Internet Service Providers) in which it claims "DPI is necessary," says Sandvine Fluff in a dslreports comment post.

In it, "DPI is necessary for the identification of traffic today because the historically-used 'honour-based' port system of application classification no longer works," says Sandvine. "Essentially, some application developers have either intentionally or unintentionally designed their applications to obfuscate the identity of the application. Today, DPI technology represents the only effective way to accurately identify different types of applications."

Really?

"Policy management"

Whenever you see a corporate product with "fair" in the name, you can be 100% sure it'll be the exact opposite, p2pnet posted a little less than a year ago, going on »»»

Apple's FairPlay DRM is a shining example, and now ace Canadian digital restrictions management company Sandvine has come out with a product sure to make the likes of Bell Canada and Rogers glow.

Sandvine, which coined the notable phrase "policy management," is now touting Sandvine FairShare to, "enhance its suite of Traffic Optimization solutions".

For "Traffic Optimization" read bandwidth throttling, and Sandvine's new consumer control technology "empowers" ISPs, enabling, "fair usage in the shared access network" with "advanced techniques" to "ensure equitable allocation of network resources during periods of congestion," it says.

And it's "fully application-agnostic," meaning BitTorrent isn't the only P2P file sharing application it'll target.

We continued »»»

"FairShare automatically responds to the changing network environment and subscriber usage patterns in real-time," says Sandvine. To do that, it must be constantly spying on users and although DPI isn't mentioned, one wonders if it figures in Sandvine's FairShare.

DPI = Deep Packet Inspection which, says the Wikipedia, "enables advanced security functions as well as internet data mining, eavesdropping, censorship, etc".

CAIP (Canadian Association of Internet Providers) said in a submission to Canadian regulators, "Bell is using DPI to sequester or 'hijack' certain data packets as they pass through the network, and hold these packets hostage until certain pre-conditions are met ..."

And CIPPIC (Canadian Internet Policy and Public Interest Clinic) is asking the Canadian privacy commissioner to open an investigation because, it says, Bell has not only, "failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for," it's using Deep Packet Inspection to, "find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network".

Sandvine says, blandly, its FairShare, "collects subscriber usage metrics from various sources and analyzes the data according to sophisticated, configurable parameters". Then it, "dynamically modifies policies to balance available bandwidth and resources among subscribers". It actively throttles bandwidth, in other words.

According to Sandvine in its submission to the CRTC, "DPI is necessary for the identification of traffic today because the historically-used 'honour-based' port system of application classification no longer works. Essentially, some application developers have either intentionally or unintentionally designed their applications to obfuscate the identity of the application. Today, DPI technology represents the only effective way to accurately identify different types of applications."

Now, in the first of what's certain to be a long series of posts and arguments deconstructing Sandvine's claims of innocence, "Boy, this makes me glad I gave up the free beer and ended up working elsewhere," says shepd in dslreports (http://www.dslreports.com/profile/933870), going on »»»

Sandvine (6): Sandvine submits that the true "content" of an Internet transmission is represented as the body of your e-mail message; the music or movie you are downloading; the video you are streaming; the words in your VoIP call, etc. As explained in Sandvine's initial comments to the Notice, Sandvine's congestion management solutions, including those that employ DPI, do not inspect content as the content is not relevant to a congestion management solution. To be clear, they: Do not read your e-mail; Do not listen to your voice calls; Do not watch the video you are streaming, etc.

shepd: Point 6 is (or will be) a lie. The best DPI systems would implement caching for streaming video, I'm guessing Sandvine doesn't do this (yet).

Sandvine (16): Because typical congestion management solutions do not inspect the actual content of users' Internet traffic, they also cannot record, report on, or store such personal information. As explained in paragraph 62 of Sandvine's original comments, the most "personal" information that Sandvine's congestion management solutions record for an Internet account (i.e., not a particular individual, but the IP address attached to an Internet account, which may include access for many individuals) is aggregate volume usage data, by application or protocol. For example, a typical congestion management solution could report the number of bytes of a VoIP protocol sent and/or received by a given Internet account over a fixed period.

shepd: I know personally this is an absolute and complete utter lie. One of Sandvine's most popular solutions was to combine logging activities with their DPI hardware. You could buy several TB log servers just for this purpose. The idea was that when you call up support they could check your account on this log server and see if you have viruses or are running P2P so they could weed out people who just can't fix their PCs vs. people with bad connections.

Sandvine (17): As described above, Sandvine submits that the use of DPI-based congestion management solutions do not create a privacy concern in that they do not inspect content for the purposes of traffic classification, nor is any such information stored within such solutions. Despite this fact, certain respondents claim that somehow the mere presence of DPI-based technology itself raises privacy issues, and have called for an outright ban on any such technology. Imagine if this approach were applied to other technologies, such as those supporting cameras. Single Lens Reflex (SLR) technology underlies cameras that take photos at family birthday parties. The same technology has been applied for surveillance of individuals and public spaces. One use of the technology raises privacy issues, the other does not. Nobody questions the value or validity of the camera technology. So why question DPI technology? Privacy concerns properly attach to applications or uses of technologies, not to the technologies themselves.

shepd: 17 is just plain stupid. Encrypted communications are private by their very nature. If I walk into most museums and start taking pictures (especially with an SLR) I'll be escorted out by the police, because it's trespassing. I'll probably be served, too, if it's obvious I intended to be a douche about it.

Sandvine (18): Banning the use of DPI would have far-reaching and damaging consequences across the Internet, where the technology is used extensively. The wireless router in your home probably uses DPI to make sure that time-sensitive packets like VoIP or gaming are delivered quickly, while delaying less time-sensitive packets like e-mail. Firewalls, some built right into popular PC operating systems, use DPI to analyze packets for malicious intent like viruses, trojans, and Spam. Libraries, schools and government institutions rely on their firewalls to protect themselves and their users from attacks. Those firewalls use DPI technology. Load balancers and routers, indispensable hardware that distribute traffic on the Internet and private networks, use DPI to identify where a given packet or URL should be routed and what priority it should be given.

shepd: Yes, that's why we want DPI banned for PUBLIC usage, not PRIVATE. Duh.

Sandvine (19): DPI is also a key part of the innovation in allowing a migration from IPv4 to IPv6 allowing a network operator to convert from one to the other using a carrier-grade network-address-translation (NAT) and keeping protocols such as VoIP operational.

shepd: WTF??? How the hell can inspecting a packet help you take an IPv4 address and put it on an IPv6 network without modifying the contents of the packet? And I thought you just said in point 6 you don't inspect the content? How do you even know it's an IPv4 packet then?

Sandvine (20): As described above, Sandvine submits that typical congestion management practices (which the Company believes is the subject of the Notice) do not raise personal privacy issues. However, Sandvine recognizes that other Internet solutions that are in high demand from consumers, governments and society in general may raise personal privacy considerations. Examples, raised by certain respondents include lawful intercept, copyright enforcement, and targeted advertising.

shepd: See 19 - and, "22, 24, 26 - Contradict point 6, again," he says.

[22 -- To continue the earlier analogy, surveillance of individuals or public spaces could be achieved through a SLR-supported still frame camera or through video recorders supported by a variety of technologies. Similarly, solutions like lawful intercept, copyright enforcement and targeted advertising are achieved through a variety of technologies, not just - or even predominantly - DPI.

24 -- DPI technology can comprise a component of targeted advertising solutions, but it has been very rarely used this way. Instead, other technologies have dominated. Google is one of the leaders in targeted advertising, but to Sandvine's knowledge its targeted advertising solutions do not use DPI. According to Google's own Advertising and Privacy notice in connection with its enormously popular Gmail e-mail application, Google reads your mail to make decisions on targeted advertising: "The Gmail filtering system also scans for keywords in users' emails which are then used to match and serve ads. When a user opens an email message, computers scan the text and then instantaneously display relevant information that is matched to the text of the message."

26 -- Lawful intercept provides another example of how privacy-sensitive solutions can be enabled by a wide variety of technologies. In the United States under the Communications Assistance for Law Enforcement Act (CALEA), service providers are required to identify and intercept criminal data traffic under a lawful warrant provided by law enforcement agencies. DPI technology could be used in a solution designed to support the collection of that data, but so too could a home computer "tapped" into the communications of the individual that is the subject of the warrant.]

Sandvine (25): According to the Google Toolbar Privacy Notice, the Web History service available through the popular Google Toolbar, "records information about the web pages you visit and your activity on Google, including your search queries, the results you click on, and the date and time of your searches in order to improve your search experience and display your web activity. Over time, the service may also use additional information about your activity on Google or other information you provide us in order to deliver a more personalized experience." According to the same Privacy Notice, Google's PageRank service also sends Google "the addresses or other information about sites when you visit them." According to Google's Privacy FAQ, Google stores search engine logs data for each user for 18 months prior to anonymizing it. Again, to Sandvine's knowledge, none of these solutions use DPI.

shepd: So, because Google does it differently, that's how it's all done, right? I use a 1541 disk drive (Commodore), so *OBVIOUSLY* my PC can read the disks, you know, because *I* do it that way. Yup. Awesome argument.

Sandvine (27): In many cases, questions around privacy-sensitive Internet solutions will ultimately come down to the ability to secure sufficient user consent. To date, vendors of privacy-sensitive solutions like targeted advertising have struggled with providing reliable mechanisms for managing user consent. The mechanisms, whether designed as opt-in (where the user must proactively consent to being subject to the solution) or opt-out (where the user must proactively demand NOT to be subject to the solution) have typically been cookies-based. Cookies are "small pieces of text, stored by a user's web browser, that contain the user's settings, shopping cart contents, or other data used by websites."

29 - Fortunately, a better solution to the consent problem is available, through a network-level association between the subscriber's account and his permission settings related to the privacy-sensitive solutions. Regardless of the computer he uses to access his Internet account or the browser that he uses on those computers, the permissions follow the user. Only if the user intentionally changes his account-level privacy permissions could a previously opted-out user be opted-in. Such a solution can be implemented through the use of DPI technology.

shepd: 27 - 29 - Nothing at all to do with DPI.

Sandvine (30, 32): Service providers are just beginning to explore other uses of DPI that can make their service offerings more attractive to consumers in an increasingly competitive Internet access market. High-speed Internet services are largely offered in the form of flat rate, monthly, unlimited plans. Consumers may be interested in other types of service plans that better reflect the unique ways that they use their Internet connections. Such plans would likely necessitate the ability to differentiate between types of traffic and applications, which in turn would necessitate the use of DPI technology as well as other network intelligence tools.

32 - Other consumers may be interested in a service package that guarantees a high quality of service for certain frequently-used, latency-sensitive applications, like Internet video gaming or VoIP. A DPI-supported policy solution that can distinguish between different types of traffic and applications is necessary to enable this type of service package.

shepd: 30 - 32 - Direct assault on net neutrality. Pay more for real internet, pay less for fake internet. Why go through the effort with DPI? Just dump in a forced proxy server and you're gold if you just want to provide KIRF internet.

Sandvine (35): In response to point "a" (and as already described in paragraph 55 of Sandvine's initial comments) a policy that is targeted at disproportionate users of bandwidth can become more targeted by applying an application-specific policy as well. For example, by their nature, applications like VoIP, online video gaming and others do not contribute meaningfully to network congestion, but because they are time-sensitive applications, their usefulness to the consumer is greatly impacted by any delays in their delivery. Congestion management solutions allow service providers to create a narrowly-targeted policy that affects: only disproportionate users; only applications that contribute disproportionately to bandwidth consumption; and only applications that are not time-sensitive.

shepd: 35 - In my opinion, nothing is a bigger hog than work VPNs. So let's boot off these corporate hogs. Oh wait, this is all opinion based and therefore total BS, right?

Sandvine (36): Such a policy would minimally impact users' quality of experience, while achieving the congestion management goal. Sandvine is focused on maximizing the user's Internet experience.

shepd: 36 - "Maximizing" their experience the way they did with Comcast, yes? Yes, I sure do feel people had their experience with tech-support "maximized".

Sandvine (41): Further, many IETF standards implicitly require the use of DPI, such as RFC 3489, "Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", and RFC 2766, "Network Address Translation - Protocol Translation (NAT-PT)".

shepd: 41 - If my IP started with 192.168, 172.16-30, or 10. this is right. Guess what, that's not what any of this is about.

Sandvine (42): One of the DPI-supported congestion management policies that Sandvine has historically offered service providers is "session management" of P2P file-sharing traffic through the use of TCP Reset packets (RST packets) (see paragraph 53 of Sandvine's initial comments). Despite the claims of certain respondents, there are simply no IETF standards on when or how RST packets should be used. It is further claimed that the RST packets used in session management are in some way "forged" because an RST packet is supposed to mean that "the other end of the connection has failed." While original implementations of RST packets were for this purpose, as with much on the Internet, their use has evolved. For example, most webservers use RST packets today as a mechanism for tearing down TCP connections because it is much more efficient than a four-way connection teardown. In short, RST packets are broadly used today and for purposes other than communicating that "the other end of the communication has failed."

shepd: 42 - The US Government, of all people, has told you, Sandvine, that you *are* impersonating people on the internet by injecting RST packets. STFU already!

"Sandvine, you are embarrassing my hometown," says shepd, adding, "If you are going to write shit, at least make it coherent shit."

And guess who'll be taking notes avidly, if it isn't already in behind-closed-doors communication with Sandvine? Phorm, anyone?

Definitely stay tuned.

Jon Newton - p2pnet

(Thanks, Marc)
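The two technical claims that run through the exchange above are that port-based ("honour-based") classification no longer identifies applications, and that what a DPI-based congestion manager retains is only per-account byte totals by protocol (Sandvine's point 16). The following Python sketch is an added illustration, not code from the p2pnet article, from Sandvine or from shepd: it classifies the same constructed packets first by destination port and then by payload signature, then aggregates bytes per account and protocol the way point 16 describes. Every packet, signature, account name and port table entry below is a constructed sample for this example, not real captured traffic, and the signatures are deliberately simplified. It also shows that a TLS session on a non-standard port is still labelled "tls" by the handshake bytes alone, while its content stays opaque, which is the sense in which encrypted traffic is classifiable without being readable.

```python
"""Added example: port-based vs payload-signature traffic classification,
with per-account byte aggregation by protocol. All data is constructed."""

from collections import defaultdict
from typing import Callable, NamedTuple


class Packet(NamedTuple):
    account: str      # subscriber account (in practice the customer-facing IP)
    dst_port: int     # destination TCP port
    payload: bytes    # first bytes of the TCP payload
    length: int       # total bytes on the wire


# "Honour-based" port table: assumes applications use their well-known ports.
PORT_TABLE = {80: "http", 443: "https", 25: "smtp", 5060: "sip"}

# Simplified payload signatures (constructed for this example); order matters,
# the first match wins.
SIGNATURES: list[tuple[str, Callable[[bytes], bool]]] = [
    ("bittorrent", lambda p: p[:20] == b"\x13BitTorrent protocol"),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")
                       and b" HTTP/" in p),
    ("sip", lambda p: p.startswith((b"INVITE ", b"REGISTER "))),
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
]


def classify_by_port(pkt: Packet) -> str:
    """Classify only from the destination port, trusting the application."""
    return PORT_TABLE.get(pkt.dst_port, "unknown")


def classify_by_payload(pkt: Packet) -> str:
    """Classify from the first payload bytes (the DPI approach)."""
    for name, matches in SIGNATURES:
        if matches(pkt.payload):
            return name
    return "unknown"


def aggregate(packets, classifier: Callable[[Packet], str]) -> dict:
    """Return {account: {protocol: bytes}}, the kind of record point 16 describes."""
    totals: dict = defaultdict(lambda: defaultdict(int))
    for pkt in packets:
        totals[pkt.account][classifier(pkt)] += pkt.length
    return {acct: dict(per_proto) for acct, per_proto in totals.items()}


def disagreements(packets) -> list:
    """Packets where the port label and the payload label differ."""
    return [(pkt.account, pkt.dst_port, classify_by_port(pkt), classify_by_payload(pkt))
            for pkt in packets if classify_by_port(pkt) != classify_by_payload(pkt)]


# Constructed sample traffic (not a real capture).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20
SAMPLE = [
    Packet("acct-1", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", 120),
    Packet("acct-1", 80, BT_HANDSHAKE, 1500),                 # BitTorrent hiding on port 80
    Packet("acct-2", 443, b"\x16\x03\x01\x00\xa5\x01" + b"\x00" * 32, 200),
    Packet("acct-2", 6881, BT_HANDSHAKE, 1500),               # BitTorrent on its usual port
    Packet("acct-3", 5060, b"INVITE sip:bob@example.org SIP/2.0\r\n", 300),
    Packet("acct-3", 8443, b"\x16\x03\x03\x00\x40" + b"\x00" * 64, 1400),  # TLS, odd port
]

if __name__ == "__main__":
    print("by port:   ", aggregate(SAMPLE, classify_by_port))
    print("by payload:", aggregate(SAMPLE, classify_by_payload))
    for row in disagreements(SAMPLE):
        print("disagree:", row)
```

Running it shows acct-1's BitTorrent handshake counted as 1500 bytes of "http" by the port classifier and as "bittorrent" by the payload classifier, and acct-3's TLS session on port 8443 labelled "unknown" by port but "tls" by payload. Note what the payload classifier does and does not learn: it reads enough of the first bytes to name the protocol, and nothing in the aggregate record ties a byte count to an individual rather than an account, which is exactly why the debate above centres on what else a deployment chooses to log alongside these totals.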