Net Neutrality: A primer
Network Neutrality
• The promise of the Internet
• Means networks should be dumb
• Because for once, dumb is good:
• Dumb networks are necessary for open and free communication
• Key to innovation
• The promise of the Internet
Who wouldn’t want this?
• Telecom providers feel left out of the Internet economy :-(
• Dear Google: We’re the reason you’re successful. Shouldn’t you pay us for all the traffic we bring you?
• Internet Service Providers want to ration bandwidth by application
• Create tiered access
• “Value-add” for the consumer
• BitTorrent and MMORPGs? $$$
How?
• Traffic shaping
• Deep Packet Inspection
• Telecom provider buys a special box
• The special box peeks into your Internet connections
• Tries to identify applications and services using known patterns
• Even encrypted protocols have identifiable patterns...
JUNE 2009, TEHRAN #iranelection
Censorship in Iran
• Between 5 and 10 million websites, according to government statements
• Dissident and reformist political content
• Secular viewpoints
• Bahá’í faith, Kurdish movements
• “Sins”: pornography, drugs, alcohol, gambling
• Foreign media sites
• Tools for circumventing filters
• 9% of all Farsi blogs
• MySpace, Orkut, Flickr, Bebo, Metacafe, Photobucket, del.icio.us
Iran Facts
• 23 million Internet users in Iran (28 million in Canada)
• 35% of the Iranian population
• 60,000 active Farsi blogs
• 1/3 of the Iranian population is between 15 and 29 years old
Circumventing Censorship
• SSL-encrypted proxy servers
• Freegate
• Tor
• OpenVPN tunnels
• SSH tunnels
Iran blocking ports?
• We needed to know if it was true that connections originating inside Iran were being blocked by port
• We had no friends in Iran to help us test this
• Then we had an idea...
Testing Connectivity from Within Iran
• Follow these steps:
• Step 1: Google for a publicly accessible FTP server in Iran
• Step 2: Connect with an FTP client and initiate an active-mode data connection back to the client on the port under test
• Step 3: Wait to see whether the data connection completes or not
• Implemented in a program that does this automatically
• Link at the end of the presentation
Results
• So how many ports were being blocked? None!
However...
• There were credible reports from Iran of connectivity problems
• A pattern emerged
• Affected connections are slow, very slow
• The port does not matter
• The destination does not matter
• What matters is the protocol you’re using to communicate
An experiment
• We wanted to verify a theory that deep packet inspection technology was behind the censorship
• The SSH protocol was chosen
• Modifications were made to OpenSSH to fully encrypt the initial handshake
• To avoid detection by deep packet inspection technology
Result
• Significant performance differences observed between normal SSH and the modified SSH
• This strongly suggested that some sort of deep packet inspection technology was being used
• Later, sources in Iran credibly claimed that Western technology was being used to implement state censorship policy
• Packet shaping, deep packet inspection technology
• Specific products cited
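Both the "How?" slide (DPI matches known patterns, even in encrypted protocols) and the SSH experiment above come down to one mechanism: a shaping box classifies a flow from the first bytes the client sends, and encrypted protocols are still recognisable because their handshakes start with fixed cleartext. The signature classifier below is an added example written for this page; it is not the talk's code nor any vendor's product. The signatures, the sample first-packets and the random-looking "obfuscated" packet are constructed here; the last one stands in for a handshake with no visible banner, which is exactly the kind of flow that falls through to "unknown".

```python
"""Toy first-packet protocol classifier of the kind a DPI box runs (added example)."""
import re
import struct

# Patterns matched against the first bytes the client sends on a flow.
SIGNATURES = (
    # RFC 4253 identification string: "SSH-2.0-<software>" in cleartext, before any encryption
    ("ssh", re.compile(rb"^SSH-(?:1\.99|2\.0)-[\x21-\x7e]+")),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # BitTorrent peer-wire handshake: length byte 19 then the protocol name
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
)


def is_tls_client_hello(data):
    """TLS record header: type 0x16 (handshake), major version 3, length; then handshake type 0x01."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        return False
    record_len = struct.unpack("!H", data[3:5])[0]
    return record_len >= 4 and data[5] == 0x01


def classify(first_bytes):
    """Return the label a signature-based classifier would assign to the flow."""
    for label, pattern in SIGNATURES:
        if pattern.match(first_bytes):
            return label
    if is_tls_client_hello(first_bytes):
        return "tls"
    return "unknown"


# Constructed sample first-packets. The TLS one is only a record header plus the
# ClientHello type byte; the "obfuscated" one is fixed random-looking bytes with no
# cleartext banner at all.
SAMPLE_FLOWS = {
    "ssh": b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "bittorrent": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20),
    "tls": bytes.fromhex("16030100050100000100"),
    "obfuscated": bytes.fromhex("9f3c7a12e5b8d04c61f7aa0e3b9d5c2e4471c8d2"),
}


def classify_flows(flows=SAMPLE_FLOWS):
    """Classify every sample flow; returns {flow name: assigned label}."""
    return {name: classify(payload) for name, payload in flows.items()}


if __name__ == "__main__":
    for name, label in classify_flows().items():
        print(f"{name:11s} -> {label}")
```

The point of the "ssh" entry is that stock SSH announces itself in cleartext before any key exchange, so a box needs no cryptanalysis to single it out; an identical session whose opening bytes carry no such structure gets no match. That is consistent with the talk's observation that the modified SSH and the unmodified one were treated differently by the network.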
Conclusion
• By definition, deep packet inspection and packet shaping technology is censorship technology
• The introduction of a policy of service or application preference, an intentional bias
• The technology is not evil
• But it can be
• Similarly, the export of technology to Iran is not a bad thing
Links
• http://opennet.net/studies/Iran2009
• http://github.com/brl/ftpscan
• http://github.com/brl/obfuscated-ssh
E-mail
• bruce@netifera.com
• david@netifera.com