nanog mailing list archives

Re: Impacts of Encryption Everywhere (any solution?)


From: Mike Hammett <nanog () ics-il net>
Date: Mon, 28 May 2018 11:03:47 -0500 (CDT)

The increase in the subscriber base increases the likelihood of visiting the same content and thus the benefit. 

Before HTTPS-everywhere, caching was hugely beneficial. 

Currently they are making do with 40 kilobit/s, so it's certainly possible to Internet at that level. Just looking at 
ways the service can be even that much better. 

If they only have single digit megabit/s of Internet, you don't need multiple systems to add/drop the encryption. While 
I don't have anything to back this up, I'd suspect a couple hundred dollar single board computer (since session border 
controller seems to be a more popular use of the acronym SBC) would be sufficient. I'm not overly intimate with that 
space, but some little ARM-based machine could probably do it just fine. Move that to hundreds of megabit/s or 
gigabit/s and your concern is certainly much more relevant. 

----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

----- Original Message -----

From: "Andrey Khomyakov" <khomyakov.andrey () gmail com> 
To: "Mike Hammett" <nanog () ics-il net> 
Cc: "NANOG list" <nanog () nanog org> 
Sent: Monday, May 28, 2018 9:50:01 AM 
Subject: Re: Impacts of Encryption Everywhere (any solution?) 


That is super interesting. While one can Internet fine at 5Mbps (save for streaming UHD movies maybe), I am not 
convinced 1Mbps can be successfully shared even if there was no encryption anywhere. 
My understanding is that some enterprises do decrypt traffic in flight with proxies such as Blue Coat, though I'm not 
sure on the particulars of how that works. I think the overall theory is that the proxy acts as a trusted CA for all 
its clients and generates the certificate for the destination hostname on the fly, thus terminating the SSL connection 
and opening a new one on behalf of the client. I do, however, recall that the solution is not cheap, neither in $ nor 
computationally. And, I'm guessing, in the case of a village that can't get anything faster than 1Mbps, can they even get 
power to run a couple (does the proxy uptime matter?) of heavy-compute proxies? 


Another concern would be that caching implies the whole village visits the same content. I'm not even confident my wife 
and I visit the same content (save for gmail maybe). 


And lastly, most modern websites are very media rich. Unless the whole village confines their usage to wikipedia.org, 
I can't imagine that the experience will be pleasant in any way or form, or that there will be any benefit to caching. 


Save for the SSL proxy mentioned above, I have seen folks pull several crappy DSL connections (let's say ~1Mbps each) 
and band them together. If the provider supports the bonding option, great! If not, I've seen folks basically per-flow 
load balance across the 4 connections. 


-Andrey 

On Mon, May 28, 2018 at 4:23 PM, Mike Hammett <nanog () ics-il net> wrote: 


Has anyone outside of tech media, Silicon Valley or academia (all places wildly out of touch with the real world) put 
much thought into the impacts of encryption everywhere? So often we hear about how we need the best modern encryption 
on all forms of communication because of whatever scary thing is trendy this week (Russia, NSA, Google, whatever). 
HTTPS your marketing information and generic education pieces because of the boogeyman! 

However, I recently came across a thread where someone was exploring getting a one megabit connection into their 
village and sharing it among many. The crowd I referenced earlier also believes you can't Internet under 100 megabit/s 
per home. 

Apparently, the current best Internet the residents of the village can get is 40 kilobit/s. Zero oversubscription gets 
a better service to up to 25 homes. Likely that could be stretched to at least 50 or 100 homes and be better than what 
they currently have. Forget about streaming video, let's just focus on web browsing and messaging. 

However, this could be wildly improved with caching a la Squid or something similar. The problem is that encrypted 
content is difficult to impossible for your average Joe to cache. The rewards for implementing caching are greatly 
mitigated and people like this must suffer a worse Internet experience because of some ideological high horse in a 
far-off land. 

Some things certainly do need to be encrypted, but encrypting everything means people with limited Internet access get 
worse performance OR mechanisms have to be put in place to break ALL encryption, thus compromising security and privacy 
when it's really needed. 

To circle back to being somewhat on-topic, what mechanisms are available to maximize the amount of traffic someone in 
this situation could cache? The performance of third-world Internet depends on you. 



----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 
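As an added worked example (not code from any poster in this thread), the model below makes the thread's two claims about caching quantitative: a shared cache's hit rate rises with the number of homes sharing the link, and the share of traffic that is HTTPS caps that benefit because encrypted objects pass the cache untouched. It assumes an infinite cache, a Zipf-distributed catalog and independent requests; every parameter value is constructed, not measured.

```python
"""Expected benefit of a shared web cache on a slow village link.

Added example for this thread, not code from any poster. Assumptions
(constructed, not measured): an infinite cache in front of the link, a fixed
catalog whose popularity follows a Zipf law, independent requests, and a
given share of traffic that is HTTPS and therefore cannot be cached.
"""


def zipf_probs(catalog_size, alpha=1.0):
    """Request probability of each object in a catalog of catalog_size items."""
    weights = [1.0 / (rank ** alpha) for rank in range(1, catalog_size + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def expected_hit_rate(requests, probs):
    """Expected fraction of `requests` served from an infinite cache.

    The first request for an object is a miss and every later one is a hit,
    so the expected number of misses is the expected number of distinct
    objects requested: sum over objects of 1 - (1 - p_i) ** requests.
    """
    if requests <= 0:
        return 0.0
    expected_distinct = sum(1.0 - (1.0 - p) ** requests for p in probs)
    return 1.0 - expected_distinct / requests


def effective_hit_rate(homes, requests_per_home, cleartext_fraction, probs):
    """Hit rate over all traffic when only cleartext objects can be cached."""
    hit = expected_hit_rate(homes * requests_per_home, probs)
    return cleartext_fraction * hit


def per_home_kbit(link_kbit, homes, hit_rate):
    """Upstream capacity each home effectively gets once hits leave the link."""
    return link_kbit / (homes * (1.0 - hit_rate))


if __name__ == "__main__":
    catalog = zipf_probs(10_000)           # 10k objects, constructed catalog
    link = 1_000                           # the 1 megabit/s link from the thread
    for homes in (25, 50, 100):
        for cleartext in (1.0, 0.5, 0.1):  # share of traffic the cache can see
            h = effective_hit_rate(homes, 200, cleartext, catalog)
            print(f"{homes:4d} homes, {cleartext:.0%} cleartext: hit rate "
                  f"{h:.1%}, ~{per_home_kbit(link, homes, h):.0f} kbit/s/home")
```

With 0% cleartext the hit rate is zero and 25 homes on the 1 megabit/s link get the thread's 40 kbit/s each; the table shows how far caching can lift that only for the traffic it can actually see.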