Sandvine: "DPI is Necessary"

[David Farber <dave () farber net>]

Begin forwarded message:

From: Seth Johnson <seth.johnson () RealMeasures dyndns org>
Date: May 1, 2009 10:37:24 AM EDT
To: David Farber <dave () farber net>
Subject: Sandvine: "DPI is Necessary"
Reply-To: seth.johnson () RealMeasures dyndns org


> http://www.p2pnet.net/story/21162

(See webpage for internal links.  I just noticed there's some "rich"
language in this, so be advised  -- Seth)


‘DPI is necessary’ - Sandvine


DPI, Deep Privacy Invasion (or Deep Packet Inspection) is the tool
used by disgraced ‘behavioural targeting’ firm Phorm on behalf of
giant UK provider BT, as well as other companies.

British government approval of the technology has gotten it into a
costly and politically disastrous lawsuit with the European
Commission.

In Canada, its use inspired the federal privacy commissioner to launch
an anti-DPI site which states  clearly and unequivocally »»»

Deep packet inspection is just one seemingly neutral technological
application that can have a significant impact on privacy rights and
other basic civil liberties, especially as market forces, the
enthusiasm of technologists and the influence of national security
interests grow stronger.

DPI is employed by acompany called Sandvine, based in Waterloo,
Ontario, and which has now submitted a CRTC filing on Network
Management (TPN2008-19 Review of Internet Traffic Management Practices
of Internet Service Providers) in which it claims “DPI is necessary,”
says Sandvine Fluff in a dslreports comment post.

In it, “DPI is necessary for the identification of traffic today
because  the historically-used ‘honour-based’ port system of
application classification no longer works,” says Sandvine.

“Essentially, some application developers have either intentionally or
unintentionally designed their applications to obfuscate the identity
of the application.  Today, DPI technology represents the only
effective way to accurately identify different types of applications.
”

Really?

‘Policy management’

Whenever you see a corporate product with ‘fair’ in the name, you can
be 100% sure it’ll be the exact opposite, p2pnet posted a little less
than a year ago, going on »»»

Apple’s FairPlay DRM is a shining example, and now ace Canadian
digital restrictions management company Sandvine has come out with a
product sure to make the likes of Bell Canada and Rogers glow.

Sandvine, which coined the notable phrase ‘policy management,’ is now
touting Sandvine FairShare to, “enhance its suite of Traffic
Optimization solutions”.

For ‘Traffic Optimization’ read bandwidth throttling, and Sandvine’s
new consumer control technology ‘empowers’ ISPs, enabling, “fair usage
in the shared access network” with “advanced techniques” to “ensure
equitable allocation of network resources during periods of
congestion,” it says.

And it’s “fully application-agnostic,” meaning BitTorrent isn’t the
only P2P file sharing application it’ll target.

We continued »»»

“FairShare automatically responds to the changing network environment
and subscriber usage patterns in real-time,” says Sandvine.

To do that, it must be constantly spying on users and although DPI
isn’t mentioned, one wonders if it figures in Sandvine’s FairShare.

DPI = Deep Packet Inspection which, says the Wikipedia, “enables
advanced security functions as well as internet data mining,
eavesdropping, censorship, etc”.

CAIP (Canadian Association of Internet Providers) said in a submission
to Canadian regulators, “Bell is using DPI to sequester or ‘hijack’
certain data packets as they pass through the network, and hold these
packets hostage until certain pre-conditions are met …”

And CIPPIC (Canadian Internet Policy and Public Interest Clinic) is
asking the Canadian privacy commissioner to open an investigation
because, it says, Bell has not only, “failed to obtain the consent of
its retail and wholesale internet customers in applying its
deep-packet inspection technology, which tells the company what
subscribers are using their connections for,” it’s using Deep Packet
Inspection to, “find and limit the use of peer-to-peer applications
such as BitTorrent, which it says are congesting its network”.

Sandvine says, blandly, its FairShare, “collects subscriber usage
metrics from various sources and analyzes the data according to
sophisticated, configurable parameters”.

Then it, “dynamically modifies policies to balance available bandwidth
and resources among subscribers”.

It actively throttles bandwidth, in other words.

According to Sandvine in its submission to the CRTC, “DPI is necessary
for the identification of traffic today because  the historically-used
“honour-based” port system of application classification no longer
works.  Essentially, some application developers have either
intentionally or unintentionally designed their applications to
obfuscate the identity of the application.  Today, DPI technology
represents the only effective way to accurately identify different
types of applications.”

Now, in the first of what’s certain to be a long series of posts and
arguments deconstructing Sandvine’s claims of innocence, “Boy, this
makes me glad I gave up the free beer and ended up working elsewhere,”
says shepd in dslreports (http://www.dslreports.com/profile/933870),
going on »»»

Sandvine (6) : Sandvine submits that the true “content” of an Internet
transmission is represented as the body of your e-mail message; the
music or movie you are downloading; the video you are streaming; the
words in your VoIP  call, etc.  As explained in Sandvine’s initial
comments to the Notice, Sandvine’s congestion management solutions,
including those that employ DPI, do not inspect content as the content
is not relevant to a congestion management solution.  To be clear,
they: Do not read your e-mail; Do not listen to your voice calls; Do
not watch the video you are streaming, etc.

shepd: Point 6 is (or or will be) a lie. The best DPI systems would
implement caching for streaming video, I’m guessing Sandvine doesn’t
do this (yet).

Sandvine (16): Because typical congestion management solutions do not
inspect the actual content of users’ Internet traffic, they also
cannot  record, report on, or  store such personal information.  As
explained in paragraph  62 of Sandvine’s original comments, the most
“personal” information that Sandvine’s congestion management solutions
record for an Internet account (i.e, not a particular individual, but
the IP address attached to an Internet account, which may include
access for many individuals) is aggregate volume usage data, by
application or protocol.  For example, a typical congestion management
solution could report the number of bytes of a VoIP protocol sent
and/or received by a given Internet account over a fixed period.

shepd: I know personally is an absolute and complete utter lie. One of
Sandvine’s most popular solutions was to combine logging activities
with their DPI hardware. You could buy several TB log servers just for
this purpose. The idea was that when you call up support they could
check your account on this log server and see if you have viruses or
are running P2P so they could weed out people who just can’t fix their
PCs vs. people with bad connections.

Sandvine (17): As described above, Sandvine submits that the use of
DPI-based congestion management solutions do not create a privacy
concern in that they do not inspect content for the purposes of
traffic classification, nor is any such information stored within such
solutions.  Despite this fact, certain respondents claim that somehow
the mere presence of DPI-based technology itself raises privacy
issues, and have called for an outright ban on any such technology.
Imagine if this approach were applied to other technologies, such as
those supporting cameras.  Single Lens Reflex (SLR) technology
underlies cameras that take photos at family birthday parties.  The
same technology has been applied for surveillance of individuals and
public spaces.  One use of the technology raises privacy issues, the
other does not.  Nobody questions the value or validity of the camera
technology.  So why question DPI technology? Privacy concerns properly
attach to applications  or uses of technologies, not to the
technologies themselves.

shepd: 17 is just plain stupid. Encrypted communications are private
by their very nature. If I walk into most museums and start taking
pictures (especially with an SLR) I’ll be escorted out by the police,
because it’s trespassing. I’ll probably be served, too, if it’s
obvious I was intended to be a douche about it.

Sandvine (18): Banning the use of DPI, would have far-reaching and
damaging consequences across the Internet, where the technology is
used extensively.  The wireless router in your home probably uses DPI
to make sure that time-sensitive packets like VoIP or gaming are
delivered quickly, while delaying less time-sensitive packets like
e-mail.  Firewalls, some built right into popular  PC operating
systems, use DPI to analyze packets for malicious intent like
viruses,  trojans, and Spam.  Libraries, schools and government
institutions rely on their firewalls to protect themselves and their
users from attacks.  Those firewalls use DPI  technology.  Load
balancers and routers, indispensable hardware that distribute traffic
on the Internet and private networks, use DPI to identify where a
given packet or URL should be routed and what priority it should be
given.

shepd: Yes, that’s why we want DPI banned for PUBLIC usage, not
PRIVATE. Duh.

Sandvine (19): DPI is also a key part of the innovation in allowing a
migration from IPv4 to IPv6 allowing a network operator to convert
from one to the other using a carrier-grade
network-address-translation (NAT) and keeping protocols such as VoIP
operational.

shepd: WTF??? How the hell can inspecting a packet help you take an
IPv4 address and put it on an IPv6 network without modifying the
contents of the packet? And I thought you just said in point 6 you
don’t inspect the content? How do you even know it’s an IPv4 packet
then?

Sandvine (20): As described above, Sandvine submits that  typical
congestion management practices (which the Company believes is the
subject of theNotice) do not raise personal privacy issues.  However,
Sandvine recognizes that other Internet solutions that are in high
demand from consumers, governments and society in general may raise
personal privacy considerations.  Examples, raised by certain
respondents include lawful intercept, copyright enforcement, and
targeted advertising.

shepd: See 19

… and, “22, 24, 26 — Contradict point 6, again,” he says. [22 -- To
continue the earlier analogy, surveillance of individuals or public
spaces could be achieved through a SLR-supported still frame camera or
through video recorders supported by a variety of technologies.
Similarly, solutions like lawful intercept, copyright enforcement and
targeted advertising are achieved through a variety of technologies,
not just ? or even predominantly ? DPI. 24 --  DPI technology can
comprise a component of  targeted advertising solutions, but it has
been  very rarely used this way. Instead, other technologies have
dominated.  Google is one of the leaders in targeted advertising, but
to Sandvine's knowledge its targeted advertising solutions do not use
DPI.  According to Google's own Advertising and Privacy notice in
connection with its enormously popular Gmail e-mail application,
Google reads your mail to make decisions on targeted advertising:
"The Gmail filtering system also scans for keywords in users' emails
which are then used to match and serve ads.  When a user opens an
email message, computers scan the text and then instantaneously
display relevant information that is matched to the text of the
message. 26 --  Lawful intercept provides another example of how
privacy-sensitive solutions can be enabled by a wide variety of
technologies.  In the United States under the Communications
Assistance for Law Enforcement Act (CALEA), service providers are
required to identify and intercept criminal data traffic under a
lawful warrant provided by law enforcement agencies.  DPI technology
could be used in a solution designed to support the collection of that
data, but so  too could a home computer "tapped" into the
communications of the individual that is the subject of the warrant.]

Sandvine (25): According to the Google Toolbar Privacy Notice, the Web
History service available through the popular Google Toolbar, “records
information about the web pages you visit and your activity on Google,
including your search queries, the results you click on, and the date
and time of your searches in order to improve your search experience
and display your web activity.  Over time, the service may also use
additional information about your activity on Google  or other
information you provide us in order to deliver a more personalized
experience.”  According to the same Privacy Notice, Google’s PageRank
service also  sends Google “the addresses or other information about
sites when you visit them. According to Google’s Privacy FAQ,
Google stores search engine logs data for each user for 18 months
prior to anonymizing it. Again, to Sandvine’s knowledge, none of these
solutions use DPI.

shepd: So, because Google does it differently, that’s how it’s all
done, right? I use a 1541 disk drive (Commodore), so *OBVIOUSLY* my PC
can read the disks, you know, because *I* do it that way. Yup. Awesome
argument.

Sandvine (27): In many cases, questions around privacy-sensitive
Internet solutions will ultimately come down to the ability to secure
sufficient user consent.  To date, vendors of privacy-sensitive
solutions like targeted advertising have struggled with providing
reliable mechanisms for managing user consent.  The mechanisms,
whether designed as opt-in (where the user must proactively consent to
being subject to the solution) or opt-out (where the user must
proactively demand NOT to be subject to the solution) have typically
been cookies-based.  Cookies are “small pieces of text, stored by a
user’s web browser, that contain the user’s settings, shopping cart
contents, or other data used by websites. 29 –  Fortunately, a better
solution to the consentproblem is available, through a network-level
association between the subscriber’s account and his permission
settings related to the privacysensitive solutions.  Regardless of the
computer he uses to access his Internet account or the browser that he
uses on those  computers, the permissions follow the user.  Only if
the user intentionally changes his account-level privacy permissions
could a previously opted-out user be opted-in.  Such a solution can be
implemented through the use of DPI technology.

shepd: 27 - 29 — Nothing at all to do with DPI.

Sandvine (30, 32): Service providers are just beginning to explore
other uses of DPI that can make their service offerings more
attractive to consumers in an increasingly competitive Internet access
market.  High-speed Internet services  are largely offered in the form
of flat rate, monthly, unlimited plans.  Consumers may be interested
in other types of service plans that better reflect the unique ways
that they use their Internet connections.  Such plans would likely
necessitate the ability to differentiate between types of traffic and
applications, which in turn would necessitate the use DPI technology
as well as other network intelligence tools. 32 — Other consumers may
be interested in a service package that guarantees a high quality of
service for certain frequently-used, latency-sensitive applications,
like Internet video gaming or VoIP.  A DPI-supported policy solution
that can distinguish between different types of traffic and
applications is necessary to enable this type of service package.

shepd: 30 - 32 — Direct assault on net neutrality. Pay more for real
internet, pay less for fake internet. Why go through the effort with
DPI? Just dump in a forced proxy server and you’re gold if you just
want to provide KIRF internet.

Sandvine (35): In response to point “a” (and as already  described in
paragraph 55 of Sandvine’s initial comments) a policy that is targeted
at disproportionate users of bandwidth can become more targeted by
applying an application-specific policy as well.  For example, by
their nature, applications like VoIP, online video gaming and others
do not contribute meaningfully to network congestion, but because they
are time-sensitive applications, their usefulness to  the consumer is
greatly impacted by any delays in their delivery.  Congestion
management solutions allow service providers to create a
narrowly-targeted policy that affects: only disproportionate users;
only applications that contribute disproportionately to bandwidth
consumption; and only applications that are not time-sensitive.

shepd: 35 — In my opinion, nothing is a bigger hog than work VPNs. So
let’s boot off these corporate hogs. Oh wait, this is all opinion
based and therefore total BS, right?

Sandvine (36): Such a policy would minimally impact users’ quality of
experience, while achieving the congestion management goal.  Sandvine
is focused on maximizing the user’s Internet experience.

shepd: 36 — “Maximizing” their experience they way they did with
Comcast, yes? Yes, I sure do feel people had their experience with
tech-support “maximized”.

Sandvine (41): Further, many IETF standards implicitly require the use
of DPI, such as RFC 3489, “Simple Traversal of User Datagram  Protocol
(UDP) Through Network Address Translators (NATs)”, and RFC 2766,
“Network Address Translation - Protocol Translation (NAT-PT)”

shepd: 41 — If my IP started with 192.168, 172.16-30, or 10. this is
right. Guess what, that’s not what any of this is about.

Sandvine (42): One of the DPI-supported congestion management policies
that Sandvine has historically offered service  providers is “session
management”of P2P file-sharing traffic through the use of TCP Reset
packets (RST packets) (see paragraph 53 of Sandvine’s initial
comments).  Despite the claims of certain respondents, there are
simply no IETF standards on when or how RST packets should be used.
It is further claimed that the RST packets used in session management
are in some way “forged” because an RST packet is supposed to mean
that “the other end of the connection has failed.”  While original
implementations of RST packets were for this purpose, as with much on
the Internet, their use has evolved.  For example, most webservers use
RST packets  today as a mechanism for tearing down TCP connections
because it is much more efficient than a four-way connection teardown.
In short, RST packets are broadly used today and for purposes other
than communicating that “the other end of the communication has
failed.”

shepd: 42 — The US Government, of all people, has told you, Sandvine,
that you *are* impersonating people on the internet by injecting RST
packets. STFU already!

“Sandvine, you are embarassing my hometown,” says shepd, adding, “If
you are going to write shit, at least make it coherent shit.”

And guess who’ll be taking notes avidly, if it isn’t already in
behind-closed-doors communication with Sandvine?

Phorm, anyone?

Definitely stay tuned.

Jon Newton - p2pnet

(Thanks, Marc)





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com