NET NEUTRALITYA primer

Network Neutrality

• The promise of the Internet• Means networks should be dumb• Because for once, dumb is good:– Dumb networks are necessary for open and free

communication– Key to innovation– The promise of the Internet

Who wouldn’t want this?

• Telecom providers feel left out of the Internet economy :-(– Dear Google: We’re the reason you’re successful.

Shouldn’t you pay us for all the traffic we bring you?• Internet Service Providers want to ration

bandwidth by application• Create tiered access– “value-add” for the consumer – BitTorrent and MMORPGs? $$$

Their needs

The Internets: Not a truck

How?

• Traffic shaping• Deep Packet Inspection– Telecom provider buys special

box– Special box peeks into your

internet connections– Tries to identify applications

and services using known patterns

– Even encrypted protocols have identifiable patterns..

Meanwhile…

#iranelectionJUNE 2009, TEHRAN

Censorship in Iran

• Between 5 and 10 million websites, according to government statements– Dissident and reformist political content– Secular viewpoints– Ba’hai faith, Kurdish movements– Sins: Pornography, drug, alcohol, gambling– Foreign media sites– Tools for circumventing filters– 9% of all Farsi blogs– Myspace, Orkut, Flickr, Bebo, Metacafe, Photobucket,

Del.ic.io.us

And during the 2009 election..

Iran Facts

• 23 million Internet users in Iran (28 million in Canada)

• 35% of the Iranian population• 60,000 active Farsi blogs• 1/3 of the Iranian population is between 15

and 29 years old

Circumventing Censorship

• SSL encrypted proxy servers• Freegate• Tor• OpenVPN tunnels• SSH tunnels

Iran blocking ports?

• We needed to know if it was true that connections originating inside Iran were being blocked by port

• We had no friends in Iran to help us test this• Then we had an idea..

Testing Connectivity from Within Iran

• Follow these steps:– Step 1: Google for publicly accessible FTP server– Step 2: Connect with FTP client and initiate active

mode data connection back to client– Step 3: Wait to see if connection successfully

completes or not• Implemented in a program that did this

automatically– Link at the end of presentation

Results

• So how many ports were being blocked?

None!

However..

• There were credible reports from Iran of connectivity problems

• A pattern emerged– Affected connections are slow, very slow– The port does not matter– Destination does not matter– What matters is the protocol you’re using to

communicate

An experiment

• We wanted to verify a theory that deep packet inspection technology was behind the censorship

• The SSH protocol was chosen• Modifications were made to OpenSSH to fully

encrypt the initial handshake– To avoid detection by deep packet inspection

technology

Result

• Significant performance differences observed between normal SSH and the modified SSH– This strongly suggested that some sort of deep

packet inspection technology was being used • Later, sources in Iran credibly claimed that

Western technology was being used to implement state censorship policy– Packet shaping, deep packet inspection technology– Specific products cited

Conclusion

• By definition, deep-packet inspection, packet shaping technology is censorship technology

• The introduction of a policy of service or application preference, an intentional bias

• The technology is not evil– But it can be

• Similarly, the export of technology to Iran is not a bad thing

Thank you!

Links

• http://opennet.net/studies/Iran2009• http://github.com/brl/ftpscan• http://github.com/brl/obfuscated-ssh• E-mail– bruce@netifera.com– david@netifera.com