Application Throttling/Management
Old 05-09-2008, 17:51   #286
brundles
Inactive
 
Join Date: Jan 2006
Location: Berkshire
Posts: 1,266
Re: Application Throttling/Management

Quote:
Originally Posted by David F View Post
Is this set to be a 24 thing or will there be any break? It is sucky.

Didn't VM just sign a deal to use Easynews NNTP backbone? Anyone think this could be part of a deal? Easynews now have a 150 gig 15 quid a month HTTP link to the newsgroups; will these be hit by app throttling? Can this hardware filter port 80 traffic? If not, could this be a shrewd move to push Usenet customers to Easynews? I.e. you give us access to your servers, we could force thousands of customers your way?
Is it the same IPs though or do VM essentially allocate shadow IPs or proxy it so they can differentiate and limit the service as defined in the contract between the 2? (Assuming that VM customers don't get the same access and retention on Easynews as Easynews customers)
Old 05-09-2008, 17:57   #287
Bonglet
cf.addict
 
Join Date: May 2007
Posts: 469
Re: Application Throttling/Management

Thousands of customers would just up and leave, not go to some company VM has connections to.
Really bad show and the final nail in VM's casket if this DPI stuff goes ahead. Said it a long time ago when this stuff was first mentioned: this is no different to what the advertising malarkey were up to. ISPs could filter anything (affecting traffic now and creeping to whatever surfaces as the next P2P) they want out with the kit, leading in the end to a distrust of the ISP using the kit and a 2 tier system and a more encrypted internet.

This could also be used covertly for ISP discrimination to certain services or products that the ISPs see fit for use (they WILL say they won't but will they?)
Old 05-09-2008, 18:02   #288
xspeedyx
Guest
 
Posts: n/a
Re: Application Throttling/Management

I am stuck with them well unless I quit and move house
Old 05-09-2008, 18:25   #289
popper
Inactive
 
Join Date: Jan 2006
Posts: 3,270
Re: Application Throttling/Management

Quote:
Quote:
Originally Posted by dev
An ISP can easily see SSL traffic, after all you negotiate the secure connection via your ISP
Quote:
Originally Posted by Toto View Post
I was answering the point as to whether or not D(eep)P(acket)I(nspection) of SSL packets was legal or not, not whether the ISP can see them, which of course they can.
Deep Packet Inspection/Interception of a UK/EU/US consumer's unique datastream IS NOT legal, UNLESS they have been given written full and informed consent by the owner of that data stream, i.e. YOU as the owner and maker of that unique datastream.

You as the owner and maker of that data can remove any of the rights you may have given them at any time with a simple "official notice" in writing to the data controller of the company involved removing that right.

(as the Phorm/NebuAd cases are showing and educating the world's broadband masses today).

---------- Post added at 18:25 ---------- Previous post was at 18:05 ----------

Quote:
Originally Posted by Broadbandings View Post
Not really, this is why there are certification chains for the SSL certificates. If Virgin started trying to proxy SSL connections in order to read the contents it would be very obvious when you noted your bank's secure site having a certificate signed by Virgin Media

They can't 'break' SSL but can certainly monitor the endpoints and implement a policy based on that. If someone has 10 SSL connections to news-europe.giganews.com it doesn't take a huge amount of thinking or analysis to guess what the traffic is.
This is so true, that's why there's such a massive potential for some UK 3rd party co-location site to set up a basic free tunneling service to their servers and charge a reasonable price for higher data packages.

If only someone would provide this simple free basic service ASAP (Google UK infrastructure perhaps?) for your average users that don't know how to get or set up their own SSL tunneled co-location virtual web servers and related apps for personal remote use.

That way you tunnel from your VM/BT master home machine plugged into your desk BB modem directly to the free 3rd party virtual web server, and run your real datastream's end point from that 3rd party location, and hence VM/BT etc. can't easily see these unencrypted data end point requests. Let's see VM/BT justify STMing that single SSL data pipe to a 3rd party in court.

OC as time moves on, it's looking far more viable to look into direct WiMax and wireless GigE to the co-location sites around the country and bypass the ISPs' invasive snooping altogether.

As the WiMax/GigE hardware prices fall through the floor for this old/new wireless kit, all it takes today is a few mates or a small village to club together and run their own cheap meshed wifi and a single server housed somewhere handy to all of them with this wireless WiMax/GigE connection pointing to your friendly co-location site, and you can do that today, never mind the URL story below that will make it even easier and cheaper later.

http://www.dailywireless.org/2008/09/04/gigabit-wi-fi/

http://www.dailywireless.org/2008/08...most-as-cheap/
Old 05-09-2008, 20:37   #290
Ignitionnet
Inactive
 
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Application Throttling/Management

The problem is though that it just ends up with any traffic being throttled unless it can be identified as being a 'wanted' protocol, and while that may not be liked it's a perfectly legitimate thing for VM to do.

And yes it's not hard to shape things, you don't have to shape based on protocol, you can shape based on destination, number of TCP connections, source, TCP port, whatever you want.

Not sure if the quote was aimed at me or if you were just pointing out the things I mentioned above regarding behavioural shaping and SSL CA chains / self signing / SSL proxying and putting them in a somewhat better way
Old 06-09-2008, 03:32   #291
popper
Inactive
 
Join Date: Jan 2006
Posts: 3,270
Re: Application Throttling/Management

Quote:
Originally Posted by Impz2002 View Post
I think there are a lot of assumptions going on here. If VM start throttling certain protocols I'm sure Ofcom will have something to say about it!

Impz
they already did, they "asking ISPs to sign up for a Code of Practice" ... "It's a voluntary code that will be tested using 'mystery shoppers,' " ..."Ofcom is also going to investigate real broadband speeds around the country" with a survey.

"One thing not mentioned is throttling. For example, an ISP could give an accurate speed estimate then deliver a lower speed due to contention or deliberate speed throttling in response to file sharing. The fact that your DSL2 connection can do 7Mbps doesn't mean you're going to get that speed all day every day"

It just fills you with real confidence that Ofcom are really looking after your legal consumer rights, doesn't it

http://blogs.guardian.co.uk/technolo...tish_isps.html

Getting yourself a few D1 forms and fact sheets and passing them around your friends will be far more effective in the long term OC.
Old 06-09-2008, 05:52   #292
popper
Inactive
 
Join Date: Jan 2006
Posts: 3,270
Re: Application Throttling/Management

Quote:
Originally Posted by Broadbandings View Post
Then they throttle flows going to those VPN endpoints.



SSL is a protocol and what's inside the SSL can't be read unless you proxy the SSL connection and terminate it on the appliance. Secure Sockets Layer - what's running on top of the SSL tunnel can be anything and ISP is none the wiser, so they throttle based on source address, the Giganews FEPs.

VPN is completely secure so long as the encryption is set up appropriately however as mentioned above you don't need to know what's in the VPN to be able to throttle.
It's not been the case for a long time now, at least for any and all plain text inside the SSL tunnel datastreams and the right kit, but you seem to already understand this point yet skip over it!? But no matter, it's still interesting to other readers of the thread later perhaps.

This is a so-called "Man In The Middle attack" built directly into industrial ISP grade hardware that business and well funded criminal outfits can purchase off the shelf today and pay an ISP tech to plug in, for instance.

Ohh, it seems that later in the thread you concentrate on full decryption of the tunnel, whereas for the purposes of this thread and the reality of why VM and the DPI vendors are doing this is to get just enough information from your encrypted datastream to use it in whatever manner they choose to increase their profit margins at the end user's expense... and without regard to the legal or political implications that might bring in the future from their actions.

And by "to close the security loophole that SSL creates" they obviously mean that without this kit they couldn't see much if any of your unique datastream property to profit from its processing...

http://www.intelcommsalliance.com/ks...04daf53086f015
"
Netronome SSL Inspector Transparent SSL Proxy


The Netronome SSL Inspector, the industry's highest-performance transparent SSL proxy, enables network security applications to access the clear text in SSL-encrypted connections and has been designed for security and network appliance manufacturers, enterprise IT organizations and system integrators. Without compromising any aspect of enterprise- or government-regulated compliance, the SSL Inspector allows network appliances to be deployed with the highest levels of flow analysis while still maintaining multi-gigabit line-rate network performance.

The SSL Inspector's unique combination of capabilities removes the risks arising from the lack of visibility into SSL traffic while simultaneously increasing the performance of security and network appliances.

The SSL Inspector Appliance provides existing sniffing (IDS) and filtering (IPS) security appliances with access to the decrypted plaintext of SSL flows. This equips network appliance manufacturers with a mechanism to provide their security applications with visibility into both SSL and non-SSL network traffic, increase their application performance and avoid becoming the source of reduced network throughput. This also allows end-users to add SSL Inspection capabilities to their network security architecture immediately to close the security loophole that SSL creates.

The SSL Inspector is also available in a standard development kit that provides the industry's only open application programming interface.


..."
Old 06-09-2008, 08:42   #293
Ignitionnet
Inactive
 
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Application Throttling/Management

Popper, those rely on having the proxy configured as a CA on the browsers so that they can create phony certificates to present to the browsers.

They can work on layer 2 however they terminate the SSL tunnel from client to server and server to client. To do this they require the browser to trust them to sign certificates. This can be done in an Enterprise environment where you have control over the security policies on browsers, however in an ISP environment it's not feasible.

EDIT: The other alternative is to get certified as a CA properly so that you get installed into browsers, however use of CA in this manner is not valid and any company doing this will soon find their CA disappears.

Remember how SSL works - in order to properly set up the session you need to have a certified, signed public/private key pair from the server. While it is possible to impersonate the client and decrypt the flow initially it is not possible to impersonate the server unless you have a signed public/private key pair the client trusts through appropriate certification.

Having set up SSL offload appliances all, without exception, require the transferral of the key pair from the server to the appliance or generation of a new key pair which has been appropriately signed and certified on a per server basis. I would suggest the same goes for trying to SSL 'offload' within the ISP network as well.
Old 06-09-2008, 12:31   #294
Andrewcrawford23
Inactive
 
Join Date: Aug 2005
Location: Scotland
Age: 42
Services: Virgin Media - XL Plus package with XXL broadband SKY HD Multiroom Freeview HD Freesat HD
Posts: 2,816
Re: Application Throttling/Management

Quote:
Originally Posted by Broadbandings View Post
Popper, those rely on having the proxy configured as a CA on the browsers so that they can create phony certificates to present to the browsers.

They can work on layer 2 however they terminate the SSL tunnel from client to server and server to client. To do this they require the browser to trust them to sign certificates. This can be done in an Enterprise environment where you have control over the security policies on browsers, however in an ISP environment it's not feasible.

EDIT: The other alternative is to get certified as a CA properly so that you get installed into browsers, however use of CA in this manner is not valid and any company doing this will soon find their CA disappears.

Remember how SSL works - in order to properly set up the session you need to have a certified, signed public/private key pair from the server. While it is possible to impersonate the client and decrypt the flow initially it is not possible to impersonate the server unless you have a signed public/private key pair the client trusts through appropriate certification.

Having set up SSL offload appliances all, without exception, require the transferral of the key pair from the server to the appliance or generation of a new key pair which has been appropriately signed and certified on a per server basis. I would suggest the same goes for trying to SSL 'offload' within the ISP network as well.
So you are admitting it is possible? Even though you said to me it is impossible? And my point was it wasn't impossible, just very hard? No, I am not bringing this up again, just curious about your thoughts.
Old 06-09-2008, 13:17   #295
Ignitionnet
Inactive
 
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Application Throttling/Management

See my post here: http://www.cableforum.co.uk/board/34632497-post274.html

Quote:
What you probably saw was someone doing an SSL proxy with a badly configured browser with no sense of certification authorities. That is not invisible either as those proxies can only be self-signed and the certificates would flag to indicate that they are not properly signed and only have a 1 step CA.
That's the mechanism by which these appliances work. It's not breaking SSL it's attempting to impersonate each side to the other. It's not difficult at all and open source implementations are available, but will show up on a browser when you go to www.barclays.co.uk and the SSL certificate the server provides is signed by Virgin Media and can't be verified.

It isn't a break of SSL though, is easily detectable, and requires browsers to be set up specifically to accommodate it as in an enterprise environment, so no I'm not admitting anything

---------- Post added at 13:17 ---------- Previous post was at 13:14 ----------

Quote:
Originally Posted by popper View Post
Ohh, it seems that later in the thread you concentrate on full decryption of the tunnel, whereas for the purposes of this thread and the reality of why VM and the DPI vendors are doing this is to get just enough information from your encrypted datastream to use it in whatever manner they choose to increase their profit margins at the end user's expense... and without regard to the legal or political implications that might bring in the future from their actions.
Ah forgot to respond to this. I'm well aware of DPI being used with partial decrypts, I've worked on DPI kit with regards to detecting encrypted Bittorrent. As you rightly said only enough 'decryption' was needed to detect what the underlying protocol was. In the case of encrypted BT the encryption was rather weak and although it took a few months researchers did indeed break it to the point where it could be positively identified.
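Added example, not part of any post in this thread: posts #293 and #295 say that an SSL proxy's substitute certificate fails validation unless the proxy's CA has been installed in the client's trust store. The script below reproduces that with `openssl verify`; every CA name, key and the host `demo.bank.example` is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, CA name and host name here is generated locally
# for illustration; demo.bank.example is a hypothetical site.
DEMO_DIR=$(mktemp -d)

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=$2" \
    -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = signing CA prefix, $2 = output prefix, $3 = host name
  openssl req -new -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$DEMO_DIR/$2.key" -out "$DEMO_DIR/$2.csr" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/$2.csr" -days 2 \
    -CA "$DEMO_DIR/$1.pem" -CAkey "$DEMO_DIR/$1.key" -CAcreateserial \
    -out "$DEMO_DIR/$2.pem" 2>/dev/null
}

chain_verdict() {   # $1 = trust-store file, $2 = certificate the client was shown
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

issuer_of() {       # print the issuer line of a PEM certificate
  openssl x509 -in "$1" -noout -issuer
}

# Two independent CAs: one standing in for a public root, one for the proxy.
make_ca real_ca  "Demo Public Root CA"
make_ca proxy_ca "Demo Interception Proxy CA"

# The same host name, once signed by the public root and once by the proxy CA.
issue_leaf real_ca  genuine     demo.bank.example
issue_leaf proxy_ca intercepted demo.bank.example

# Home browser: public roots only.
cp "$DEMO_DIR/real_ca.pem" "$DEMO_DIR/home_store.pem"
# Managed enterprise desktop: the proxy CA was added by policy.
cat "$DEMO_DIR/real_ca.pem" "$DEMO_DIR/proxy_ca.pem" > "$DEMO_DIR/enterprise_store.pem"

for store in home_store enterprise_store; do
  for leaf in genuine intercepted; do
    printf '%-17s %-12s %s\n' "$store" "$leaf" \
      "$(chain_verdict "$DEMO_DIR/$store.pem" "$DEMO_DIR/$leaf.pem")"
  done
done

# The issuer field is what gives the substitution away to the client.
issuer_of "$DEMO_DIR/intercepted.pem"
```

Only the enterprise trust store accepts the proxy-signed certificate; with the home store the chain fails and the issuer line names the proxy CA rather than the public root.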
Old 06-09-2008, 15:28   #296
Robertus
cf.addict
 
Join Date: Jan 2008
Posts: 160
Re: Application Throttling/Management

So if I use Giganews with 256bit SSL - can they just take a peek and see what I'm leeching?

I was under the impression that they'd need DPI to do this.
Old 06-09-2008, 15:50   #297
Ed2020
Inactive
 
Join Date: May 2007
Services: Virgin Media XL package.
Posts: 272
Re: Application Throttling/Management

Quote:
Originally Posted by Robertus View Post
So if I use Giganews with 256bit SSL - can they just take a peek and see what I'm leeching?

I was under the impression that they'd need DPI to do this.
DPI alone will not allow them to see the contents of SSL-encrypted traffic. They would need to use a man in the middle attack, as described earlier in this thread, to decrypt the stream, analyse it and re-encrypt it before delivering to you. This is not "breaking" SSL and can be detected from the client end.

Ed.
Old 06-09-2008, 19:41   #298
AppleSauce
Inactive
 
Join Date: Aug 2008
Posts: 85
Re: Application Throttling/Management

If VM continues to do this there will be no point in having anything above 4mb.

Mind you having seen this:

"I would note there is ALSO a separate trial going on while controls ports specifically for games (Wow etc) which affect the pings for said games."

Which is obviously a lie, it wouldn't surprise me if the rest was.
Old 08-09-2008, 00:07   #299
acidal
Permanently Banned
 
Join Date: Jun 2008
Posts: 11
Re: Application Throttling/Management

Quote:
Originally Posted by AppleSauce View Post
If VM continues to do this there will be no point in having anything above 4mb.
I'm on 4mb and it's crawling between 25-40k and the most I've seen it at tonight has been about 250k, my signals are good too.

It's been like this a few times over the last 2 or 3 weeks. I wouldn't be surprised if the *******s are up to something in this area.
Old 08-09-2008, 09:08   #300
xspeedyx
Guest
 
Posts: n/a
Re: Application Throttling/Management

There are many different factors you have to look at, i.e. congestion, wireless router, not just VM are throttling your speeds. Plus are your speeds from torrents, newsgroups, P2P?