
G_Poobah | join:2004-01-17 Schenectady, NY | reply to TKJunkMail Re: I love the new encryption scheme!
Oooh, the corporate apologists all post within a 20-minute window? How could that possibly be?
Professional astroturfers are not allowed to say they are paid by megacorp.. Well, DUH.. That kind of disclosure would be like.. hmm.. oh, the Bush administration admitting they are wiretapping citizens without warrants, and we all know how that turns out. Oops, gotta be careful about criticizing the administration; heard Cheney is being sent out as a hitman now.
The point is that there are only TWO ways to throttle traffic. The old-school way is port throttling. You set your switch to drop traffic on port XXXX until the bandwidth is low enough. That of course causes the clients to do a massive number of retries, which slows down the PC until the software is smart enough to throttle itself (at the OS level).
Option 2 is deep packet scanning. In fact, they are using the Ellacoya switch at several of their hubs. They have used several others, but last I heard they hadn't finalized the vendor yet. Again, I ramble. In order for deep packet inspection to work, the traffic needs to have VISIBLE and UNDERSTANDABLE header information. If you've ever looked at a TCP dump (possible), you'd understand that in order for an inspection to work, you need to be able to determine exactly WHAT is in the packet. Once the keys are exchanged, all these 'deep inspection devices' go to hell, as all they can tell is that it IS traffic, but they have zero idea WHAT traffic it is.
Proof? Why.. Azureus and uTorrent work again! How could you possibly need more proof than that? Once everyone upgrades their clients, the war starts all over again.
-- Sure the internet has lots of porn and piracy, but I'm sure there's a downside to it.

toadlife | Premium | join:2004-05-03 Lemoore, CA
Simple solution. If the traffic is encrypted, throttle it.

ssj4android | Redefining Reality | join:2002-04-14 Wyoming, MI | reply to G_Poobah
How is Azureus working proof that he works for Comcast?

Combat Chuck | Too Many Cannibals | Premium | join:2001-11-29 Erie, PA | reply to G_Poobah
said by G_Poobah: "Oooh, the corporate apologists all post within a 20 minute window? And now I'm gonna change the subject 'cause that's all I got." I may have edited that a bit. You know... just in case anyone was confused by your sudden concern with explaining the two ways you know how to throttle a protocol.
-- Asking those who disagree with you to find support of your arguments is like asking an assailant if you can borrow his gun.

gheezer | Compooters R Us | Premium | join:2002-12-20 Henrietta, NY | 1 edit | reply to G_Poobah
Since the devices at layers 2 and 3 are NOT running this encryption scheme (being that the company doing the throttling actually OWNS that equipment), THAT information can NOT pass encrypted.
Had you ever done a NETFLOW analysis (highly unlikely), the UNTHROTTLED encrypted activity pattern sticks out like a sore thumb.
The source and destination addresses (at layers 2 and 3) CANNOT be encrypted. For the packets to be delivered, they MUST be legible to the devices doing the forwarding.
All encryption does is scramble the PAYLOAD. Encryption protects you from the xxAA's, not network traffic shaping.
The ONLY reason it APPEARS to work is the limited distribution, thus far, of encryption clients (in order for it to work, both sides have to encrypt identically).
-- Join the NAVY, see the world....It's mostly water!

G_Poobah | join:2004-01-17 Schenectady, NY
Umm, you use big words, but you don't know what they mean. First of all, encryption occurs at layer 2; in fact, they even have a NAME for it. It's called L2TP (or Layer 2 Tunneling Protocol). You can set it up on your Windows PC very easily by creating a VPN connection.
How does this magic Layer 2 Tunneling Protocol work? Why, it ENCAPSULATES (it's a big word, but you could look it up) the protocol inside the PPP, then it puts the entire package inside the frame (usually IP). So, from the OUTSIDE, the Man in the Middle (ISP) can see.. hmm.. everything from layer 1 (they own the switch) to layer 7. But they have NO IDEA WHAT'S INSIDE. Period. The PAYLOAD is the entire package. For all you know it could be a NetBIOS frame! It PROTECTS you from ANY TRAFFIC SHAPING because it's an ALL or NOTHING approach. The ISP could throttle ALL encrypted traffic, or NO encrypted traffic. There's no middle ground.
So, given that the entire package of data from my PC to your PC has been encrypted, and the only way to decrypt it is for your PC to have the correct key, please tell me how they could determine WHAT PROTOCOL I was running. Am I running HTTP? Am I running SMTP? Am I running TELNET? Oh, wait, they CAN'T TELL. PERIOD.
So, there is NO WAY to selectively filter encrypted traffic on a protocol level. The entire concept of trying to 'throttle' encrypted torrent traffic by packet inspection is pointless, since they can't tell it's torrent traffic.
There are other options, of course, like limiting connections, etc. But that's not the issue. The issue is all that expensive, fancy equipment they bought is now a worthless piece of electronics. In fact, most of the vendors have a FAQ saying 'yes, encryption will defeat our devices, but we expect Congress to outlaw encryption'.
-- Sure the internet has lots of porn and piracy, but I'm sure there's a downside to it.

gheezer | Compooters R Us | Premium | join:2002-12-20 Henrietta, NY
Packets can't get back to your PC without referencing your machine's IP address. Without a MAC address, there's no way for your upstream router to ARP your CPE for the forwarding tables. Without a forwarding table entry, your packets go nowhere.
Your upstream device ALWAYS knows who you are.
Layer 2 and 3 aside, the service port you open is meaningless, as the BitTorrent/eMule netflow pattern showing thousands of simultaneous inbound connection attempts to one CPE is well known and easy to spot.
-- Join the NAVY, see the world....It's mostly water!

G_Poobah | join:2004-01-17 Schenectady, NY
Have to reply, but what the hell are you talking about? Of course the upstream device knows who I am; that's impossible to hide. But it's completely irrelevant to your misguided attempt to understand how encryption works. As the original post goes: if you ENCRYPT your BitTorrent traffic, the traffic shapers DON'T WORK. I described in detail exactly WHY they don't work. Because the info leaving your computer CANNOT be inspected with the technology they deployed. Period. Encryption defeats packet inspection, which is why I argue that ALL traffic should be encrypted by default. Any crap about the ISP being able to see layer 2-7 traffic is meaningless, as the encryption occurs BEFORE it leaves your PC.

gheezer | Compooters R Us | Premium | join:2002-12-20 Henrietta, NY | 1 edit | reply to gheezer
Bullshit. Traffic shaping can be done by netflow pattern, and can be protocol-port independent.
IP FLOW PATTERN.
Hundreds of simultaneous incoming connection attempts destined for a single address.
1 in 5 can easily be discarded.
-- Join the NAVY, see the world....It's mostly water!

G_Poobah | join:2004-01-17 Schenectady, NY
*Sigh*.. I'll post one last time, since you obviously don't get it.. What's the TITLE of the subject? "Bit Torrent Encryption Beats Shaw Throttling"
You argue that encryption doesn't beat throttling. That's complete and total bullshit, and I've shown you the proof. Maybe it's possible you don't even know HOW encryption works (and I quote your post: "The source and destination addresses (at layers 2 and 3) CANNOT be encrypted").
(Helpful hint from a real Cisco engineer: layer 2 MAC addresses aren't sent beyond the switch.. that's why it's called a 'switch' and not a 'router'.)
There is no way to inspect an encrypted packet, unless you know some 'magic super decrypter' that does it or you are the NSA with the real-time processing capabilities. ENCRYPTION defeats everything Shaw is trying to do to throttle torrents. PERIOD. Shaw will need to rip out all that worthless equipment, and install new equipment to TRY and defeat torrent traffic. And of course, the torrent makers will defeat THOSE techniques too.
As I said before: "There are other options, of course, like limiting connections, etc. But that's not the issue."
I researched your 'supposed' technique of 'IP flow pattern', and can't find it being used anywhere on a WAN basis. Then I realized, oh, wait, he's talking about Cisco Traffic Manager. I've used that! But it FAILED MISERABLY, and it NEVER WORKED WELL. In fact, Cisco gave up on it 2 years ago! It CAN'T work. The processing power and memory required to maintain a table of just ONE port's session states was huge. Try and scale that up to 10,000 nodes at once? There's no processor/memory combo even remotely powerful enough. Maybe I'm wrong, and you're right. Please point me to this 'magic device' if it's available. (Hint: a notebook-based application ISN'T the same thing as an enterprise-level processor. Monitoring one port, or even 100 ports, is cake. Monitoring 10,000+ is impossible.)
Go back to the original message. The objective of SHAW is to throttle torrent traffic. Not the entire connection. Not the total bandwidth, just torrent traffic. They can't do it. The internet wasn't designed that way, and encryption defeats all currently available methods of traffic shaping based on content.
-- Sure the internet has lots of porn and piracy, but I'm sure there's a downside to it.

gheezer | Compooters R Us | Premium | join:2002-12-20 Henrietta, NY
Insults are meaningless.
I work Cisco every day in a network that services 2 million customers. At command line. It's true.
I have been doing computer work since 1982. Networking since 1988. I'm a bit more clueful than you realize.
There's NO NEED to inspect the packet. You watch the IP flow pattern at layer 3 and mark on the top talkers.
netflow.cesnet.cz/
manageengine.adventnet.com/produ···dex.html
www.cisco.com/warp/public/732/pa···0604.pdf
It's you who aren't seeing this... read the article a bit closer; it says BOTH ends must be running the same encryption client. With the, thus far, limited distribution of the encrypted client, the netflow monitoring isn't seeing hundreds of simultaneous connection requests, so the netflow monitoring sees no need to throttle.
TOP TALKERS, no more, no less.... and no reference to service port.
-- Join the NAVY, see the world....It's mostly water!
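The two positions argued across this thread (payload encryption blinds signature-based packet inspection, yet the layer-3 flow pattern of hundreds of inbound endpoints to one host stays visible because addresses and ports must be readable to be forwarded) can be shown side by side. The script below is an added example, not code from the thread or from any of the vendors or tools it names. It assumes a toy SHA-256 keystream cipher as a stand-in for whatever the two peers actually negotiate, and all addresses, ports, the peer count and the detection threshold are constructed sample values. The one real-protocol fact it relies on is that a plaintext BitTorrent handshake begins with the byte 19 followed by the string "BitTorrent protocol", which is the kind of fixed prefix a payload-signature box keys on.

```python
"""Headers vs. payload: what an ISP-side box can still see once the payload is encrypted.

Added illustration, not code from the forum thread or from any product named in it.
All addresses, ports, packets and thresholds below are constructed sample data.
"""
import hashlib
from collections import defaultdict

# Real BitTorrent handshakes start with byte 19 followed by this string;
# a payload-signature DPI box matches exactly that kind of fixed prefix.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
KEY = b"constructed-demo-key"  # stand-in for the key the two peers exchanged


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XOR), a stand-in for the
    peers' real cipher. The only point is that the bytes on the wire no longer
    contain the plaintext signature. XOR makes the function its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def classify_by_payload(payload: bytes) -> str:
    """Signature-style deep packet inspection: look for a known protocol
    prefix in the payload. Encrypted bytes match nothing."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    return "unknown"


def build_sample_traffic():
    """Constructed packets: (src_ip, src_port, dst_ip, dst_port, payload).
    10.0.0.5 is a torrent client whose 300 peers all send the encrypted
    handshake; 10.0.0.7 is a host with three ordinary web connections."""
    packets = []
    for i in range(300):
        peer = f"198.51.100.{i % 250 + 1}"  # documentation address range, constructed
        packets.append((peer, 40000 + i, "10.0.0.5", 6881, toy_encrypt(BT_HANDSHAKE, KEY)))
    for i in range(3):
        packets.append((f"203.0.113.{i + 1}", 50000 + i, "10.0.0.7", 80, HTTP_REQUEST))
    return packets


def flow_profile(packets):
    """Flow-level view built only from the IP/port headers, which have to stay
    in the clear for the packets to be forwarded at all: distinct remote
    endpoints per local host, bytes received, and what payload DPI made of it."""
    profile = defaultdict(lambda: {"peers": set(), "bytes": 0, "dpi": defaultdict(int)})
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        entry = profile[dst_ip]
        entry["peers"].add((src_ip, src_port))
        entry["bytes"] += len(payload)
        entry["dpi"][classify_by_payload(payload)] += 1
    return {host: {"peers": len(e["peers"]), "bytes": e["bytes"], "dpi": dict(e["dpi"])}
            for host, e in profile.items()}


def flag_hosts(packets, threshold: int) -> set:
    """Hosts with at least `threshold` distinct inbound endpoints, regardless
    of port or payload: the 'many simultaneous connections' pattern."""
    return {host for host, e in flow_profile(packets).items() if e["peers"] >= threshold}


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for host, entry in sorted(flow_profile(traffic).items()):
        print(host, entry)
    # 10.0.0.5 has 300 peers and 300 "unknown" payloads; 10.0.0.7 has 3 "http".
    print("flagged by flow pattern:", flag_hosts(traffic, threshold=100))
```

Running it prints a per-host profile in which every one of 10.0.0.5's payloads classifies as "unknown" (the signature check gets nothing from the encrypted bytes), while the header-only peer count still singles that host out. The threshold of 100 endpoints is arbitrary; in a real deployment the useful number comes from baselining normal hosts, and a flow-only rule of this kind will also catch any busy server, which is the trade-off both sides of the thread are circling.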