
Deep packet inspection could be outlawed in US - vaksel
http://www.techworld.com/security/news/index.cfm?newsID=114856&pagtype=all
======
tptacek
Totally misleading headline. DPI-based behavioral advertising and customer
tracking might (might!) become unlawful. But even the people advocating for
DPI regulation concede that it will be used for "security" and "network
management", which means that ISPs will still be able to use it for:

* Blocking or throttling BitTorrent and P2P

* Satisfying requests from the RIAA and MPAA, and

* So-called "lawful intercept".

Note also that when the government "wiretapped" the Internet, they didn't do
it by deploying Narus directly on ISP networks. Instead, they offramped traffic
to their own lab network. There's no reason you couldn't build a shrink-wrap
commercial offering based on the same idea; ISPs already offramp internally to
"scrubbing networks" when handling DDoS and botnet traffic.

------
pj
What is the problem with DPI? It slows down torrent downloads, which are
already slow, but speeds up more synchronous activity like web browsing and
chatting. Don't we all want that?

~~~
Kejistan
DPI does not specifically slow down bittorrent traffic or speed up http
traffic. DPI filters traffic based on the data in the packet, which affects
all traffic. What happens to that traffic is up to the person implementing the
DPI.

The problem with DPI is that it's akin to the post office reading all of your
mail.

~~~
pj
The post office has a similar system, except they charge customers differently
to get information to the recipient faster. Overnight costs more than first
class for example.

If DPI were used to allow customers to pay based on priority, would that be
acceptable? For example, if you only want to pay 1 cent per GB for a torrent
download that gets packets to you at 1/3 the rate of HTTP packets, which cost
2 cents per GB, would something like that work?

I am not proposing it, just continuing the post office analogy.

~~~
Kejistan
I've never understood this analogy. We already pay more for more bandwidth
which is supposed to allow us to receive packets faster. This always sounds
like they're expecting me to pay twice for service.

------
Allocator2008
In terms of a long-term solution to the DNS cache poisoning issue it seems
deep packet inspection could be the only way to go. The work-around was to
extend the encryption involved with DNS but that only makes it harder, but not
impossible for DNS hacks to take place. Only if deep packet inspection happens
would DNS hacks truly become a thing of the past, since if my ISP is
inspecting all the packets, and its stored IP for say cnn.com gets re-routed
to a hacker's IP, an inspection of the packets coming across could flag a
problem to the ISP. I am not an expert in this area but I just recall from
reading a 'Wired' article on this issue that the only really good solution
here is in fact deep packet inspection. So outlawing it would be a hacker's
wet dream, and by hacker I mean "cracker" or "black hat" people obviously.

~~~
tptacek
(1) No part of the DNS is currently any hacker's wet dream. Why bother
spoofing at all? You don't need to bust out the batmobile to get into most
people's accounts.

(2) The technique that "extended" DNS' security is the same technique that
protects plenty of other core Internet protocols, so if it doesn't work at
least in the medium term, we're all doomed.

(3) The issue isn't _whether_ DNS is breakable --- it always has been --- it's
_how easy_ it is. The problem is about cost, not about raw capability. If
you can't pull the attack off drive-by, it doesn't make a difference in 2009.

(4) Anybody who tries to sell you on a DPI solution to DNS security is
scamming you. You'd need a globally deployed network of DPI boxes, all
synchronized, to make a dent in the problem.