

Open-Source Deep Packet Inspection - javanix
http://arstechnica.com/open-source/news/2009/09/deep-packet-inspection-engine-goes-open-source.ars

======
tptacek
A surprising miscue from Ars Technica; this "technology" has been available in
GPL open source from Snort since forever.

~~~
javanix
Ah, I wasn't aware that Snort had that capability.

However, at the very least the open-sourcing of some subset of a commercial
DPI product is interesting in that it provides more information than any other
company (that I'm aware of, anyway) has revealed on the subject thus far.

edit: Not to say that it alleviates many of the concerns about packet
monitoring, but some information is better than no information.

~~~
tptacek
It's really not rocket science. If you understand what Snort is doing, you
know pretty much everything Sandvine does. Generally speaking, the commercial
high-speed products do less than Snort, because they have hardware
constraints.

~~~
javanix
No, it's not rocket science as to how it works. But, at least one of these
companies is making a good-faith show of openness.

As the article mentioned, the scary part of this technology isn't the
technology itself - it is the potential applications of the technology. Any
openness coming from a company with an application like this is a positive
market pressure.

I'm perfectly fine (and I think most people would be) with certain
applications being throttled (to a reasonable extent) as long as I am told up
front about it in my ToS, and as long as I _know_ that my data is not being
stored anywhere.

A first step to that kind of trustworthiness is more openness as to the
filtering software being used.

~~~
brl
One of those potential scary applications of this technology is censorship.
During the protests following the contested Iranian election last June, the
government worked to prevent people from being able to use the internet to
communicate information (especially photographs and video) of the repression
to the outside world.

The state censorship policy in Iran is mainly implemented with transparent web
proxies that identify prohibited URLs and redirect to a warning page. Internet
users in Iran have become quite adept at bypassing the filters by either using
specific circumvention tools or by tunneling their traffic out over VPNs or
protocols such as SSL or SSH.

During the protests, the Iranian authorities began to restrict access to
specific protocols by throttling them down to a trickle of bytes so that
business users could still access some SSL services or foreign VPNs with
enough patience, but the channels were no longer usable for mass tunneling to
restricted websites.

The traffic throttling is implemented with the same techniques that ISPs use
to restrict P2P file trading traffic. It's the exact same DPI vendor hardware.

------
sophacles
This is ok, but it's really not much of an improvement on Linux's layer7
modules for netfilter. It is still not very useful for identifying encrypted
traffic. Much cooler are statistical approaches, because they can frequently
get around encryption for protocol identification purposes. E.g. spid (don't
know if it gets around the encryption thing...)
<http://sourceforge.net/projects/spid/>
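To make the point about signature matching versus statistical features concrete, here is an added example (not from this thread, and not code from the l7-filter, SPID or Snort projects): a payload-pattern check in the style of layer7 identifies plaintext HTTP but sees nothing in an encrypted record, while a byte-entropy feature still flags that record as likely encrypted. The regex, the entropy threshold and both sample payloads are constructed for the illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Simplified, constructed stand-in for an l7-filter-style HTTP pattern (not the
# project's actual regex): matches the start of an HTTP/1.x request line.
HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")

# Above this many bits of Shannon entropy per byte the payload is treated as
# likely encrypted (assumed threshold; text sits near 4-5, random data near 8).
ENCRYPTED_ENTROPY_THRESHOLD = 6.5


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte."""
    if not payload:
        return 0.0
    counts = Counter(payload)
    total = len(payload)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def signature_match(payload: bytes):
    """Payload-pattern (layer7 style) identification; None when nothing matches."""
    return "http" if HTTP_REQUEST_RE.match(payload) else None


def classify(payload: bytes) -> str:
    """Signature first; fall back to the statistical entropy feature."""
    label = signature_match(payload)
    if label:
        return label
    if byte_entropy(payload) >= ENCRYPTED_ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "unknown-plaintext"


def constructed_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted record."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample payloads, not real captures.
HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
ENCRYPTED_PAYLOAD = constructed_random_bytes(1024)
```

High entropy also characterises compressed or base64-encoded payloads, so real statistical classifiers combine this feature with packet-size and timing distributions rather than relying on it alone.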

