The analogy of TCP/IP to Radio. The problem.
TCP/IP is very similar to directional radio waves. You can send data to
a destination (an address) and you can send it on a frequency (a port).
The problem is that the "airwaves" are getting extremely cluttered, with
utter shit from spam, with microsoft anti-virus downloads, with viruses,
with bittorrent "illegal" downloads and a multitude of badly-designed
VoIP systems, the majority of which use SIP.
SIP, as I've pointed out before, is especially bad because the ports
over which RTP is negotiated (RTP is the actual voice bit of SIP) are
chosen by the wrong end! You therefore need to mess badly with your
firewall, opening up a range of incoming UDP ports, or you need to have
a SIP proxy which sits on the outside of your firewall, NAT-proxying
the audio packets onto a sensible small range.
We have a situation where ISPs are desperate to make money, especially
when they happen also to be TelCos, and they see VoIP as a major threat
to their revenue stream. This example is what we need to learn from:
VoIP is only the first in a line of protocols of traditional communication
(voice) exploited ruthlessly by Cancerations (corporations that worship
profit with blatant disregard for the available resources).
We have a situation where the 'written word' (letters) are being
superceded by email, but that particular communications system isn't
very secure - it never was - and so it gets absolutely hammered.
Instant Messaging is about the only communications system that actually
works, and has made it onto the Internet mostly unmolested. The only
pity is that, other than CSpace, and
Skype, every other IM protocol is centrally controlled. Oh - other
than our old unix friend 'talk' which for some reason nobody uses any
more :)
And then there's file-sharing, which is used to communicate
intellectual property. like - intelligence can truly be enslaved.
Thank god for the free software movement: it recognises that
intelligence nor knowledge should be restricted.
File sharing is typically used to communicate what used to be
stories, and the reach of those 'stories' (mp3, mp4 and avi) is now
global in reach. And the Cancerations that believe that they control
these 'stories' are pretending to come down heavily on the ISPs
that transmit them.
I predict that, as the last of the major 'traditional' communications
successfully make their way onto the Internet, that we will see more
clashes and more restrictions. For example, the Video Broadcast program
Democracy is only in its infancy,
but it proves the model for true communication from anyone to anyone.
No centralised control. Imagine the shit-storm if that overtook
government-run television and Canceration-controlled movie distribution!
The best case scenario is that countries shut down their Internet at
the borders of their country, which is something that China is already
talking about doing.
So, the requirement to protect people from this kind of draconian
abuse is very clear and very real, and we are in a position to do
something about it. Not only that, but I envisage that it will be possible
to optimise VPNs as a result, by messing with the way that the packets
are sent.
What's the relevance of Skype?
Skype contains several stealth and firewall-busting technologies, but
it doesn't go far enough. Skype was developed by the people who brought
you Kazaa - the first really successful peer-to-peer file sharing
technology, that the designers sold and made a fortune on, and then
moved to the next Big Thing: voice. They've since moved on to video
(Joost)
Skype detects and uses your HTTP proxy if you're inside a corporate
firewall, and tunnels the SIP protocol over that. It detects if you've
neglected to switch on your firewall, and utilises that to route other
people's traffic through you. It utilises third parties to do UDP
NAT-busting by a simple well-known and (IETF RFC) documented method which
uses the third party to swap 'incoming' UDP port numbers which your
TCP/IP stack on each end created, then drops the connection to the
third party and utilises the two UDP ports, safe in the knowledge that
the NATs on each end will now be correctly set up!
Also, Skype solved the problems normally associated with SIP's RTP
protocol. Also, they provide Instant Messaging over their network.
Also, they provide a search mechanism so that you can look up your
friends. Also, they implement the usual 'IM' style of allowing
communications from contact lists, so that you don't get swamped
by unsolicited calls.
There are many many lessons to be learned from Skype, but the one thing
that they didn't implement - despite me banging on at them that they
really should do it - was this: utilising their infrastructure to add in
TCP/IP tunnelling. Allowing any traffic, not just VoIP and
IM and very slow fileswapping (3k/sec).
Then, about a year ago, Skype ran into a brick wall - just around the
time that they sold out to Ebay (oh what a coincidence). Over eighteen
months ago, the Telcos had worked out how to block Skype, and were
deploying it, whole-sale. By not bothering with the peer-to-peer
traffic, but by identifying the SIP (or more specifically the RTP)
packets, they have taken back control. The cancer of capitalism,
which, in the VoIP arena was stopped temporarily by Skype's innovation,
is now 'immune' to the Skype 'cure', and marches inexorably on to continue
its pathological consumption of resources.
Here's the thing: in the hands of a company like Ebay, Skype's technology
has the money behind it to tell the Telco's to back off - or to do deals
with them.
Unfortunately, Ebay now collects motherboard information and other
identifying statistics off of your machine if you use the Windows version
and you allow it to be upgraded. The days of Skype are numbered,
and the designers have moved on to Joost, to do video.
Fortunately, we can learn the lessons from Skype's technology, which
has been studied by several parties (myself included, at a higher level).
Even Mr Cringely received a Skype phone call from somewhere in China, just
like he predicted would happen, from a group claiming to not be using Skype,
to let him know that they'd cracked the protocol.
What's the big idea??
The big idea is very straightforward: apply standard stealth techniques
that are already known and proven to work from difference sciences, such
as radio communications (in particular, spread-spectrum transmission)
and cryptography (in particular, steganography).
The use of steganography is a little extreme - but it demonstrates a
point which is easily done: your VPN 'overlays' traffic into the stream
of, for example, HTTP traffic - a steganography-HTTP-VPN-proxy (whoa
that's a mouthful) - but it is removed transparently at the
other end (like rproxy). Packets are encoded into the whitespace of HTTP,
into the mime-encoding of HTTP POST Content Forms, and into images.
All of these things can be detected by a pre-arranged application of
spread-spectrum-technology using a Diffie-Helmann algorithm to negotiate
the secret key, whereupon it then becomes near-impossible to even notice
where the traffic is, because some of the traffic will be modified,
and some of it won't.
Anyone trying to stop that would have a bitch-awful job.
They would literally have to go back an era, starting with cutting
off the Internet entirely. As a direct result, their entire economy
(if they're a country) would be shot into turmoil.
But - for now, I wanted to expand on the much simpler approach, which is
hinted at, above: to use just the spread-spectrum technology over IPv4 to
tunnel IPv6. The great thing about this idea is that, strictly speaking,
you don't need encryption, all you really need is compression (which
makes it not look like a VPN, which is banned by some fascist ISPs in
the U.S.) Also, you can use the spread-spectrum algorithm as a way to
encode the session
(port + IP address or other state information), so you can do away with
that silly tunnelling header that is put on front of VPN packets!
In fact, strictly speaking, this algorithm is not really a VPN at all:
it's a tunnelling system. It's a carrier wave. It's a proxy. It's a bird.
no, it's a plane!
Now, here's the bit that's nice: the spread-spectrum concept doesn't
have to just include port numbers, it can also cover IP addresses, and
you would automatically get load-balancing over your IPv6 VPN, for free.
If you were to utilise the same principles that Skype do in their
peer-to-peer communications, which is that they use relays, and they
flip the relays occasionally, throughout the SIP call, you could set up
routing to multiple destinations, and encode the ultimate destination IP
address and port number into a combination of the UDP or TCP sequence number
plus the spread-spectrum algorithm, as opposed to ... this is starting
to hurt my brain :) It's Network Address Translation, using Spread-Spectrum
itself to encode the 'Translation' and also scrambling the source IP address
(in UDP packets), source port - and we haven't mentioned ICMP yet!
Effectively, you reimplement routing, over IPv4, but you implement it
in a simple manageable way. I'm writing this on-the-fly, and I'm thinking
about it... I think it might be possible to solve some of the issues
of routing in peer-to-peer distributed wireless mesh networking using
this spread-spectrum IP+port number approach, when attempting to get back
onto IPv4 from the wireless mesh network. Amongst other things.
It's basically incredibly exciting, and I'm just scratching the surface.
Hints and Possibilities
So: we know that people are trying to control the Internet for profit,
and succeeding. This is ironic, as the original requirement for the
Internet was that it was supposed to be an attack-resistant defense network.
So, the only way to get round them is to move to the next level: treat
IPv4 as simply the carrier wave for a new form of Internet, and fortunately
IPv6 has come along and can be used as the basis for that new form of
Internet.
The use of spread-spectrum technology on top of IPv4, to encode state
information such as the real destination IPv6 address and port number
basically allows you to completely disregard all of the normal rules
that apply to IPv4. Of course, it will be necessary to obey some of
them, for example, it will be necessary to obey IPv4 firewall rules,
and it will be necessary to utilise that NAT-busting scheme (the one
which uses a third party to set up two UDP connections: the end result
is that both your NATs have the right UDP port redirections open).
But everything else is completely free-for-all, including and especially
ICMP. And, if you don't want to run a firewall on your box that's running
this kind of 'gateway', then ironically you open up the possibilities
even more.
I especially like the fact that you don't need to add header packets.
Also, the steganography idea is just wriggling the knife around a bit,
because it bluntly states: "there isn't any point in you trying to work
around this: we're a step ahead of you. You can carry on thinking that
you can control everything, but you're deluding yourselves."
Things to watch out for
Entire countries or organisations cutting themselves off from
the Internet. Large Communities going 'dark' - not just in communication
but also in culture. Fortunately, if such a thing occurs, the citizens
themselves are quite likely to rebel.
Migration of spam, viruses etc. onto the new Internet. There are
ways to deal with this: nmap 'fingerprinting' of the machine that's
doing the transmissions, finding out if it's windows, and banning it,
outright.
Using protocols that use RSA keys or OpenID or other public
key infrastructure to identify the person and the service that
they're using, as a priority over-and-above the IP address - like
CSpace already does.
Maintaining a peer-to-peer distributed database of IPv6 IP
addresses, RSA keys and OpenID keys that are banned from utilising the
network, and using trust
metrics and/or
keynote
(RFC
2704)
and/or reptile as the mechanism to make
decisions about whether the person reporting the abuse is trustworthy.
Conclusion
The internet used to be a good thing - but it was naive of us to think
that it wouldn't get abused by Cancerations. By treating the IPv4
network just like radio waves, we can utilise it to create a new
Internet - and, hopefully, apply an infrastructure which is resistant
to the mistakes of the past.
Luckily, if that all goes belly-up as well, then, just like in the
Neal Stephenson and William Gibson Sci-fi books, we simply... move
the infrastructure up to a level. Like my University lecturers
liked to say: "Got a problem? Add another layer of indirection" :)
Notes and Further Reading
When I checked earlier and saw five new replies I thought my the thing I was striving to not cause (a flame war) had erupted, only to find it was yourself replying four times. Phew I guess - anyways...
Moving on with the argument about the Radio analogy - In the computer network model, if I want to send some information to a computer, then I pick a protocol, and then address it to a particular IP address and port number, and those packets go along the network as according to protocol and the rules of the routers and gateways, being forwarded over several networks till they reach their destination.
In this IP world, if someone controlling one of these routers or gateways has the ability to monitor you, stop you and even change the packets that are going through (for instance proxy’s modifying headers, NAT etc).
In Radio, if I want to talk to a particular person, the simplest way to do so is to use CW/Morse, where I pick a frequency and generate an electromagnetic wave which is propagated through the atmosphere in various ways as according to the laws of physics.
Now, if you wanted to stop the radio traffic, then you’re stuck. You can try to cause interference, or, more likely, just drown out the signal with a much stronger signal on the same frequency. But you would be unable to “adapt” that signal in any ways. You would be unable to pick the signal out of the air and replace it with something else (the closest thing you can get to that is actually a repeater station, which allows low power mobile users to communicate through the use of an automatic static station, which you broadcast to on a 600 KHz offset and it broadcasts it back on. However, the note there is that it can’t just take the original signal out of the air – there has to be that frequency difference.
--
On other notes, let’s say that I want to use VOIP (or indeed video) over this virtual network, for which I want to get a relatively high percentage of packets getting through, and also in a particular latency period. If I am starting the transmission by spreading them out to lots of different places, how does this affect the average latency, and if the packets are all taking different amounts of time to get there, how do the systems which put the information back in line hold up (I am presuming here that the re-ordering algorithms don’t actually get used that much – when I was doing VOIP testing at Uni, we found that the number of packets out of place was a minority, and then the number of packets that where only marginally out of place the majority of this minority (Based upon people testing all over the UK through to a US server and back). Because of this, the algorithm we used to re-order the packets in the playback buffer was quite primitive, and certainly did not hold up very efficiently when we spoofed the packet fragmentation at higher rates.
Are you still going to be in a position that this undetectable and unstoppable transmission mechanism is still going to be less-performance useful then the ISP’s connection-optimized own brand?
del.icio.us
Digg
Google bookmark
reddit
Simpy
StumbleUpon
Furl
Newsvine
Technorati
Tailrank