Wed, 28 Sep 2011
Why it's important to defeat the network management infrastructure
I see the Internet as an ongoing conversation between millions of computers. Some of these computers are controlled by me or by my friends. When network administrators make it harder for our computers to send messages to each other, I get upset.
Angry, actually.
High school
I didn't always feel quite so strongly about this.
Twelve years ago, I was enjoying a foray into running a server at home. I was excited to connect to it from the Brighton High School computer network. I couldn't connect, though; I discovered that the high school's Internet connection was filtered through a proxy that only would connect to web servers.
I had an SSH server I wanted to connect to, so I could read my email in PINE. SSH isn't the web, so the proxy wouldn't let me through.
Then I learned about GNU httptunnel. This is a pair of programs:
- a server, that sits on my server at home and runs a fake web server; and
- a client, that I run at school, that lets me connect through the fake web server to the SSH service.
After some experimentation, I got the tools working.
From time to time, I would work on a file at home and forget to bring a copy to school. Now I could use the tunnel to connect to my desktop and download it.
From this experience, I took two lessons:
- Whatever network restrictions there are, I probably want to circumvent them.
- It will probably be reasonably easy to do so.
The experience reminds me of John Gilmore's famous quote:
The Net interprets censorship as damage and routes around it.
I enjoyed reading my email from school. I never felt I was endangering the high school network. I did try to set up my tunnels as fast as possible in case a teacher wandered by.
A conversation between computers
To many people, the Internet is a set of resources that humans can access.
To me, this is wrong for two important reasons:
- It is factually incorrect.
- It is a political mistake.
Factually speaking, every time you request a web page, you send a request to a remote computer to send it to you. That computer, upon receiving the request, can do whatever it wants. It is, approximately, sheer luck that when you visit an image like this twice, you see the same thing.
Politically speaking, this perspective hides one of the real crimes committed by Internet censors: fraud.
Four years ago or so, Comcast famously used heavy-handed techniques to prevent users from effectively using the BitTorrent file sharing software. If you belive in the Internet as a set of resources, there isn't all that much to complain about. After all, they let users access the whole World-Wide Web.
To see the world the way I do, you'll need some basic knowledge of Internet protocols. As a refresher, if you are on computer A, sending a file to computer B, Internet traffic between them generally looks like this.
First, a handshake:
- A -> B: Hi
- B -> A: Oh, hi!
- A -> B: I'm going to send you a file
- B -> A: Cool, go ahead.
Then the file transfer begins, sending chunks until they are all sent:
- A -> B: Here's one chunk
- B -> A: Great, send more chunks
- A -> B: All done sending
- B -> A: Hooray! I just love receiving files!
- B -> A: Okay, bye!
- A -> B: Bye!
Comcast does something exciting: in order to make the file transfer fail, Comcast sends you a specially-crafted message that appears to come from computer B. It says, "Okay, bye!"
So your computer stops sending.
From a user's perspective, the file transfer stops. At the network perspective, Comcast lied. Comcast is impersonating a remote party in a conversation.
Imagine with me, for a moment, that this is a phone conversation. When you call certain people, your phone operator is interrupting the conversation to play a message specially crafted to sound like your friend saying, "I have to go now!" You might hang up, thinking the call is over.
As it happens, in the Comcast BitTorrent blocking case, you can work around the tactic: if you configure your computer to ignore all "Okay, bye!" messages, the file transfer works fine.
If you see the web as a collection of resources, you might ask why your ISP is blocking access to a particular site. You might wonder why they're blocking BitTorrent.
If you're me, you'd ask: What gives them the right to lie about their identity when talking to you? To impersonate the computer operated by your friend across the 'net?
It strikes me as commercial fraud. Whatever sysadmin deployed this automated fraud technology needs to be put in jail -- if not him, then his boss.
Port blocking
Instead of actively impersonating a remote computer, another common tactic is to simply drop certain messages on the floor. This is most of what we ask "firewalls" to do. (Unless the network notifies you it did this, you can consider this a lie by omission.)
Many guest wifi networks drop Internet messages between computers based on the port number.
Different ports, for readers who don't know, are typically used for different kinds of services. A computer on the Internet can provide web service by listening on port number 80, and provide inbound email service at the same time by listening on port 25. The secure login service ("SSH") is usually found on port 22.
One of my housemates recently sent me an email complaining that she couldn't connect to her web hosting service. She was on someone else's wifi network. We eventually determined the cause: the network was dropping messages her computer sent to the hosting service on port 22. (Also, the organization in question outsourced their network management services, so there was no one in the building she could complain to.)
At this point, I got angry. The network admins are not making their network safer, but they are making it harder for her to do what she wants. Port 22 is not a dangerous thing to permit people to use.
So I configured one of my servers to listen on a port she could access. Like the GNU HTTP tunnel configuration I used in high school, the machine would relay messages from her limited network into the real Internet. In this case, we used sslh on the server, and configured her computer's SSH client to use a "ProxyCommand."
Moments like this remind me that the Internet -- that is, the routing of messages between computers, between (inter) networks (net) -- is vanishing before my eyes. I'm lucky in that I remember the old way; I started to use the Internet in an era where you could expect that packets would actually be sent to their destination, not rudely dropped on the floor or impersonated.
Summary
Now, it is normal to see packets mangled by Internet service providers. ISPs forge IP headers, sometimes to make the network seem faster, other times to insert advertisements into other people's web pages. Usually there is no way to opt out.
What all these network tricks have in common is that the ISP impersonates one party in the conversation.
When I ask the network to please send a message to another computer for me, I'm not asking to be lied-to.