Traffic shaping and ports....

The Gnutella network (Bearshare, Limeware, Shareaza,
gtk-gnutella....etc....) appears to be able to use any port.

I have one system on a port in the 10ks and another on a port in the
30ks....and obth work fine.

How would any traffic shaping work out what the application is when the
port used is - apparently - almost random?

 

They simply inspect the packets, layer 7 inspection.
So if an ISP is using this it won't matter what port you use your p2p
on, they will know

Of course not all ISP's use this and usually only start shaping p2p
traffic when other traffic is suffering.

 

Hmmm... curious.

I would be surprised if any NZ ISP had the kind of processing power (and
money) to do that kind of thing.

The US Govt - possibly.

Sniffing a packet is one thing, sniffing literally millions every
second, let alone decoding them into meaningful data - assuming you've
guessed the right protocol (i.e. layers about TCP/IP), not even counting
packets with encrypted payloads, and doing all this in realtime?

However, perhaps there's something I'm missing?

Do you know what mechanism they're using to sniff packets, and what
method of shaping is being implemented?

 

Oops, that should read "layers above TCP/IP"..

 

It seems Orcon are doing it. I'm out of my depth here but from what is said
on this page:

http://www.orcon.net.nz/help/status/bitstream/

It seems they are doing layer 7 inspection.

Are you surprised?

 

Interesting - thanks for the info.

I came across this as my first primer to L7 QOS filtering:
http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter

Yes, pattern matching packet headers for protocols did occur to me when
I was writing the post.

So, it's not totally fool proof, but, it'll certainly catch people who
just use different port numbers for P2P traffic - assuming they are one
of the "suspected" ones (i.e. do enough traffic to warrant L7 QOS
filtering).

I guess, the other option (assuming it hasn't already been done) is to
simply do P2P over an ssh tunnel. That would defeat the L7 QOS, and I
guess things will eventually go that way anyway.

 

I was of course assuming that that an ISP would let high bandwidth SSL
traffic through unfiltered, as they don't know what's inside.

Otherwise, they could just do L7 filtering on SSL traffic. Which would
be a bit annoying since they don't know what the "real" traffic is.

Which brings us back full circle to the reasons behind doing traffic
shaping in the first place.

I like the model where you pay for what you use. It's fairer and doesn't
penalise low capacity users. Of course, since the prmary DSL capacity
provider has a monopoly, things aren't always so simple.

 

But doing that you then have to centralise, or (I guess) multiple ssh
tunnels to multiple hosts... kinda annoying, but I guess it could be
done and automated...

 

You're welcome. Your comment about layer 7 fired off a vague memory so I
hunted it down. I actually know nothing about it.

Hmmm. Out of my league again. I'm not a p2p user, or at least very,
very rarelt so I'll just use defaults I think.

Cheers,

 

I think its funny that you don't think "any NZ ISP" can afford a
shaping device but that they can afford multi-gigabits of bandwidth
(which would be required for "millions of packets/second"). A shaping
device allows you to put 3-4 times more customers on a network, so they
pay for themselves as soon as you plug them in. A device that can
"sniff" 300K pps is about US$ 5K, which is probably what they'd pay per
month for a couple of T1s in NZ (ie not very much).


The trend is towards shaping all of the traffic on your IP so "L7
inspections" are not required, which allows for the case of being able
to shape traffic at gigabit speeds. The effects are somewhat the same
to you, as p2p applications will quickly eat up your allotment due to
their parasitic nature. By shaping your entire IP it doesn't matter
what you run or what port you run it on; the controls are global so as
soon as you start eating up bandwidth you are defeated.

You can defeat L7 bandwidth management by tunneling to an external
system, preferably with encryption. If the ISP has per IP controls
there is nothing you can do realistically to get around it.

DB
Emerging Technologies, Inc.
Bandwidth Management Solutions
www.etinc.com

 

Yes.. its done via Layer7. There are quite a number of companies
offereing boxes which do Layer 7 QOS. Cisco,Allot,ETINC?,.. + more

There are still a lot (mos?t) who do no layer7 so do something like
port 80 is higher priority and everything else is slow.

Or they do nothing and everythign is slow (as P2P is 90% of the
traffic).

ISP's only have a limited pipe they can use. either limited by Telecom
(such as for UBS) or limited on the amount of bandwidth they can
afford for its customers. And they have to do something to make it
"the best for the greater good".

Yes people complain about P2P speeds.. but do you really think that
downloading illegal material off the net is "right". If any kind of
P2P was removed from the internet then maybe ISP's can offer you UBS
at $10/Month with no caps. Until then, ISP's have to offer customers
what makes most people happy/


At slow speeds (say under 100M) even a linux box can do Layer7
perfectly well. (and its free)

Yes.. a device which will do a few T1's (E1's in NZ) is quite
cheaper.(4-5Mbit of traffic). Getting up to Gigabit speeds does
increase the amount by a lot.

Thanks
Craig

 

If it wasnt for p2p I would just be on a 24/7 dialup connection, its not like
128k out makes any non p2p apps work that much better then dialup, still useless
for voip and other use at the same time.

 

If by 'illegal' you mean copyrighted, then yes - I do think it is right.
IP law exists at the sufferance of the electorate. That electorate is now
displaying it's dissatisfaction with IP law by disobeying it en-mass; IP
law has no mandate for it's current incarnation.

Slippery slope, Craig. The moment you start exerting control over useage of
their connection, you forfeit any common carrier arguments and might be
found liable as contributory offenders.

Crap. p2p is the killer app of broadband.

If your employer has built a business model around people not fully
utilising what they have paid for, that is Orcon's problem.

--

.... Brendan

#329409 +(3857)- [X]

<benja> A worldwide survey was conducted by the UN. The only question
asked was:"Would you please give your honest opinion about solutions to the
food shortage in the rest of the world?"
<benja> The survey was a huge failure...
<benja> In Africa they didn't know what "food" meant.
<benja> In Eastern Europe they didn't know what "honest" meant.
<benja> In Western Europe they didn't know what "shortage" meant.
<benja> In China they didn't know what "opinion" meant.
<benja> In the Middle East they didn't know what "solution" meant.
<benja> In South America they didn't know what "please" meant.
<benja> And in the USA they didn't know what "the rest of the world" meant


Note: All my comments are copyright 16/08/2005 10:24:54 p.m. and are opinion only where not otherwise stated and always "to the best of my recollection". www.computerman.orcon.net.nz.

 

ISPs aren't usually Oxford graduates. Offering something that can't be
delivered is a marketing technique thats been used since the beginning
of time.

And lets try to be accurate, p2p is not "Level 7". Its L3 and/or L4. L7
would imply application level stuff, such as knowing which user is
logged it, or which command is being executed. protocols run at L3/L4
generally.

Whether its "right" or not is and should not be an ISP issue. In my
view, ISPs should not decide which applications are good and which are
bad. They should manage bandwidth. You get "this much" for what you
pay. If you use more, you'll be throttled. ISPs are bandwidth
resellers, not content watchdogs. Most of them just aren't smart enough
to figure out any other way to do things.

DB

 

Interesting.

How long before these apps start to encrypt traffic - and layers other than
purely IP routing - once the peer to peer connection is established?

 

I hope your ISP throttles you if you ever want to download the latest
Knoppix release with a torrent client.


Cheers,
Nicholas Sherlock

 

*SNIP*

Much as I hate to agree with someone who brands all P2P traffic as
"illegal" (Craig should know better!), he's right. P2P stuff runs well
above layer four - layer, not level, for starters, and calling it "level"
shows your ignorance. Layer four is TCP/UDP, and you can't tell diddly
about a connection if you're inspecting so far down the stack. You need to
be looking at least to layer six to get some idea of what's going on
inside the connection.

 

Ermmm hes kinda right. The products he talks about are L3/L4 products that
look at packet headers for traffic shaping and use protocol based
information to make decisions. This is fundamentally flawed though and would
assume P2P apps don't port hop (which would be very easy to do). Where he
does get things wrong is assuming L7 is not used, which it is. However L7
products are a lot more complex and expensive than L3/4 products, as the L7
products look inside the data, reassemble it, and analyze it.

Most L7 products are not used for traffic shaping, they are used for
security purposes (ie identifying and blocking P2P traffic, worms etc). A
typical 200Mbps throughput L7 device lists for around $30k NZ. Going to
gigabit level your talking in excess of $100k. Then you have to build in
redundancy. If you took a 10Gb environment and wanted to put L7 on it with
redundancy then you are talking in the millions of dollars plus ongoing
annual maintainance.

 

Very, very interesting.

In that case, I wonder if Orcon are using genuine L7 products? (well
thay say L7 QOS on their website)

 

In reality its doubtful. However the problem these days is so many products
confuse terminology. One products "l7 QOS" might be just identifying
application traffic by port numbers, so while its not real L7 people could
argue all day over the semantics. So if you moved a P2P app to a
non-standard port its most likely their shaping would not pick it up, unless
of course they shape in reverse. What I mean by reverse is that everything
is low priority by default, then escalated if its identified. For example,
web traffic (port 80) is seen and given high priority, but say you access a
web server on a nonstandard port (say port 81) the traffic is not recognised
as web and give low priority.

A smart ISP would do it that way, adding protocols they want given priority,
such as http, https, smtp, pop3, smtp, then gaming ports and so on.

The only danger with such a system is people who run p2p apps on the
standard ports effectively bypassing the shaping. However, that is rare, and
some isps proxying process will break that.