Engineers from APNIC have been gathering from all over the region at the Apricot 2015 conference in Japan to sort out how the underlying infrastructure of the Internet should work going forward. Away from the talk of single stack vs dual-stack IPv6 on mobile networks, encryption workshops and threat analysis of the various types of amplified DDoS attacks, I had the chance to sit down with APNIC’s chief technologist Geoff Huston over lunch who gave but a few examples of how both telcos and handset makers were oblivious to how irrelevant they were quickly becoming.
Take the iPhone boot sequence for example. Huston said he’s been looking at packets and all it does after being turned on is it sets up an encrypted connection to Apple’s servers and after a few packets, the network goes completely dark as to what the phone is doing.
What is more worrisome (from the carrier’s point of view) in that Apple now uses Multipath TCP for Siri. MPTCP allows data to flow across multiple connections to get to the destination, in this case, both cellular data and WiFi. Suddenly, the telephone sold and often subsidised by the telephone company is sending encrypted data over someone else’s network (WiFi) in a way that leaves the cellular operator with no choice, insight or understanding of what the handset is doing at all. The relationship with the telco is totally disintermediated and it becomes one with Apple over any choice of heterogenous network.
Visibility from the telco, though many deny using it, is a goldmine of information. A telco’s NAT (network address translation) log is essentially a snapshot of what everyone on their network is doing at any time, showing what websites they are visiting or what kind of data they are streaming (video or music). Everything, that is, other than the encrypted communications with Apple thought it would show that something is happening with Apple.
Going to a full IPv6 mobile stack with real v6 IPs would remove this NAT log and it’s accidental snapshot of all its subscribers, Huston told me with a slight dose of skepticism. The point is under 44 NAT (private IPv4 to public IPv4) telcos already have the perfect, compact log to hand over to spy agencies who want to do mass surveillance without having to actively put in a logger to do the spying.
The same could be said for DNS servers and here things get interesting.
Huston said that Google DNS was pretty much a snapshot of what the entire world is doing at any one time. It shows Google exactly what services people are accessing. The heartbeat of the world.
It is not just end users who configure their DNS to the easy to remember 22.214.171.124 and 126.96.36.199 IP addresses, but he said that a major ISP in Vietnam had done the same as are many others across the world. He estimated that up to one third of Vietnam is resolving via Google DNS. With so many ISPs using Google DNS, the level of insight they have into what the world is doing is verging omnipotence.
Encryption is one way that the telco is losing control, another is the rise of apps that do not trust the underlying services, like DNS, provided to it from the device platform or network. One example of how was video streaming service Netflix.
In a recent update Netflix now includes its own DNS resolver built right into the app, no longer trusting the DNS provided by the handset or the telco. Netflix traditionally uses the source of a DNS query for geolocation, which can be easily reconfigured so the change was meant as one to enforce their digital rights management policy. By having its DNS resolver built right into the app, it solves the problem (from Netflix’s point of view) of people using DNS to get around geo-blocks.
Another example was Skype, which actually comes with an encrypted, obfuscated binary that makes it almost impossible to see what is happening with current analysis tools.
If all apps were to include a DNS resolver inside rather than trust the platform, then the telco or Google (if you use Google DNS) would, for better or for worse, lose a lot of visibility into your life.
Huston said that the boys in Barcelona - both handset makers and operators - are being pushed by the potential of ever more powerful handsets allowing software developers incorporating these network elements right into their code into being a dumb pipe and a dumb platform and everyone there in the old world is too busy congratulating themselves to see this sea change coming.