It is well known that ISPs use deep packet inspection to deprioritize certain types of network traffic, such as that belonging to filesharing applications. If ISPs achieve this throttling of traffic by examining the payload of IP datagrams, couldn't encrypting the payload with IPsec prevent such throttling?
Viewed 1,105 times
1 Answer
2
IPsec or another kind of VPN will prevent the ISP from using DPI to analyze the different kinds of traffic transported. But the ISP can detect that there is an IPsec/VPN tunnel and can treat it as low-priority traffic, this way making it even worse for you.
Steffen Ullrich
- So the average ISP assumes there aren't likely to be 'legitimate' uses of IPsec, and categorically marks them low priority? – aeb0 Feb 20 '17 at 21:15
- That's not what was said... In Europe ISPs aren't allowed to do DPI and unnecessary prioritization of traffic at all. Net neutrality is a good thing :) – Sander Steffann Feb 20 '17 at 22:27
- @aeb0: in an ideal world you don't need traffic prioritization because you have enough room for traffic spikes. In the real world, and especially in the mobile world, you don't have enough, so you need to prioritize what is important and what is not. In an ideal world this would be easy because traffic has specific tags. In the real world you cannot trust these user-given tags, so you try to guess by looking closer at the packet. DPI is comparably expensive, so most ISPs would rather do without, but if you want to get the best experience for all users from limited resources, prioritization is needed. – Steffen Ullrich Feb 21 '17 at 03:42
- @SanderSteffann: Net neutrality does not forbid DPI and does not forbid prioritization, because if you have limited resources you need to somehow manage them to get the best user experience. Net neutrality does not forbid the use of such techniques, but it forbids *misuse* of such techniques, i.e. it allows preferring VoIP over HTTP, but it does not allow limiting traffic from competitors or preferring your own traffic. The idea is not to have no rules but to have the same, non-discriminating rules for everybody. – Steffen Ullrich Feb 21 '17 at 03:46
- @Steffen: the rules are stricter than you seem to think. Take a look at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2015.310.01.0001.01.ENG&toc=OJ:L:2015:310:TOC. Especially items 9 to 12. It allows for reasonable traffic management but explicitly points out that reasonable traffic management does not require DPI. Specific to this question: VPN traffic does not have different requirements in terms of bandwidth, latency etc. than normal traffic, so specific traffic management rules for VPNs are not reasonable and therefore not allowed. – Sander Steffann Feb 21 '17 at 07:59
- @SanderSteffann: I don't see anything which forbids the use of DPI in these rules. And it is hard to differentiate between VoIP and BitTorrent without it, since both use dynamic ports. And while the provider should not simply slow down VPN just to annoy the user, it can still consider it less important than other kinds of traffic, which means that in case of limited resources a VoIP call done through the VPN connection might be implicitly worse than a VoIP connection outside of the VPN, since, because of the limited visibility, the ISP simply cannot prioritize in-VPN traffic the same way as traffic outside the VPN. – Steffen Ullrich Feb 21 '17 at 08:50
- @SanderSteffann: maybe we have a different understanding of what DPI is. For me this includes everything which looks at the content of the packet, i.e. not only at IP, port and protocol. In ISP environments this is usually not the invasive DPI found in firewalls which is used to block based on URLs or detect malware. Instead it is a fast and less invasive DPI which just tries to use heuristics for classifying the traffic beyond what is possible with IP, port and protocol. – Steffen Ullrich Feb 21 '17 at 09:03
- The original Dutch Net Neutrality laws were much stronger than the current EU guidelines, so our understanding of what is/was allowed will be different. And it will vary per country as well. The (European) ISPs that I work with usually stay away from anything deeper in the packet than addresses, protocols and ports. Of course there are exceptions, but not that many. – Sander Steffann Feb 21 '17 at 13:27