Re: deep packet inspection over no TLS/SSL traffic
I know. But yes, it is to not get provider fees or a shutdown. When I have more fees from my service, a rural wireless service provider, I'll acquire space in some IXP and then mount a vmd-based host.

> Hope you are doing well,

Fighting hard because I'm a victim of human trade.

Kind regards,

On Tue, May 10, 2022 at 2:17 AM deich...@placebonol.com <deich...@placebonol.com> wrote:
>
>
> On May 9, 2022 2:16:51 AM MDT, Stuart Henderson wrote:
> > SNIP
> > (anyway, by the time you have used DPI
> > to detect the protocol, it is too late to make a decision on packet
> > routing).
> SNIP
>
> Well, not necessarily true, imagine GCHQ ...
> Just saying
>
> Hope you are doing well,
> diana
>

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
Re: deep packet inspection over no TLS/SSL traffic
On May 9, 2022 2:16:51 AM MDT, Stuart Henderson wrote:
> SNIP
> (anyway, by the time you have used DPI
> to detect the protocol, it is too late to make a decision on packet
> routing).
SNIP

Well, not necessarily true, imagine GCHQ ...
Just saying

Hope you are doing well,
diana
Re: deep packet inspection over no TLS/SSL traffic
Correct, it simply passes through interfaces:

root@arnuwanda:/etc# ipsecctl -sa | grep 94.72.143.163
flow esp in proto gre from 94.72.143.163 to 65.20.98.172 peer 94.72.143.163 srcid ASN1_DN//C=ES/ST=Madrid/L=Madrid/O=Telecom Lobby/OU=VPNC/CN=choopa.telecomlobby.com dstid ASN1_DN//C=BG/ST=Lovech/L=Troyan/O=Telecom Lobby/OU=VPNC/CN=bg.telecomlobby.com type require
flow esp out proto gre from 65.20.98.172 to 94.72.143.163 peer 94.72.143.163 srcid ASN1_DN//C=ES/ST=Madrid/L=Madrid/O=Telecom Lobby/OU=VPNC/CN=choopa.telecomlobby.com dstid ASN1_DN//C=BG/ST=Lovech/L=Troyan/O=Telecom Lobby/OU=VPNC/CN=bg.telecomlobby.com type require
esp transport from 65.20.98.172 to 94.72.143.163 spi 0x7a783fbb enc chacha20-poly1305
esp transport from 94.72.143.163 to 65.20.98.172 spi 0xa0fd6c20 enc chacha20-poly1305
root@arnuwanda:/etc# ifconfig gre3
gre3: flags=8051 mtu 1392
        description: bg.telecomlobby.com
        index 15 priority 0 llprio 6
        keepalive: timeout 5 count 2
        encap: vnetid none txprio payload rxprio packet
        groups: gre
        status: active
        tunnel: inet 65.20.98.172 --> 94.72.143.163 ttl 64 nodf ecn
        inet 10.10.9.81 --> 10.10.9.82 netmask 0xfffc
root@arnuwanda:/etc#

Next, they go out to the internet following the default route in rdomain 0:

root@arnuwanda:/etc# route -n show | grep default | head -n 1
default            65.20.98.1         UGS       12 835576762     -     8 vio0
root@arnuwanda:/etc#

Vultr has physical sites all over Europe but they apply DMCA worldwide!

On Mon, May 9, 2022 at 11:22 AM Stuart Henderson wrote:
> On 2022/05/09 10:46, Riccardo Giuntoli wrote:
> > Yes I know. With rdomains and pair it would be nice to write a daemon
> > that inspect L7 search for bittorrent identification and take action
> > above those packets.
> > Yes. DMCA is a complete overkill. Vultr applies it. When business will
>
> It doesn't make sense though, DMCA relates to hosted content, you aren't
> hosting on the VPS though, right? If I understand correctly you just
> route through it?
>
> > grow I will host in some data center a pair of servers and do vmd
> > machines. But I've got to register for RIPE, get an IPv4 and IPv6
> > class, and so on. It's a temporary solution. For now I'm using ndpi on
> > linux and changing DSCP.
>
> If you're in Europe, running this service via US-territory VPS seems a
> legal minefield and a bad idea both for network performance and privacy
> related reasons.
>

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
Re: deep packet inspection over no TLS/SSL traffic
On 2022/05/09 10:46, Riccardo Giuntoli wrote:
> Yes I know. With rdomains and pair it would be nice to write a daemon
> that inspect L7 search for bittorrent identification and take action
> above those packets.
> Yes. DMCA is a complete overkill. Vultr applies it. When business will

It doesn't make sense though, DMCA relates to hosted content, you aren't
hosting on the VPS though, right? If I understand correctly you just
route through it?

> grow I will host in some data center a pair of servers and do vmd
> machines. But I've got to register for RIPE, get an IPv4 and IPv6
> class, and so on. It's a temporary solution. For now I'm using ndpi on
> linux and changing DSCP.

If you're in Europe, running this service via US-territory VPS seems a
legal minefield and a bad idea both for network performance and privacy
related reasons.
Re: deep packet inspection over no TLS/SSL traffic
Yes, I know. With rdomains and pair it would be nice to write a daemon that inspects L7, searches for bittorrent identification and takes action on those packets.

Yes, DMCA is complete overkill. Vultr applies it. When the business grows I will host a pair of servers in some data center and do vmd machines. But I've got to register with RIPE, get an IPv4 and IPv6 class, and so on. It's a temporary solution. For now I'm using ndpi on Linux and changing DSCP.

On Mon, May 9, 2022 at 10:18 AM Stuart Henderson wrote:
> On 2022-05-09, Riccardo Giuntoli wrote:
> > I've found a distfiles on the fr openbsd mirror:
> >
> > https://ftp.fr.openbsd.org/pub/OpenBSD/distfiles/ndpi-4.2.tar.gz
> >
> > Someone try it?
>
> This is used by ntopng, we don't have anything to use this to make
> packet forwarding decisions (anyway, by the time you have used DPI
> to detect the protocol, it is too late to make a decision on packet
> routing).
>
> Also, I have found it to be a bit crashy. It's not so bad for ntopng
> if you're just using it to identify a network problem etc, but doesn't
> seem good as a continuously-running thing.
>
> >> On Sunday, May 8, 2022, Riccardo Giuntoli wrote:
> >>
> >> > Hello there, I've got a little wireless service provider where the edge
> >> > connects to different VPS providers in many geographic locations. One of
> >> > them, based in the US, is applying DMCA doing DPI above no encrypted traffic.
>
> This seems complete overkill from the provider, I would replace them.
>

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
Re: deep packet inspection over no TLS/SSL traffic
On 2022-05-09, Riccardo Giuntoli wrote:
> I've found a distfiles on the fr openbsd mirror:
>
> https://ftp.fr.openbsd.org/pub/OpenBSD/distfiles/ndpi-4.2.tar.gz
>
> Someone try it?

This is used by ntopng, we don't have anything to use this to make
packet forwarding decisions (anyway, by the time you have used DPI
to detect the protocol, it is too late to make a decision on packet
routing).

Also, I have found it to be a bit crashy. It's not so bad for ntopng
if you're just using it to identify a network problem etc, but doesn't
seem good as a continuously-running thing.

>> On Sunday, May 8, 2022, Riccardo Giuntoli wrote:
>>
>> > Hello there, I've got a little wireless service provider where the edge
>> > connects to different VPS providers in many geographic locations. One of
>> > them, based in the US, is applying DMCA doing DPI above no encrypted traffic.

This seems complete overkill from the provider, I would replace them.
Re: deep packet inspection over no TLS/SSL traffic
It could be, and I have already done it using rdomains, pair, and pf match with tag and pass with route-to. What I just started to use (yesterday, after writing this email) at the head end of the wireless internet service provider, one application of my network, is the nDPI iptables module in mangle PREROUTING, just to create different ToS, or better said DSCP, classes, and then route in the OSPF OpenBSD network over IKEv2 depending on the value assigned to this IPv4 field.

I've found a distfile on the fr openbsd mirror:

https://ftp.fr.openbsd.org/pub/OpenBSD/distfiles/ndpi-4.2.tar.gz

Has someone tried it?

Nice regards,

On Mon, May 9, 2022 at 1:19 AM Fabio Martins wrote:
> On Sunday, May 8, 2022, Riccardo Giuntoli wrote:
>
> > Hello there, I've got a little wireless service provider where the edge
> > connects to different VPS providers in many geographic locations. One of
> > them, based in the US, is applying DMCA doing DPI above no encrypted traffic.
> >
> > Now all my VPS are OpenBSD I want to apply the same policy to not incur in
> > service problems or fees.
> >
> > What I want to achieve is redirect all no TLS/SSL traffic to an engine
> > (nDPI? relayd?) that could after interact with PF using an anchor.
> >
> > Someone got an idea to do this?
> >
> > Kindly regards,
> >
> > --
> > Name: Riccardo Giuntoli
> > Email: tag...@gmail.com
> > Location: sant Pere de Ribes, BCN, Spain
> > PGP Key: 0x67123739
> > PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> > Key server: hkp://wwwkeys.eu.pgp.net
> >
>
> Would this solution be ok?
>
> Setup a VPN (wireguard?) between the USA VPS and other VPS in a different
> region ( Asia for example).
>
> Let 443 and other tls ports (465, 993) go normally via USA default route
> for the VPS.
>
> All other ports will use PF binat to masquerade the non-tls traffic via the
> Asian endpoint of the VPN.
>
> Cheers.
>
>
> --
> Atenciosamente,
>
> Fabio Martins
>
> (+5521) 97914-8106 (Signal)
> https://www.linkedin.com/in/fabio1337br/
>

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
Re: deep packet inspection over no TLS/SSL traffic
On Sunday, May 8, 2022, Riccardo Giuntoli wrote:
> Hello there, I've got a little wireless service provider where the edge
> connects to different VPS providers in many geographic locations. One of
> them, based in the US, is applying DMCA doing DPI above no encrypted traffic.
>
> Now all my VPS are OpenBSD I want to apply the same policy to not incur in
> service problems or fees.
>
> What I want to achieve is redirect all no TLS/SSL traffic to an engine
> (nDPI? relayd?) that could after interact with PF using an anchor.
>
> Someone got an idea to do this?
>
> Kindly regards,
>
> --
> Name: Riccardo Giuntoli
> Email: tag...@gmail.com
> Location: sant Pere de Ribes, BCN, Spain
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net
>

Would this solution be ok?

Setup a VPN (wireguard?) between the USA VPS and other VPS in a different
region (Asia for example).

Let 443 and other tls ports (465, 993) go normally via USA default route
for the VPS.

All other ports will use PF binat to masquerade the non-tls traffic via the
Asian endpoint of the VPN.

Cheers.

--
Atenciosamente,

Fabio Martins

(+5521) 97914-8106 (Signal)
https://www.linkedin.com/in/fabio1337br/
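The port split Fabio proposes above, and the "pf match with tag and pass with route-to" plus DSCP-driven routing that Riccardo describes in his reply further up the thread, can be expressed in a single OpenBSD pf.conf(5). The fragment below is an added example written for this page; it is not configuration from either poster. It uses tags and route-to rather than the binat Fabio mentions, and the interface names, customer prefix, tunnel peer address and DSCP class (af41) are assumptions chosen for the example.

```pf
# Added example (not from the thread): pf.conf fragment for an OpenBSD VPS
# that keeps TLS ports on its own default route and pushes all other
# customer traffic through a tunnel to a VPS in another region.
# vio1, gre3, 10.10.9.82, 100.64.0.0/10 and af41 are assumed values.

lan_if    = "vio1"                   # assumed customer-facing interface
tun_if    = "gre3"                   # tunnel to the VPS in the other region
tun_gw    = "10.10.9.82"             # assumed tunnel peer address
tls_ports = "{ 443, 465, 993 }"      # ports that keep the local default route
table <customers> { 100.64.0.0/10 }  # assumed customer address space

set skip on lo

# Tag all customer traffic NONTLS first. Tags are sticky and the last
# matching rule's tag wins, so the narrower TCP rule re-tags the TLS ports.
match in on $lan_if from <customers> tag NONTLS
match in on $lan_if proto tcp from <customers> to port $tls_ports tag TLS

# Optional: an upstream Linux box running the nDPI iptables module can
# classify flows and set a DSCP class before the packets reach this host.
# Honour that mark so a classified flow stays off the default route even on
# a TLS port. af41 is an assumed class; the thread names none. This rule
# must come after the TLS rule so that its tag takes precedence.
match in on $lan_if from <customers> tos af41 tag NONTLS

# TLS-port traffic: ordinary egress, source-NATed to the VPS address.
match out on egress tagged TLS nat-to (egress)
pass in on $lan_if tagged TLS
pass out on egress tagged TLS

# Everything else: bypass the routing table and hand the packet to the
# tunnel peer, which masquerades it on the far side. An alternative is
# "rtable 1" on the pass rule, with a routing table whose default route
# is the tunnel; that is the rdomain-based variant mentioned in the thread.
pass in on $lan_if tagged NONTLS route-to $tun_gw
pass out on $tun_if tagged NONTLS
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -vsr` to see per-rule packet counters so you can confirm that TLS-port flows hit the egress rules and everything else hits the tunnel rules. Note that this only reproduces a port-based split; as Stuart points out in the thread, a protocol identified by DPI can only influence routing for packets that arrive after the classification, which is why the DSCP mark is applied upstream and merely consumed here.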