Re: Project Fi and the Great Firewall

2015-11-15 Thread Todd Underwood
Why not both?  So sad when you have to choose a single oppressive regime to
track your internet use.

T

On Sun, Nov 15, 2015, 09:04 Brandon Butterworth 
wrote:

> > This is what roaming data means, Your data packet is simply trunked to
> > your original operator to process.  So you will be having a US ip on
> > the web.
>
> And continuity of US tracking of your use rather than temporary Chinese
> tracking
>
> brandon
>


Re: Project Fi and the Great Firewall

2015-11-15 Thread Brandon Butterworth
> This is what roaming data means, Your data packet is simply trunked to
> your original operator to process.  So you will be having a US ip on
> the web.

And continuity of US tracking of your use rather than temporary Chinese
tracking

brandon


Re: Project Fi and the Great Firewall

2015-11-15 Thread Christopher Morrow
On Sun, Nov 15, 2015 at 9:21 AM, Todd Underwood  wrote:
> Why not both?  So sad when you have to choose a single oppressive regime to
> track your internet use.

to be fair, probably:
  o china sees the local mobile and can easily unwrap the probably not
encrypted outer packet headers to get your 'metadata'
  o five-eyes sees the over-water transmission(s) and does the same as above
  o US folk see at the GPRx in the US

So really there's 6 regimes all repressive, in their own right, involved.

> T
>
> On Sun, Nov 15, 2015, 09:04 Brandon Butterworth 
> wrote:
>
>> > This is what roaming data means, Your data packet is simply trunked to
>> > your original operator to process.  So you will be having a US ip on
>> > the web.
>>
>> And continuity of US tracking of your use rather than temporary Chinese
>> tracking
>>
>> brandon
>>


Re: Project Fi and the Great Firewall

2015-11-15 Thread Jean-Francois Mezei
On 2015-11-14 23:59, Yucong Sun wrote:
> This is what roaming data means, Your data packet is simply trunked to
> your original operator to process.  So you will be having a US ip on
> the web.


Based on my understanding, the phone establishes a local IP connection
with equipment associated with an antenna and gets an IP address from it. It
then establishes a tunnel to the APN operated by your carrier and the
tunnel gets the IP address that your apps see/use.

The IP address your apps see/use is given by your home carrier and all
packets flow through your home carrier's APN before going to the
internet and you use your home carrier's DNS.

Where I am unclear is what happens when you move from tower to tower.
Whether your local IP changes and the tunnel is transparently moved to
the new local IP, or whether the local IP address moves with you and
routing tables are changed.

Some phones have "debug" modes that will show both the local (local
antenna)  and the public IP address (from APN) in use.

As your traffic flows out of China, it passes through the "great wall of
routers" as traffic between you and your carrier's APN, not between you
and some banned site you are trying to access.


They'd have to do DPI and possibly decrypt tunnel traffic to catch where
you are trying to connect and block those.


Re: DNSSEC and ISPs faking DNS responses

2015-11-15 Thread Jaap Akkerhuis
 "Roland Dobbins" writes:

 > On 14 Nov 2015, at 10:22, Owen DeLong wrote:
 > 
 > By a tiny minority of people.
 > 
 > Selection bias.
 > 
 > Most people do not know what a 'VPN' is, or how to install one and get 
 > it working.

Most people don't need to know. They just buy a cheap (EUR 50 or
so seems to be the starting price) application (Raspberry Pi or
similar stuff based) which gives them what they want.

There is now a push to forbid the sales of these thingies.

jaap


Re: Project Fi and the Great Firewall

2015-11-15 Thread Jared Geiger
When you roam onto another cellular network other than your home network,
your data is encapsulated and sent back to your home network before going
out to the internet. This is to provide a seamless experience for the
customer.

The network it rides on is the GRX/IPX which is a worldwide MPLS network
that the GSMA specified to make the data roaming experience work. The
GRX/IPX also can carry voice and text back to the home network. Since it is
a separate network from the Internet, the Great Firewall was bypassed.

There are several GRX/IPX providers and they all peer with each other in
key locations which usually end up being in the same major Internet peering
locations. TATA, Syniverse, SAP, Telia, and many others run an IPX/GRX
network and Equinix has IPX/GRX peering exchanges.

The wikipedia articles will start you in the right direction for more
information:
https://en.wikipedia.org/wiki/GPRS_roaming_exchange
https://en.wikipedia.org/wiki/IP_exchange

~Jared

On Sat, Nov 14, 2015 at 6:27 PM, Jake Mertel <
jake.mer...@ubiquityhosting.com> wrote:

> I know the service/device uses VPN if you are using "wifi assist" to
> connect to an open WAP -- it automatically tunnels the traffic so it can't
> be read by nearby snoopers. Perhaps they employ a similar technology or are
> using something like PPP to take all of the traffic back to one (or many)
> "access servers" before sending it off to the Internet. I have no
> experience whatsoever in cellular network operations, but I know many
> providers employ similar methodologies to assist in meeting their CALEA
> requirements.
>
> On Saturday, November 14, 2015, Roland Dobbins  wrote:
>
> > On 15 Nov 2015, at 9:00, Sean Hunter wrote:
> >
> > While in China recently, I noticed that my Project Fi phone was accessing
> >> Google.
> >>
> >
> > Accessing, or attempting to access?
> >
> > Were you using a local SIM card, or roaming w/data?  What about WiFi?
> >
> > ---
> > Roland Dobbins 
> >
>
>
> --
>
>
> --
> Regards,
>
> Jake Mertel
> Ubiquity Hosting
>
>
>
> *Web: *https://www.ubiquityhosting.com
> *Phone (direct): *1-480-478-1510
> *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054
>
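
Added example, not part of any post in this thread: a sketch of the home-routed roaming tunnel described in the messages above, showing what an on-path device sees by addresses alone versus after decapsulating. It assumes the tunnel is plain GTP-U over UDP port 2152 (the thread does not name the protocol); all addresses, the TEID and the function names are constructed for illustration.

```python
import socket
import struct

GTPU_PORT = 2152   # registered UDP port for GTP-U (user-plane tunnel)
G_PDU = 0xFF       # GTP-U message type carrying a subscriber packet

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left 0; fine for offline parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def gtpu_frame(outer_src, outer_dst, teid, inner):
    """Wrap a subscriber packet the way a visited network hands it home."""
    gtp = struct.pack("!BBHI", 0x30, G_PDU, len(inner), teid) + inner
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return ipv4(outer_src, outer_dst, 17, udp)

def ip_endpoints(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def observe(frame):
    """What an on-path box sees: by outer addresses, and after decapsulating."""
    o_src, o_dst, proto, udp = ip_endpoints(frame)
    view = {"outer": (o_src, o_dst), "tunnel": False}
    if proto != 17 or len(udp) < 16:
        return view
    dport = struct.unpack("!H", udp[2:4])[0]
    flags, mtype, _length, teid = struct.unpack("!BBHI", udp[8:16])
    if dport != GTPU_PORT or flags >> 5 != 1 or mtype != G_PDU:
        return view
    off = 16 + (4 if flags & 0x07 else 0)  # optional seq/N-PDU/ext fields
    i_src, i_dst, _, _ = ip_endpoints(udp[off:])
    view.update(tunnel=True, teid=teid, inner=(i_src, i_dst))
    return view

# Constructed sample: all addresses are documentation/private ranges.
inner_pkt = ipv4("10.20.30.40", "203.0.113.80", 6, b"\x00" * 20)
SAMPLE = gtpu_frame("192.0.2.10", "198.51.100.20", 0x1A2B3C4D, inner_pkt)

if __name__ == "__main__":
    print(observe(SAMPLE))
```

A filter keyed on the outer addresses only ever sees gateway-to-gateway traffic; the subscriber's real destination appears only once the GTP-U header is stripped, and it is readable there because this encapsulation adds no encryption of its own.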


Re: Project Fi and the Great Firewall

2015-11-15 Thread Carlos Alcantar

Similar to the SS7 phone network where call signaling data is done on a totally 
different path than the actual rtp path.

Carlos Alcantar
Race Communications / Race Team Member
1325 Howard Ave. #604, Burlingame, CA. 94010
Phone: +1 415 376 3314 / car...@race.com / http://www.race.com



From: NANOG  on behalf of Jared Geiger 

Sent: Saturday, November 14, 2015 7:08 PM
To: NANOG
Subject: Re: Project Fi and the Great Firewall

When you roam onto another cellular network other than your home network,
your data is encapsulated and sent back to your home network before going
out to the internet. This is to provide a seamless experience for the
customer.

The network it rides on is the GRX/IPX which is a worldwide MPLS network
that the GSMA specified to make the data roaming experience work. The
GRX/IPX also can carry voice and text back to the home network. Since it is
a separate network from the Internet, the Great Firewall was bypassed.

There are several GRX/IPX providers and they all peer with each other in
key locations which usually end up being in the same major Internet peering
locations. TATA, Syniverse, SAP, Telia, and many others run an IPX/GRX
network and Equinix has IPX/GRX peering exchanges.

The wikipedia articles will start you in the right direction for more
information:
https://en.wikipedia.org/wiki/GPRS_roaming_exchange
https://en.wikipedia.org/wiki/IP_exchange

~Jared

On Sat, Nov 14, 2015 at 6:27 PM, Jake Mertel <
jake.mer...@ubiquityhosting.com> wrote:

> I know the service/device uses VPN if you are using "wifi assist" to
> connect to an open WAP -- it automatically tunnels the traffic so it can't
> be read by nearby snoopers. Perhaps they employ a similar technology or are
> using something like PPP to take all of the traffic back to one (or many)
> "access servers" before sending it off to the Internet. I have no
> experience whatsoever in cellular network operations, but I know many
> providers employ similar methodologies to assist in meeting their CALEA
> requirements.
>
> On Saturday, November 14, 2015, Roland Dobbins  wrote:
>
> > On 15 Nov 2015, at 9:00, Sean Hunter wrote:
> >
> > While in China recently, I noticed that my Project Fi phone was accessing
> >> Google.
> >>
> >
> > Accessing, or attempting to access?
> >
> > Were you using a local SIM card, or roaming w/data?  What about WiFi?
> >
> > ---
> > Roland Dobbins 
> >
>
>
> --
>
>
> --
> Regards,
>
> Jake Mertel
> Ubiquity Hosting
>
>
>
> *Web: *https://www.ubiquityhosting.com
> *Phone (direct): *1-480-478-1510
> *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054
>