ZeroTier | Connect All The Things

Connect All The Things!

The ZeroTier Blog

Network Neutrality Through Virtualization

Robert Cringely of I, Cringely fame recently penned an article proposing ZeroTier to counter the traffic discrimination that is likely to follow a net neturality repeal. We thought we should respond by correcting a few minor things and then discussing the topic in general.

Before we really get started we'd like to answer a question many people asked on various forums: "was this an ad for ZeroTier?"

One of the things I (the founder of ZeroTier) have learned getting this venture off the ground is that there's quite a bit of soft payola in the enterprise networking sector. I've decided that ZeroTier isn't going to pay into this system. We don't buy into any of the enterprise "research" gatekeeping schemes (that shall not be named), nor do we slip payments to journalists under the table. So no, we did not know Cringely was going to mention us and we didn't provide any input for his article.

Now on to the real topic, namely whether network virtualization can help keep the Internet open.

... read more

What is a Neutral Internet?

Network neutrality means your ISP routes data packets without prejudice. All it does is examine each packet's IP address and send it toward where it's going. Source, destination, or content doesn't matter. The only exceptions might be quality of service load balancing to ensure fair allocation of bandwidth, blocking denial of service attacks, and preventing abuse such as IP spoofing.

So why is this important?

A neutral Internet is a level playing field open to permissionless innovation. While regulations requiring network neutrality might superficially look like restrictions placed upon it, they're actually there to protect the relatively free market that exists on the net from another kind of much more arbitrary regulation by proxy.

You or I can't just go build a last-mile ISP or a mobile phone carrier. It's not just a matter of having the money. Building an ISP requires negotiation of a byzantine political maze to obtain permits and licenses from federal, state, and local authorities. Existing players have lobbyists working within those levels of government to prevent new competition from entering. In some cases carriers are even the recipients of direct government subsidies.

Consumer telecoms are government-granted monopolies (or oligopoies in some markets) whose position in the market is guaranteed. Their behavior can't be adequately checked by normal market forces because it's extremely difficult or impossible to compete with them. In the USA most customers have only one choice for wired broadband Internet and only a few for mobile. The latter is likely to shrink due to constant pressure to consolidate in the mobile carrier market.

ISPs could easily leverage their state-guaranteed market position to "regulate" the Internet by proxy. They could pick winners in the market for Internet products and services, demand special fees from large ones, and block products and services arbitrarily. Network neutrality regulations are an attempt to compensate for this market imbalance by limiting the ability of ISPs to do these things.

Opening the ISP market to more competition could be another way to fix this problem, but so far it's proven extremely difficult to do so. Last mile wired telecom is a natural monopoly to a great degree, and even neglecting this barrier there are just too many different government agencies with overlapping jurisdiction to make streamlining of permitting and licensing achieavable. So far network neutrality rules have been the thing we've been able to actually get done and unless something dramatic changes politically or technologically this is likely to remain true for the forseeable future.

As an Internet company innovating in the area of network protocols this is an issue that concerns us greatly. There is a risk that without network neutrality ISPs could choose to simply block protocols like ours or allow customers to use them only with costly "business class" connections. This would harm not only our business but that of any other company doing anything with the Internet more exotic than serving HTTP from the cloud. Of course it doesn't stop with protocols. ISPs could block or degrade sites or services based on hosting provider, location, content, or anything else they desire, and there's little consumers could do to work around it given their lack of choice in the carrier market.

Encrypt All The Things?

If politics fails to protect us from telecom monopolies is there anything else we can do about it? Is there a technical solution?

Much of the ISP traffic discrimination everyone fears relies on a technology known as DPI or deep packet inspection. DPI just means routers that inspect the entire content of a packet instead of the usual IP header fields and correlate packets to organize them into flows. This information can then be used to prioritize traffic, block or degrade sites or protocols, perform surveillance, censor content, insert ads, or even perform man-in-the-middle attacks to disable encryption so users can be subjected to surveillance.

DPI relies upon the transparency of network traffic. The ability to modify traffic (inserting ads, etc.) relies upon the absence of secure authentication. Encrypted traffic can't be inspected. Cryptographically authenticated traffic can be blocked but not modified.

Could it be that simple? If we encrypt all our traffic then DPI is rendered useless, right? For this reason and others there has been a strong push in recent years to deploy as much encryption as possible. Efforts like Lets Encrypt and the popularity of privacy VPNs have transformed an increasing amount of the Internet's traffic into opaque gibberish. It wouldn't be that hard to keep going until encryption is deployed everywhere. Why is everyone still so concerned?

Unfortunately crypto only solves a subset of the problem. Universal deployment of cryptography will eliminate some of the worst DPI-powered abuses like mass surveillance, ad injection, and man-in-the-middle attacks, but it doesn't prevent ISPs from taxing Internet companies, blocking or degrading certain products and services, preventing peer to peer connectivity, or picking winners in the Internet market. It doesn't prevent these things because IP addresses (and hostnames in the case of HTTPS with SNI) are still visible and these can easily be tied to their owners.

Now we'll start discussing ZeroTier and Cringely's comments about it more specifically. ZeroTier does encryption, but can it do more?

Connectivity vs. Anonymity

Anonymity and connectivity are antagonistic engineering goals. To efficiently connect two endpoints means provisioning the shortest possible path between them. This implicitly reveals location information if by no other means than the ability to triangulate through measurements of latency. Straightforward addressing schemes are also needed for efficient connectivity since any form of address obfuscation or indirection will require multiple round trips to resolve and will therefore add latency, meaning addresses are also likely something that can be tied to location or identity.

Since anonymity and connectivity are antagonistic, they can't both be achieved in the same system or layer. ZeroTier is a connectivity system not an anonymity system. It provides encryption but as discussed above this is not enough to prevent ISPs from picking winners in the Internet market.

Tor by contrast is an anonymity system. It's designed to conceal user location and identity. To do this it routes traffic inefficiently by design, choosing long multi-hop onion-routed paths and even adding extra artificial latency to ensure that triangulation is not possible.

The trouble with Tor and similar systems is that it's horribly slow and will not scale to support a large fraction of existing Internet traffic. Consumers are not likely to use services whose performance is so noticably degraded. Keeping the Internet fast for consumers regardless of which services they use is a huge part of the point of this whole exercise.

Weak Anonymity: A Proposal

ZeroTier alone and in its present form would not serve as an effective barrier against all forms of traffic discrimination, but that doesn't mean nothing can be done. If we're willing to sacrifice just a tiny amount of performance (so little it might not be noticable) it might be possible to severely limit ISP regulatory options.

Data centers and cloud regions generally have more than one tenant. Traffic within the same data center or region is also generally free, and internal links are usually quite a bit faster than the Internet.

The ZeroTier protocol supports relaying. All connections start out that way until a direct link is made, and if a direct link can't be made relaying can continue indefinitely. At present ZeroTier is designed to find a way to avoid relaying as quickly as possible, but this is code and code can be changed.

Anonymity and connectivity might be antagonistic goals, but the choice is not binary. Preventing the organized deployment of traffic discrimination and censorship would not require the level of global-scale anonymity provided by systems like Tor and I2P. The goal here isn't to protect users from repressive governments and hackers but merely to make make it hard for ISPs to make money by restricting and prioritizing Internet traffic. To do so we just have to render endpoint identity fuzzy enough to prevent the creation of a database reliable enough for business purposes.

It would not be terribly hard to extend the ZeroTier protocol to allow nodes within the same data center or cloud region (or that are otherwise very close to one another) to relay. This would effectively randomize IP addresses at the data center, cloud region, or neighborhood level.

The worrisome scenario in a post-neutrality world isn't that ISPs will suddenly start blocking everything. That would provoke a consumer backlash so severe it could easily sway elections. Instead the concern is that a "gerrymandered" Internet marketplace could be rolled out slowly and incrementally. It would start with "zero rating" and fast lanes for services that pay the ISPs to reach consumers. From there it could proceed to discounted Internet packages offering select services at full speed and severely degraded performance for everything else. Over time as consumers are conditioned to expect this, ISPs could proceed to offer bundles that only include select services.

Censorship is also a concern. Like all censors the ISPs would begin by restricting access to the most offensive and most legally questionable products and services, but from there it would not be hard to gradually expand the scope.

Gradual clamp-down scenarios like these are only possible if ISPs can classify Internet participants with high accuracy. "Fuzzing" IPs in the manner suggested above forces a binary choice: block a lot of things and evoke serious consumer backlash or do nothing.

This isn't something we are actively working on and we hope it won't be necessary. Nobody really wins if customer-hostile behavior from ISPs forces us to engage in some kind of technical cold war with them. Our services would all degrade, and history shows that customer-hostile behavior never ends well for companies that engage in it. Nevertheless if we are pushed down this path we will respond by applying our knowledge of protocols, systems, and networks to defend the open Internet as well as our own business. I don't think we are alone.


Adam Ierymenko
Founder and CEO
ZeroTier, Inc.