Bypassing IRI National Internet Wall
How to Neutralize IRI Filtering - Part 3
Sam Ghandchi
Iranscope@hotmail.com
October 16, 2007
Over a year ago the Islamic Republic of Iran (IRI) announced that
it was building for Iran what it called a "National Internet,"
and said the project's goal was to improve price-performance for
domestic Internet users.
Regardless of the above irreproachable declared objectives, a group
in IRI has been very clear about its own agenda for pushing this IT
architecture for Iran. Their goal was to turn the global Internet in
Iran into one giant *Intranet* network, where *all* Internet services
can easily be filtered on the fly by applying policies on the national
border routers. They recently did this with Google in Iran and later
said it was just an error, but I think they were testing the new,
super-expensive infrastructure of their so-called "National Internet".
The way IRI blocks with this new architecture is by having someone
catch the announcement of a service address for any Internet service
they want to block. Blocking Google was no doubt done by null routing
it: basically, they don't advertise the route through the ISPs, or
they advertise it and say that the next hop address is an address
that goes to /dev/null. In other words, they null route the address,
instead of using the method they have been using to filter web sites
in the last 5 years, which was blocking millions of sites at the ISPs.
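
The two blocking methods described above (not advertising a route, or advertising it with a next hop that discards traffic), as an added example that is not part of the original article: a minimal longest-prefix-match routing table in Python. The class and function names are hypothetical, all addresses are documentation ranges, and the last lookup goes one step beyond the paragraph to show that an unrelated prefix, such as a tunnel endpoint's, is still forwarded.

```python
import ipaddress

DISCARD = "discard"  # next hop that silently drops packets (the "/dev/null" hop)

class RoutingTable:
    """Minimal longest-prefix-match table (hypothetical, for illustration)."""
    def __init__(self):
        self.routes = {}  # ip_network -> next hop

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Return (verdict, detail) for one destination address."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return ("unreachable", "no route")
        best = max(matches, key=lambda net: net.prefixlen)  # most specific wins
        hop = self.routes[best]
        if hop == DISCARD:
            return ("dropped", f"null route {best}")
        return ("forwarded", f"{best} via {hop}")

def demo():
    """Constructed scenario; every address is from a documentation range."""
    service, tunnel = "198.51.100.10", "203.0.113.7"
    table = RoutingTable()
    table.add("198.51.100.0/24", "192.0.2.1")  # prefix holding the service
    table.add("203.0.113.0/24", "192.0.2.1")   # prefix holding a tunnel endpoint
    results = {"before": table.lookup(service)}
    # Method 2 in the text: advertise the address with a discarding next hop.
    table.add("198.51.100.10/32", DISCARD)
    results["null_routed"] = table.lookup(service)
    results["neighbour"] = table.lookup("198.51.100.20")  # same /24, not blocked
    # Method 1 in the text: the route is simply not advertised at all.
    table.withdraw("198.51.100.10/32")
    table.withdraw("198.51.100.0/24")
    results["withdrawn"] = table.lookup(service)
    # The border router only ever sees the tunnel endpoint's own address.
    results["tunnel"] = table.lookup(tunnel)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```
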
Therefore there will not be the time lapse between the creation of
lists by the intelligence authorities and the implementation of
filtering at the ISPs that there has been in the last 5 years. They
can also implement all kinds of policies, and not just for web sites:
they can even block emails based on semantic rules, even those
originating from Google, Yahoo, or MSN, when a blocked URL or the
latest proxy addresses are found in the body of the email. They have
been doing that to email customers of Iran-based ISPs for a few years
now, but with their new National Internet structure they will extend
this censorship to Google, Yahoo, and MSN email customers, and this
is what they were testing when they killed all Google access in Iran,
including its search engine. If it were up to the security officials,
they would have blocked all services of Google, Yahoo, and MSN a long
time ago, but they know that these are critical to Iranian
businesses. Even after spending all their money on the so-called
National Internet, they know well that the Internet is a global
phenomenon and that they cannot replace such global services. Their
main goal is not to replace them, but to raise the fences around
whatever is not agreeable to IRI. Yes, this iron curtain is a new
system to reinforce the prison walls, blocking Iranian Internet users
from accessing the "undesired" content in the outside world in the
most efficient way possible.
Most of the past methods the Iranian opposition has been using to
pass through filtering will not work once this new National Internet
infrastructure is in place, and from what we witnessed recently in
the case of Google, it seems we are not that far from the point when
this new iron curtain will be what we, in the opposition, need to
deal with. Most of the suggestions I made in the last two parts of
this series to neutralize IRI filtering will soon stop working.
Public http proxies and even the secured types (https) may not work
in a few months. Of course personal solutions like Psiphon, which
requires having a friend with good technical expertise outside Iran,
will still work, although it is not a very comfortable solution to
use. I discussed that solution in detail in my interview with
Mr. Ahmad Baharloo of VOA nine months ago, for those who may still
be interested in setting it up:
Sam Ghandchi Interview with VOA on Internet Filter Breakers
Another solution I mentioned in the above interview, namely using
Peer-to-Peer (P2P) networks inside Iran, will also work, but it
requires one user in the network to be able to bring in the content
of the banned sites. So for that one person, the question of how to
do it by other methods will still need to be solved. I should also
say that P2P networks such as BitTorrent are still not that
widespread in Iran, and this may not work as a solution for most
Internet users, because not all P2P networks would be open to
providing banned content, as it is a shared environment. At any rate,
I discussed P2P networks and Tor in the second part of this series
and those interested can refer to that article:
How to Neutralize IRI Filtering - Parts 1 and 2
My topic in this article is how to deal with the new situation.
The sooner we build the new response structure to what is happening,
the better off we will be when the National Internet wall of Iran
is fully operational, because that will be like being in a jail
with the thickest stone walls surrounding us.
***
A former colleague of mine, an Internet guru, in a conversation with
me about the situation of the National Internet wall of Iran and
the ways to tunnel to the outside world, defined a whole new paradigm
for approaching the filtering issue in the following statement:
"Imagine just for yucks if every router in the region became a proxy server"
The above is such a great response to IRI. Yes, IRI's new National
Internet is turning every router owned by the Minister of Information
and Communication Technology (ICT) of Islamic Republic of Iran into
a prison citadel, and my friend is suggesting that we turn every
router *outside* of those prison walls into a proxy server. His
suggestion is, in my opinion, the most ingenious thought I have ever
heard in dealing with the issue of filtering.
My friend continued that every router out there already has the
capability, given appropriate configuration. For example, he noted
that Cisco isn't going to predetermine its customers' configurations.
Tunneling can be configured using a number of different technologies:
IP/IP, GRE, IPsec, SSH, etc. For example, one can SSH to quite a
variety of places, and they don't have to be either near or far. The
router only needs to configure its SSH server so that those who have
the key are able to access it. For example, a user with an IPsec
tunnel infrastructure may have a dozen places in the world to which
s/he can set up an encrypted tunnel from a laptop. Another word for
any kind of tunnel infrastructure is "VPN". Anything that allows you
to set up an ad hoc VPN accomplishes the goal.
In other words, owners of routers, such as those who are currently
making http proxies available for Iranians, like VOA, can turn their
routers into VPN servers to help Iranian users tunnel to the outside
world. If they distribute a great number of VPN keys to the users,
and a number of generalized ones, before the email blocks of the IRI
National Internet prevent most contact with the outside world, then
a lot of people will have the capability to tunnel to the outside
world when that happens.
Here are some useful documents about tunneling for those who have
Cisco routers, which they can use to turn them into VPN servers:
Practical Uses of SSH Tunneling in the Internetwork (CISCO)
Port Forwarding (SSH)
As my friend said, "imagine just for yucks if every router in the
region became an SSH proxy, perhaps using randomized port numbers and
advertising multiple router addresses to prevent filtering of
SSH. You can tell people to SSH to an outside system with a well-known
key (everyone is supposed to get their own, but there's no reason
that one couldn't use a *generalized* one for this purpose) and
then redirect their traffic through the tunnel." Yes, he is right,
this is doable, and I am sure Iranian technical experts and friends
of Iranians in the outside world, who have helped us so much all
these years by making http proxies, will set up many of these VPN
servers for people to use. In these Dark Ages of the Islamic Republic,
Iranian Internet users will still be able to have the Internet as a
*global* network and *not* the National Intranet, with IRI's Iron
Curtain blocking Iranians from the rest of the world, into which
these petrified IRI officials want to deform it.
I should note that there is a company in Iran that sells VPN service:
Gold VPN ir: Secure Surfing
They may be worth looking at, but unfortunately I do not know them
personally.
I hope those who have been providing the Iranian Internet community
with great proxy service in the last few years will help out now by
providing free VPN service for those living in Iran. People who have
trusted a provider for proxy service in the last 5 years can also
trust them for VPN service, because whoever owns the server can see
people's addresses, just as the proxy server providers are able to
see them today. At least in most of the solutions that I am aware
of, this is the case, including Psiphon. As a little digression, I
should note that sites like alexa.com do not collect statistics on
the traffic that goes through proxies, even if they can, because of
their privacy policy; therefore their stats for banned sites are
totally wrong.
Let's return to our topic. In the past, I refrained from recommending
VPN because it used to cost a lot to make it available to thousands
of people. But nowadays, with every Cisco router having the
capability to become a VPN server, it is only a matter of configuring
the router for those who own routers to offer this service.
Hoping for a day to live in an Iran with no censorship,