Owning the networking equipment in your network

Networking equipment

It seems there’s a new trend in India amongst Internet Service Providers to supply their own router.

The primary reason ISPs do this is to reduce the amount of on-site support required, which is a valid reason.

When an ISP has to deal with many kinds of user-supplied equipment, its workload increases: support staff have to be trained on the configuration semantics of every device a user might bring.

An ISP supplying its own equipment is in itself harmless, and for the consumer it is in fact a good option: whether a device they procured themselves will work with the ISP stops being their concern. All the consumer is interested in is a working internet connection.

But, as with pretty much everything, there are two sides to this; the darker side is privacy and security, as pointed out in this IndiaToday article.

These devices often run customised firmware with long update cycles, so security bugs, including publicly known ones, can stay unfixed for a long time and leave your network open to compromise. That definitely sounds scary.

In addition, there is a privacy concern: these routers can be used to analyse browsing patterns, that is, data mining, building a profile of what you do with your internet connection. In the last few years, initiatives like Let's Encrypt have done the internet a lot of good by giving everyone free SSL/TLS certificates, so the content of most web traffic is no longer readable by the network in between.

There have also been technological advances for user privacy in the last few years, such as DNS over TLS (DoT) and DNS over HTTPS (DoH). With these, the ISP cannot read your DNS queries, which is a good or a bad thing depending on how you look at it: access to illegal sites can no longer be blocked at the DNS level, which used to be trivial, since all you had to do was redirect traffic on port 53 to your own DNS server, which returns a fake IP address for a blocked website. At the same time, that mechanism gave network and device operators the power to block legitimate websites as well.

Even with DoH/DoT it is still possible for an ISP or router to know which website you are browsing over HTTPS, by inspecting the TLS handshake. Originally, HTTPS allowed only one certificate per IP address and port. Hosting multiple HTTPS sites on one server required clients to support the TLS Server Name Indication (SNI) extension, which tells the server which hostname the client wants before any certificate is sent. The older SSL protocols have since been deprecated, so all HTTPS connections now use TLS, and in the initial ClientHello of practically every HTTPS connection the hostname you are connecting to is sent in cleartext. There is a detailed article, with packet dumps, on how ISPs use this SNI field of the TLS handshake to block websites.
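To make the cleartext-SNI point concrete, here is an added example (not code from the original post) that builds a minimal TLS ClientHello for a given hostname and then extracts the hostname back out of the raw bytes, exactly as a router or DPI box would, with no key material at all. The record and extension layout follows RFC 5246 and RFC 6066; the ClientHello it constructs is a deliberately stripped-down sample (zero random, one cipher suite), not a real capture.

```python
import struct

# TLS record / handshake constants (RFC 5246) and the SNI extension (RFC 6066).
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(hostname=None):
    """Constructed sample input, not a real capture: a minimal TLS 1.2-style
    ClientHello record. Only the fields the SNI parser has to walk past are
    populated (random is all zeros, one cipher suite, null compression)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + bytes(32)                                  # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a TLS ClientHello
    record, or None if the record is not a ClientHello or carries no SNI.
    Nothing here is decrypted: the name is simply read off the wire."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    try:
        i = 2 + 32                                    # client_version + random
        i += 1 + p[i]                                 # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]   # cipher_suites
        i += 1 + p[i]                                 # compression_methods
        if i >= len(p):
            return None                               # no extensions block
        ext_len = struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        end = i + ext_len
        while i + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", p[i:i + 4])
            data = p[i + 4:i + 4 + ext_size]
            i += 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            j = 2
            while j + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[j:j + 3])
                name = data[j + 3:j + 3 + name_len]
                j += 3 + name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("idna")
    except (struct.error, IndexError):
        return None                                   # truncated or malformed
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
```

Run `extract_sni()` over the first record of any captured port-443 flow and the name comes out, which is all a blocking or profiling box needs. With ECH the same parser would only see the outer SNI, which names the client-facing server, because the real ClientHello, real SNI included, is carried inside an encrypted extension.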

The most recent TLS version, TLS 1.3, has an extension in standardisation to close this gap: Encrypted Client Hello (ECH, previously Encrypted SNI, ESNI). With it the real ClientHello, SNI included, is encrypted to a key the server publishes in DNS, so a router or ISP only sees the public name of the client-facing server, not the site actually being requested from that IP address. Note that ECH only helps if the DNS lookup itself is protected with DoH or DoT; a plaintext DNS query would leak the hostname anyway.

Unsurprisingly, TLS 1.3 with ECH/ESNI has been blocked in certain countries that wield control over their people by controlling what content they can browse on the Internet. Until ECH is widely deployed at both the server and the client end (browsers), the privacy concern will remain. One can't exactly say when that will happen.

Furthermore, it is entirely possible to correlate the connection tracking logs that conntrack provides on Linux (most of these routers run some form of embedded Linux) with DNS logs to get an even more detailed picture. Some devices in the higher price segment report what percentage of traffic goes to different categories, such as social media, using deep packet inspection (fishing for the SNI is one example of DPI).
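As an added example of that correlation (not code from the original post), the following Python joins constructed dnsmasq-style DNS log lines with constructed `conntrack -L` style flow lines. The addresses are documentation ranges, and the `packets=`/`bytes=` counters assume the router has conntrack accounting switched on (`nf_conntrack_acct=1`), which is an assumption about the device's configuration. The result is the per-client, per-hostname byte profile a router operator could build without reading a single payload byte.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of `dnsmasq --log-queries`.
DNS_LOG = """\
Mar  3 10:21:05 dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Mar  3 10:21:05 dnsmasq[812]: reply www.example.com is 203.0.113.10
Mar  3 10:21:09 dnsmasq[812]: query[A] cdn.example.net from 192.168.1.10
Mar  3 10:21:09 dnsmasq[812]: reply cdn.example.net is 203.0.113.10
Mar  3 10:22:40 dnsmasq[812]: query[A] mail.example.org from 192.168.1.11
Mar  3 10:22:40 dnsmasq[812]: reply mail.example.org is 198.51.100.7
"""

# Constructed sample lines in the style of `conntrack -L` with accounting on
# (nf_conntrack_acct=1 is what adds the packets=/bytes= counters).
CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.10 sport=51234 dport=443 packets=40 bytes=5200 src=203.0.113.10 dst=192.168.1.10 sport=443 dport=51234 packets=60 bytes=81000 [ASSURED] mark=0 use=1
tcp      6 120 TIME_WAIT src=192.168.1.11 dst=198.51.100.7 sport=44510 dport=993 packets=15 bytes=1900 src=198.51.100.7 dst=192.168.1.11 sport=993 dport=44510 packets=14 bytes=3300 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.12 dst=192.0.2.53 sport=50001 dport=53 packets=1 bytes=60 src=192.0.2.53 dst=192.168.1.12 sport=53 dport=50001 packets=1 bytes=120 mark=0 use=1
"""

REPLY_RE = re.compile(r"reply (\S+) is (\d+\.\d+\.\d+\.\d+)")
# Original direction, then reply direction; the TCP state word is optional
# because UDP entries do not carry one.
FLOW_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+(?:\s+\S+)?\s+src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) "
    r"packets=\d+ bytes=(\d+) src=\S+ dst=\S+ sport=\d+ dport=\d+ packets=\d+ bytes=(\d+)"
)


def ip_to_names(dns_log):
    """Map each answered IP address to the set of names that resolved to it."""
    names = defaultdict(set)
    for line in dns_log.splitlines():
        m = REPLY_RE.search(line)
        if m:
            names[m.group(2)].add(m.group(1))
    return names


def correlate(conntrack_dump, names):
    """Join conntrack flows with DNS answers: which client talked to which
    candidate name(s), on which port, and how many bytes went each way."""
    rows = []
    for line in conntrack_dump.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto, src, dst, sport, dport, out_bytes, in_bytes = m.groups()
        rows.append({
            "client": src,
            "server": dst,
            # A CDN address shared by several names stays ambiguous here;
            # that ambiguity is exactly what SNI sniffing is used to resolve.
            "names": sorted(names.get(dst, {"<no DNS answer seen>"})),
            "proto": proto,
            "dport": int(dport),
            "sent": int(out_bytes),
            "received": int(in_bytes),
        })
    return rows


def profile(rows):
    """Per-client byte totals by candidate hostname: the browsing profile a
    router operator could assemble from metadata alone."""
    totals = defaultdict(int)
    for r in rows:
        for name in r["names"]:
            totals[(r["client"], name)] += r["sent"] + r["received"]
    return dict(totals)


if __name__ == "__main__":
    for (client, name), total in sorted(profile(correlate(CONNTRACK, ip_to_names(DNS_LOG))).items()):
        print(f"{client:15} {name:28} {total:>8} bytes")
```

Two details are worth noticing in the sample. The first client's flow resolves to two names on the same address, so metadata alone cannot say which site was visited, which is where DPI on the SNI comes in. The third flow has no matching DNS answer at all, the picture a router gets once the client moves to DoH or DoT: it still sees every destination IP and byte count, just not the name.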

Such data mining is computationally very expensive when the processing has to be done at the NOC or data centre level, but relatively cheap on an individual device like a router, because the amount of traffic it handles (packets per second) is small. The computing power available in such embedded devices keeps increasing; consider how quickly the Raspberry Pi evolved into quite a powerful single-board computer since its original launch in 2012.

That said, the reason to have your own networking equipment instead of the ISP's is that there is a wide range of choice on the free market, often with better performance and security. Granted, nothing top-secret goes on in a home or home-office network, but in the end it is a matter of choice. Why should someone force you to use particular equipment?
