[ NNSquad ] Re: Thoughts on DNS Redirection

[Stefano Quintarelli <stefano@quintarelli.it>]

Let me introduce myself: I'm the past president of Italy's ISPs  
Association

In 2003 Italy's TLC incumbent operator Telecom Italia made DNS  
redirection for its DSL users ("Alice" is the name of their broadband  
offering).

A user trying to access any site on the Internet was redirected to an  
internal web site called "Casa di Alice" (Alice's home)

there they found a desktop with a living room metaphor where the user,  
if he wanted to buy some music, had to click on the radio; to buy a  
video, had to click on the TV set; to access the Internet had to click  
on the PC.

this was possible because there was no legal definition of what "The  
Internet" is and as a matter of fact they were advertising and selling  
a "broadband service" allowing to connect to the Internet.

they had discriminatory pricing on these services. e.g. the cost of  
traffic (not the cost of content) to access those services provided by  
Telecom Italia was 0, while there was a cost of traffic to access the  
Internet; furthermore users were requested to double-register in order  
to access the Internet. (There was no confirmation that all Internet  
traffic was logged, but there were rumors)

The italian ISPs association brought TI to the Antitrust in Brussels  
for anticompetitive behaviours, as they were building a walled garden  
and Telecom Italia was notified by trustbusters as an operator having  
Significant Market Power.

we succeeded and settled with Telecom Italia, obtaining that they  
close this "Casa di Alice" and provide users a plain access to the  
Internet.

"traffic discrimination" based on price is something very difficult to  
face with, in legal terms, but this is what is increasingly happening  
in Europe.

take for example Internet access provided by "mobile" operators,  
something that is increasingly popular thanks to the availability of  
HSDPA and HSUPA (3-4Mbps downlink)

you can send an SMS for 15Eurocents each. Should you want to use your  
Messenger on a smartphone, you need to establish a data connection  
which is charged 1Euro or more for a "connection setup fee" which  
includes the first 5 minutes (or more) of data airtime (which is good  
to download mail but obviously is not good to send a twit).

the net effect is that you are not going to use your Messenger on the  
smartphone but rather you will keep using SMS instead. Defend their  
traditional revenues through discriminatory pricing structure.

the consequence is that ALL sporadic transaction-based applications  
are heavily inhibited by pricing policies.

there is no mangling of traffic here, just pricing policies.

For example, you could subscribe to mobile broadband contracts with  
different data transmission pricing depending on the site you access:  
operator-partnered popular internet applications (youtube, myspace,  
ebay, google, maps) at 0,29Cent/session; the rest of the Internet at  
1Euro/session. (Why did Google agree to this ?)

mobile operators are legally allowed to this as they are not notified  
by Antitrust of having Significant Market Power and hence they cannot  
be forced to avoid discriminatory pricing. (none of the mobile  
operators have >50% market share, something that allows lobbied  
authorities to say that "we have competition") (even with an HHI index  
of around 0,38)

For example, in Italy, we have two main mobile operators which have  
similar offers (with price discrimination of content) and they account  
for more than 80% of the subscribers. This two operators have around  
45% gross margin and double digit net profit; the two remaining  
operators, due to the structure of mobile voice pricing (the largest  
portion of their business), having very little market shares, are  
trying to survive (even with historically negative gross margins).

Of course it is very difficult to prove in legal terms that there is a  
joint dominance (let alone a cartel). In Italy for example Antitrust  
has decide there is not.

Debt laden telcos (in Europe more than 50% of corporate bonds are  
emitted by Telcos (let's hope not a subprime-like story)) need to have  
big margins; they priced broadband based on demand elasticity rather  
than true costs (including cost of debt) and it's very difficult once  
you've broken somethng to put pieces back together (i.e. generally  
raise prices for plain vanilla-data connections). Margins from  
traditional services are shrinking as volumes reduce. Services are  
going outside of the operator's scope and, together with regulation  
imposing wholesale access to SMP operators) force the industry to  
restructure towards a low-cost industry.

in this process, the (wrong) idea that they could squeeze revenues  
from traffic discrimination, is just one important part of the story.

As ex-monopolists fixed operators have to provide access to  
infrastructure at wholesale, regulated, "cost-plus" prices, neutrality  
on the fixed network is more likely to remain (there are hundreds of  
fixed line ISPs).

As mobile operators are non monopolists (in legal terms) yet control  
an essential facility (and a couple of them in each country have  
significant margins), traffic and price discrimination on wireless/ 
mobile access is very likely to increase in the future.

Its effects will likely show-up later through bundling pricing on  
large fixed operators, as the industry converges toward mobile  
operators increasingly acquiring fixed-line operators.

Any legal provision in the US enforcing Net Neutrality and NON price  
discrimination will reverberate its positive effects in Europe as well.

So, please, don't understimate discriminatory pricing..

best, s.

Il giorno 18/mar/08, alle ore 00:34, Bob Poortinga ha scritto:

> I am not surprised at all by this turn of events.  Everyone should
> have seen this coming sooner or later as a result of the SiteFinder
> fiasco.  At this point, the redirection appears to be for only
> domains with an unrecognized GTLD or that return NXDOMAIN as a result
> of a DNS query.  This is the first step in DNS hijacking, and,
> although a nuisance, is fairly benign.  The main problem introduced
> by this scheme is that some mail systems are configured to reject
> mail with an unknown sender domain as an anti-spam measure.
> However, anyone who runs a mail server should also be running their
> own DNS resolver.  Running your own resolver won't work with ISPs
> who actually intercept and proxy all DNS queries, though.
>
> Taking DNS hijacking to the next level will involve substituting an
> IP address of the ISP's choice for a the IP address returned from a
> legitimate DNS query.  There is nothing in law (except maybe
> trademark law) to prevent this from happening.  There is quite a bit
> of ad revenue generated from type-in traffic for generic domain
> names like 'weddingrings.com' and this will be the next type of
> traffic that these ISPs will go after.  There will undoubtedly be a
> huge confrontation over this, and, unless there are legal
> protections for domain owners codified in law, the ISPs will
> probably get away with it.
>
> --
> Bob Poortinga  K9SQL
> Bloomington, IN  US
>
>   [ With this initial round of tests, we don't really know all
>     of the interception parameters or conditions.  There is
>     likely to be considerable variation.  For example, some results
>     so far suggest that HughesNet is intercepting port 53 UDP  
> (ordinary
>     DNS lookups) but perhaps not 53 TCP (zone transfers).  On the  
> other
>     hand, early indications from initial reports are that Sprint EVDO
>     is intercepting 53 UDP and TCP.
>
>     The nslookup and dig tests specified are quite explicit.  The
>     test arguments specify that the query is to be made to a
>     *specific* server.  By the way, there is no requirement that
>     the contents of DNS servers only include globally-known TLDs --
>     it is not uncommon for "private" names to be included in DNS
>     servers for special purposes that can only be obtained with
>     direct queries to those servers.
>
>     To the extent that ISP port-based redirection prevents subscribers
>     from directly querying specified DNS servers, and in fact return
>     falsified data, this is potentially a pretty big deal even now.
>
>       -- Lauren Weinstein
>          NNSquad Moderator ]