From d025085eb2e91e4f353107a7206d03c52f8403ac Mon Sep 17 00:00:00 2001 From: Joe Landers Date: Mon, 18 Dec 2017 21:09:27 +0100 Subject: [PATCH] Create ts-022-dpi-fragmentation.md --- test-specs/ts-022-dpi-fragmentation.md | 69 ++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 test-specs/ts-022-dpi-fragmentation.md diff --git a/test-specs/ts-022-dpi-fragmentation.md b/test-specs/ts-022-dpi-fragmentation.md new file mode 100644 index 00000000..a779743b --- /dev/null +++ b/test-specs/ts-022-dpi-fragmentation.md 
@@ -0,0 +1,69 @@ +# Specification version number + +2017-12-18-001 + +# Specification name + +[XXX] DPI Detection Test? + +# Test preconditions + + * An internet connection. + * A URL we suspect is being blocked by a stateless/non-reassembling DPI box. + +# Expected impact + + * If a URL is being blocked by DPI (not by IP or DNS blocking) into the TCP + stream, we should be able to determine whether that DPI box reassembles + streams or if it only looks at one packet at a time. + +# Expected inputs + + * A list of URLs to be tested (that we already know are blocked in + some fashion). + +## Semantics + +The test takes as input a list of URLs, one per line. For example: + + http://torproject.org + https://ooni.nu + +# Test description + +For every hostname, we perform two HTTP connections--one with fragmentation +and one without--and compare them to see if the response differs. If the +input scheme is http, we fragment on the HTTP Host header; if the scheme +is https, we fragment on the SNI header in the TLS Client Hello. + +# Expected output + +## Parent data format + +df-001-httpt [XXX?] + +## Semantics + +[XXX] I think there will be one boolean value for each URL input: whether +or not fragmenting around the plaintext hostname results in a different +HTTP response. Also, we will want to include the DNS requests +and responses, and the full HTTP requests and responses. + +## Possible conclusions + +Determing whether or not a censorship device reassembles TCP streams can +narrow down what type of technology is being used. For example, an HTTP +proxy like Squid has a stream-level view of the connection, while a DPI +box from Cisco probably does not reassemble lower-level packets into a +stream. + +## Example output sample + +``` +{ +} +``` + +# Privacy considerations + +[XXX]
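Review bot: The "Test description" section leaves the fragmentation mechanism unspecified, and without it the boolean result in "Semantics" is not well defined: "we fragment on the HTTP Host header" should state whether the split is at the TCP segment level (two send() calls with the Host value straddling the boundary) or IP-level fragmentation, and where the boundary falls (inside the hostname bytes, not merely between headers), since a DPI box that does reassemble TCP but not IP would give opposite answers under the two readings. The spec should also require that the test confirms the fragments actually left the host as separate segments (the kernel may coalesce back-to-back writes into one segment, in which case the "fragmented" and "unfragmented" requests are identical on the wire and the comparison is meaningless). Two smaller points in the same section: for https inputs the wording "two HTTP connections" is inaccurate, since the comparison is between two TLS handshakes split on the SNI extension, and the comparison criterion "see if the response differs" needs a definition (status code, body hash, connection reset, timeout), ideally with a control of two unfragmented requests so that ordinary server or network variability is not reported as a DPI reassembly signal. Finally, "Determing" in "Possible conclusions" is a typo for "Determining", the "Example output sample" block is an empty object and "Privacy considerations" is still [XXX], so these should be filled in before the spec is merged.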