Project Fi and the Great Firewall
Hello everyone,
I come to you to humbly request your assistance, on or off list. This is not an urgent technical matter, but something I'm rather fascinated by at the moment.
While in China recently, I noticed that my Project Fi phone was accessing Google. Not only Google, but Facebook, YouTube, Gmail, Twitter, and many other normally perma-blocked websites. It's taken me a few days of sleep-deprived thinking to realize this, but I'm seeing the same or similar 26.x.x.x addresses across countries I've visited, including China, Spain, Malaysia, and Hong Kong.
I'm not a cellular guy and I know even less about MVNO's, but I'm curious if I'm inferring the technical operations of the network correctly. It sounds like the local cellular companies are provisioning access upon arrival, then packing up the packets and shipping them off at layer 2 or below to Google, who's then handling the IP stack and up internet access. I'm also assuming the Great Firewall then acts above these layers since it's not blocking access on my phone.
If my inference is correct, I'd be curious to see if those responsible for the Great Firewall are aware of this deal Google has with a Chinese cellular provider and the technical specifics of how it works. Might we be seeing a softening of Great Firewall policies for foreigners, or just another soon to be inspected or blocked flow of traffic?
Anyway, I'd just love to hear from a knowledgeable engineer about how this works.
If you've read this far, thanks for your time and have a great day!
On 15 Nov 2015, at 9:00, Sean Hunter wrote:
While in China recently, I noticed that my Project Fi phone was accessing Google.
Accessing, or attempting to access?
Were you using a local SIM card, or roaming w/data? What about WiFi?
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
I know the service/device uses VPN if you are using "wifi assist" to connect to an open WAP -- it automatically tunnels the traffic so it can't be read by nearby snoopers. Perhaps they employ a similar technology or are using something like PPP to take all of the traffic back to one (or many) "access servers" before sending it off to the Internet. I have no experience whatsoever in cellular network operations, but I know many providers employ similar methodologies to assist in meeting their CALEA requirements.
--
Regards,
Jake Mertel
Ubiquity Hosting
Web: https://www.ubiquityhosting.com
Phone (direct): 1-480-478-1510
Mail: 5350 East High Street, Suite 300, Phoenix, AZ 85054
When you roam onto another cellular network other than your home network, your data is encapsulated and sent back to your home network before going out to the internet. This is to provide a seamless experience for the customer.
The network it rides on is the GRX/IPX, which is a worldwide MPLS network that the GSMA specified to make the data roaming experience work. The GRX/IPX also can carry voice and text back to the home network. Since it is a separate network from the Internet, the Great Firewall was bypassed.
There are several GRX/IPX providers and they all peer with each other in key locations which usually end up being in the same major Internet peering locations. TATA, Syniverse, SAP, Telia, and many others run an IPX/GRX network and Equinix has IPX/GRX peering exchanges.
The Wikipedia articles will start you in the right direction for more information:
https://en.wikipedia.org/wiki/GPRS_roaming_exchange
https://en.wikipedia.org/wiki/IP_exchange
~Jared
Similar to the SS7 phone network, where call signaling data is done on a totally different path than the actual RTP path.
Carlos Alcantar
Race Communications / Race Team Member
1325 Howard Ave. #604, Burlingame, CA. 94010
Phone: +1 415 376 3314 / carlos@race.com / http://www.race.com
With Wi-Fi calling it gets a bit more simplified (no "transit" operators in user plane) and may provide better privacy (only your home country will monitor your calls, lol). The UE establishes an IPsec tunnel over the Internet to the home operator and uses it for native VoIP/messaging applications.
--
Best regards,
Yury.
On 15/Nov/15 05:08, Jared Geiger wrote:
When you roam onto another cellular network other than your home network, your data is encapsulated and sent back to your home network before going out to the internet. This is to provide a seamless experience for the customer.
I always felt it was just to ease billing headaches. Local hand-off has the potential to make billing more difficult. Not doing that is at the expense of a better experience for the customer.
Mark.
Sent from my iPhone
On Nov 14, 2015, at 18:00, Sean Hunter <jamesb2147@gmail.com> wrote:
While in China recently, I noticed that my Project Fi phone was accessing Google. Not only Google, but Facebook, YouTube, Gmail, Twitter, and many other normally perma-blocked websites. It's taken me a few days of sleep deprived thinking to realize this, but I'm seeing the same or similar 26.x.x.x addresses across countries I've visited, including China, Spain, Malaysia, and Hong Kong.
26/8 is T-Mobile using DOD space for their internal addressing. Irrespective of where you are, you're connected to the same APN, and traffic from your UE is indeed tunneled through the PGW: https://en.m.wikipedia.org/wiki/System_Architecture_Evolution#
My team mate was traveling to China with his Nexus 6 (with Project Fi SIM-card) and was able to access Google services. The phone uses roaming data to access Google and your phone gets IP assigned by your home mobile network packet gateway (P-GW). There is no local data break-out.
--
Best regards,
Yury.
On 15 Nov 2015, at 11:02, Yury Shefer wrote:
The phone uses roaming data to access Google and your phone gets IP assigned by your home mobile network packet gateway (P-GW).
This is what I thought, as well - thanks for confirming!
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
This is what roaming data means. Your data packet is simply trunked to your original operator to process. So you will be having a US IP on the web.
On 2015-11-14 23:59, Yucong Sun wrote:
This is what roaming data means. Your data packet is simply trunked to your original operator to process. So you will be having a US IP on the web.
Based on my understanding, the phone establishes a local IP connection with equipment associated with an antenna and gets an IP address from it. It then establishes a tunnel to the APN operated by your carrier and the tunnel gets the IP address that your apps see/use.
The IP address your apps see/use is given by your home carrier and all packets flow through your home carrier's APN before going to the internet and you use your home carrier's DNS.
Where I am unclear is what happens when you move from tower to tower. Whether your local IP changes and the tunnel is transparently moved to the new local IP, or whether the local IP address moves with you and routing tables are changed. Some phones have "debug" modes that will show both the local (local antenna) and the public IP address (from APN) in use.
As your traffic flows out of China, it passes through the "great wall of routers" as traffic between you and your carrier's APN, not between you and some banned site you are trying to access. They'd have to do DPI and possibly decrypt tunnel traffic to catch where you are trying to connect and block those.
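Added example, not part of any post in this thread: a sketch of the home-routed tunnel the posters describe, assuming it is GTP-U over UDP port 2152 as in 3GPP roaming (the thread does not name the protocol). All addresses and the TEID are constructed; it shows that a device matching on outer headers sees only visited-gateway-to-home-gateway traffic, while the subscriber's destination sits in the inner packet.

```python
import ipaddress
import struct

GTPU_PORT = 2152  # UDP port for GTPv1-U (3GPP TS 29.281)
# Constructed sample values (documentation ranges, plus a 26/8 address as in the thread)
UE, SITE = "26.10.20.30", "203.0.113.80"
VISITED_SGW, HOME_PGW, TEID = "198.51.100.10", "192.0.2.20", 0x1A2B3C4D

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 for this offline demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def gtpu_encapsulate(inner, teid, sgw, pgw):
    """Wrap a subscriber packet as the visited network would: IP/UDP/GTP-U/inner."""
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner  # v1, PT=1, G-PDU
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return ipv4_header(sgw, pgw, 17, len(udp)) + udp

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total]

def inspect(pkt):
    """Outer flow is always visible; inner flow only if the device decodes GTP-U."""
    o_src, o_dst, proto, l4 = parse_ipv4(pkt)
    view = {"outer": (o_src, o_dst), "inner": None, "teid": None}
    if proto != 17 or len(l4) < 16:
        return view
    dport = struct.unpack("!H", l4[2:4])[0]
    flags, msg_type, length, teid = struct.unpack("!BBHI", l4[8:16])
    if dport != GTPU_PORT or flags >> 5 != 1 or msg_type != 0xFF:
        return view
    if flags & 0x04:  # extension header chain present: not decoded in this sketch
        return view
    offset = 16 + (4 if flags & 0x03 else 0)  # S/PN flags add a 4-byte optional block
    i_src, i_dst, _, _ = parse_ipv4(l4[offset:16 + length])
    view.update(inner=(i_src, i_dst), teid=teid)
    return view

def destination_seen(pkt, decode_tunnel):
    """Destination a filter would match on, with and without tunnel decoding."""
    view = inspect(pkt)
    return view["inner"][1] if decode_tunnel and view["inner"] else view["outer"][1]

def demo_packet():
    inner = ipv4_header(UE, SITE, 6, 20) + bytes(20)  # constructed, zeroed TCP header
    return gtpu_encapsulate(inner, TEID, VISITED_SGW, HOME_PGW)

if __name__ == "__main__":
    pkt = demo_packet()
    print(inspect(pkt))
    print(destination_seen(pkt, False), destination_seen(pkt, True))
```

GTP-U adds no encryption of its own, so whether the inner headers are readable on path depends on how the operators protect the roaming link.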
On 15/Nov/15 06:02, Yury Shefer wrote:
My team mate was traveling to China with his Nexus 6 (with Project Fi SIM-card) and was able to access Google services. The phone uses roaming data to access Google and your phone gets IP assigned by your home mobile network packet gateway (P-GW). There is no local data break-out.
Part of the IPX spiel has been about encouraging local break-out to improve the practical experience of the roamer. However, the excuse this does not happen is the difficulty that brings to billing, despite all the talk about Diameter signaling in IPX infrastructure...
You can imagine what my experience is like roaming in Honolulu when I live in South Africa...
Mark.
participants (10)
- Carlos Alcantar
- Jake Mertel
- Jared Geiger
- Jean-Francois Mezei
- Joel Jaeggli
- Mark Tinka
- Roland Dobbins
- Sean Hunter
- Yucong Sun
- Yury Shefer