[Cryptography] Apple's iCloud+ "VPN"

Bill Woodcock woody at pch.net
Tue Jun 29 17:11:14 EDT 2021 

> On Jun 29, 2021, at 4:48 PM, Jerry Leichter <leichter at lrw.com> wrote:
>>> of course this is in a situation where there are at most tens of thousands of beta users.  What will happen when there are hundreds of millions
>> You are radically overestimating the number of users.  This service applies only to paid iCloud subscribers who opt in.
> An analysis back at the beginning of 2018 claimed there were 170 million paying customers… an estimate about 7 months back reported 585 million paid subscribers across all Apple services.

I appreciate your methodology, and that was my assumption, roughly, as well…  There are also 290 million users of Apple hardware, which I had taken to be a maximum bound.  But this is all speculation, so I guess I’ll just wait and see.

>>> Given the large number of very well-connected POP's both parties have, it's quite possible that the effective diameter might end up lower.
>> 
>> No, that is not possible.  Tromboning a path through two additional points cannot make the path shorter.
> 
> I'm not sure why you say that.  It's certainly true when the path between servers is public - as would be the case for Tor.  But both Apple and the big CDN's have plenty of private connections between their own endpoints.  A single hop over one of these connections could easily bypass multiple public point-to-point links.

So, again, discussing content, not DNS, an average path might look like this (while the shortest possible path would have one intervening AS between the user and the content, I’ve diagrammed a more typical three):

User / AS1 / AS2 | AS3 \ Content

The shortest possible trombone path occurs if AS1 is directly peered with Apple and the content is hosted by one of the CDNs which is hosting exit nodes.  Note, as I pointed out before, that this latter is the worst possible case from a privacy perspective, because it annuls the anonymity entirely, making the whole exercise pointless.  In that case, the path looks like this, three AS hops between the user and the content:

User / AS1 | Apple / CDN \ Content

According to HE’s (admittedly imperfect) looking-glass, Apple peers with 378 other networks, compared with more than 6,000 or Level 3, Cogent, and Hurricane Electric, and out of nearly 72,000 networks in total right now.  So, that’s the case for 0.53% of networks.

A few credible-seeming studies show Akamai as having roughly 35% market share, Fastly 13%, and Cloudflare 4%, so, collectively, 52%.  I wasn’t able to find great up-to-date stats on the portion of traffic that’s web traffic, but most of the numbers I see show TCP being about 50%, with HTTP/HTTPS being 80% of that, or 40% of the total.  If we assume (big assumption here) that three quarters of web traffic is hosted on CDNs, you’d think we’d get 52% x 40% x 75% = 15.6% for the content side, but remember that Apple, as the entry node, _can’t optimize which_ CDN to hand off traffic to…  It’s using other metrics, so let’s say it round-robins, and each gets 33% of the traffic.  Akamai will get 33% of the traffic, of which (35% x 40% x 75% =) 10.5% (3.5% overall) will be bound for it, and the remaining 96.5% will have to traverse at least one more intervening AS, but more likely at least two. Fastly will get 33% of the traffic, of which (13% x 40% x 75% =) 3.9% (1.3% overall) will be bound for it, and the remaining 98.7% will have to traverse at least one, but probably two or more, additional ASes.  Cloudflare will get 33% of the traffic, of which (4% x 40% x 75% =) 1.2% (0.39% overall) will be bound for it, and the remaining 99.6% will have to traverse at least one, but probably two or more, additional ASes. So, on average, 1.7% of the traffic coming out of the exit nodes will be able to reach its destination without traversing any additional intervening ASes, while 98.3% of the traffic will have to traverse at least one more, but probably two or more, additional ASes before reaching its destination.

So this shortest-possible-path of three intervening ASes could be expected to apply (0.53% x 1.7% =) 0.009% of the time, or less than one in ten thousand.

A more common path would look like:

User / AS1 / AS2 | Apple / Exit Node / AS3 | CDN \ Content

or

User / AS1 / AS2 \ Apple / Exit Node / AS3 | CDN \ Content

or

User / AS1 / AS2 | Apple / Exit Node | AS3 \ CDN \ Content

or

User / AS1 / AS2 \ Apple / Exit Node | AS3 \ CDN \ Content

with six or more intervening ASes.

I may well be wrong about the percentage of Internet traffic that’s HTTP/HTTPS.  Let’s go crazy and say it’s 70% rather than 40%…  That changes the final number from 0.009% to 0.015%.  It’s not going to change things much.

                                -Bill

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210629/afee58a4/attachment.sig>

More information about the cryptography mailing list