Interesting People mailing list archives
Re: Ok guys and girls -- just who is telling the truth. (Better edit)
From: David Farber <dave () farber net>
Date: Tue, 27 May 2008 17:46:50 -0700
________________________________________
From: Brett Glass [brett () lariat net]
Sent: Tuesday, May 27, 2008 8:38 PM
To: David Farber; ip
Subject: Re: Ok guys and girls -- just who is telling the truth. (Better edit)

At 09:34 AM 5/27/2008, Joe Touch wrote:

> Source IP addresses are supposed to be used only by the endpoint to which they are assigned.
As I mention in a white paper which is currently being drafted and reviewed, this may have been thought to be good practice in 1989 but is not at all the case in the majority of modern networks. If it were so, then one could not have a transparent Web cache -- or, in fact, a transparent proxy of any kind. Such proxies are widely implemented and are beneficial. Nor could one have a router that implements network address translation. RFC 1919 (which post-dates the RFC you mentioned in your original message) notes that both firewalls and transparent proxies do, and should, transmit packets bearing the source addresses of other hosts. The Sandvine system is acting as a firewall appliance when it manages traffic.
> As Tony Lauck noted, TCP is a transport layer protocol. The only way this abuse by Comcast will stop is when we start using IPsec, or TCP-MD5 or somesuch to secure the identity of the origin of a packet.
I'd like to second Dave's call for an end to loaded and pejorative language. To manage traffic on one's network is not abuse.
> There IS a standard mechanism for a network to sever a connection, e.g., ICMPs.
It is well known that ICMP is routinely firewalled and also has untoward side effects. When an address is stated to be "unreachable," traffic which was not intended to be affected may be stopped.
> Comcast should be allowed to control and defend their network. When they do it via standard means, that should be defended by all of us.
The use of RST packets is a standard and common means of administratively terminating a connection. It has been used not only by Sandvine but by other products, such as WebSense, which are not only very useful but required by Federal legislation such as COPA. And it is a standard feature of every UNIX firewall program, including ipfw, pf, ipfilter, and iptables. As I've mentioned in an earlier message, our ISP has been using it for more than 15 years to protect users' privacy by terminating the sessions of dialup users who have disconnected. And so have hundreds if not thousands of educational institutions who use the same or similar software (it's open source, and though we've modified and improved it some over the years this feature was part of the original code).
> When they do it by deception, that should be exposed as the deception it is - by all of us.
No one is being "deceived" by the administrative termination of connections by RST packets. Rather, the endpoints of a TCP connection are being informed that the connection has been administratively terminated.

--Brett Glass
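The thread turns on whether an RST that carries another host's source address can be told apart from one the endpoint itself sent. From a defender's side, the usual evidence is in the packet headers: a middlebox that forges an RST on behalf of a peer rarely reproduces the peer's IP TTL, and sometimes not its sequence-number position either. The following is an added example, not code from the original post or from any product named in it; it assumes a simple in-memory list of captured TCP segments (the sample flow below is constructed) rather than a real packet capture, and applies those two heuristics to flag RSTs that probably did not originate at the endpoint.

```python
"""Flag TCP RST segments that look injected by a third party.

Added example (not from the mailing-list post). Assumes a list of
`Segment` records in capture order; a real deployment would build these
from a pcap. Two heuristics, both from the defender's viewpoint:

  1. The RST's IP TTL differs from the TTL this endpoint used on its own
     earlier segments of the same flow (a forging middlebox sits at a
     different hop distance from the observer).
  2. The RST's sequence number is far outside the region the endpoint
     was last seen using (computed modulo 2**32 to survive wraparound).
"""
from dataclasses import dataclass

SEQ_MOD = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    seq: int
    flags: str  # subset of "SAPRF", e.g. "S", "SA", "PA", "R"


def _flow_key(seg):
    # Direction-specific key: we track each sender's own TTL and seq state.
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_suspect_rsts(segments, ttl_slack=0, seq_window=65535):
    """Return [(index, reason), ...] for RSTs that look injected.

    ttl_slack  - allowed TTL deviation (raise it if genuine endpoints sit
                 behind NAT or multiple paths and show small TTL changes)
    seq_window - how far past the last seen seq an RST may legitimately be
    """
    last_ttl = {}
    last_seq = {}
    suspects = []
    for i, seg in enumerate(segments):
        key = _flow_key(seg)
        if "R" in seg.flags:
            reasons = []
            if key not in last_ttl:
                reasons.append("RST with no prior segment from this endpoint")
            else:
                if abs(seg.ttl - last_ttl[key]) > ttl_slack:
                    reasons.append(
                        f"ttl {seg.ttl} differs from established ttl {last_ttl[key]}")
                if (seg.seq - last_seq[key]) % SEQ_MOD > seq_window:
                    reasons.append(
                        f"seq {seg.seq} outside window after {last_seq[key]}")
            if reasons:
                suspects.append((i, "; ".join(reasons)))
            continue  # never let an RST update the per-sender baseline
        last_ttl[key] = seg.ttl
        last_seq[key] = seg.seq
    return suspects


# Constructed sample: a handshake and some data between a client and a
# server, followed by two RSTs with a foreign TTL (one also off-window)
# and finally a genuine RST from the server itself.
C, S = ("10.0.0.5", 40000), ("203.0.113.7", 80)
SAMPLE = [
    Segment(*C, *S, ttl=64, seq=1000, flags="S"),
    Segment(*S, *C, ttl=52, seq=5000, flags="SA"),
    Segment(*C, *S, ttl=64, seq=1001, flags="A"),
    Segment(*C, *S, ttl=64, seq=1001, flags="PA"),
    Segment(*S, *C, ttl=52, seq=5001, flags="A"),
    Segment(*S, *C, ttl=240, seq=5001, flags="R"),      # index 5: foreign TTL
    Segment(*C, *S, ttl=240, seq=999999, flags="R"),    # index 6: TTL + seq
    Segment(*S, *C, ttl=52, seq=5001, flags="R"),       # index 7: genuine
]

if __name__ == "__main__":
    for idx, why in find_suspect_rsts(SAMPLE):
        print(f"segment {idx}: {why}")
```

The TTL test is the stronger of the two: an injected RST that is meant to be accepted must carry an in-window sequence number anyway, so the sequence check mostly catches sloppy injectors, while the TTL of a spoofed packet reflects where it was actually generated. Both checks are heuristics; endpoints behind NAT or on multipath routes can show small legitimate TTL variation, which is what `ttl_slack` is for.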