Interesting People mailing list archives
Re: Ok guys and girls -- just who is telling the truth. (Better edit)
From: David Farber <dave () farber net>
Date: Tue, 27 May 2008 18:50:52 -0700
________________________________________
From: David P. Reed [dpreed () reed com]
Sent: Tuesday, May 27, 2008 9:23 PM
To: David Farber
Cc: ip
Subject: Re: [IP] Re: Ok guys and girls -- just who is telling the truth. (Better edit)

Transparent Web Caches were rejected by web servers in the 1990s. Akamai and similar non-transparent, source-controlled content distribution networks are what commercial players use - not transparent, and properly obeying the end-to-end principle, because they do what is asked by the origin of the content, with the knowledge of the origin.

There is NO SUCH THING as a transparent web cache, and commercial players do not accept IP address spoofing by intermediaries.

RFC 1919 does not suggest that routers are free to inject packets with forged addresses.

There is no notion that larger RFC numbers "supersede" smaller ones. The only case where an RFC supersedes a prior one is when it says so in the text ("supersedes RFC xxx").

Does anyone actually find Brett's comments interesting? Does any IETF member find Brett's comments plausible? I hardly think anyone could find them authoritative.

That said, the man should be applauded for building a nice small business in Wyoming. I certainly think he can call that an accomplishment. That's why he's interesting. However, his comments on protocols are just wrong.

David Farber wrote:
________________________________________
From: Brett Glass [brett () lariat net]
Sent: Tuesday, May 27, 2008 8:38 PM
To: David Farber; ip
Subject: Re: Ok guys and girls -- just who is telling the truth. (Better edit)

At 09:34 AM 5/27/2008, Joe Touch wrote:

> Source IP addresses are supposed to be used only by the endpoint to which they are assigned.

As I mention in a white paper which is currently being drafted and reviewed, this may have been thought to be good practice in 1989 but is not at all the case in the majority of modern networks. If it were so, then one could not have a transparent Web cache -- or, in fact, a transparent proxy of any kind. Such proxies are widely implemented and are beneficial. Nor could one have a router that implements network address translation. RFC 1919 (which post-dates the RFC you mentioned in your original message) notes that both firewalls and transparent proxies do, and should, transmit packets bearing the source addresses of other hosts. The Sandvine system is acting as a firewall appliance when it manages traffic.

> As Tony Lauck noted, TCP is a transport layer protocol. The only way this abuse by Comcast will stop is when we start using IPsec, or TCP-MD5 or somesuch to secure the identity of the origin of a packet.

I'd like to second Dave's call for an end to loaded and pejorative language. To manage traffic on one's network is not abuse.

> There IS a standard mechanism for a network to sever a connection, e.g., ICMPs.

It is well known that ICMP is routinely firewalled and also has untoward side effects. When an address is stated to be "unreachable," traffic which was not intended to be affected may be stopped.

> Comcast should be allowed to control and defend their network. When they do it via standard means, that should be defended by all of us.

The use of RST packets is a standard and common means of administratively terminating a connection. It has been used not only by Sandvine but by other products, such as WebSense, which are not only very useful but required by Federal legislation such as COPA. And it is a standard feature of every UNIX firewall program, including ipfw, pf, ipfilter, and iptables. As I've mentioned in an earlier message, our ISP has been using it for more than 15 years to protect users' privacy by terminating the sessions of dialup users who have disconnected. And so have hundreds if not thousands of educational institutions who use the same or similar software (it's open source, and though we've modified and improved it some over the years this feature was part of the original code).

> When they do it by deception, that should be exposed as the deception it is - by all of us.

No one is being "deceived" by the administrative termination of connections by RST packets. Rather, the endpoints of a TCP connection are being informed that the connection has been administratively terminated.

--Brett Glass

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
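The thread turns on whether an endpoint is "informed" or "deceived" by a RST that an intermediary sends with the peer's source address. An added example, not part of any message above: a small Python check a network operator or endpoint owner could run over their own flow records to flag a RST whose IP TTL does not match the hop distance every other segment from that sender has shown, which is one way an injected reset is distinguishable from one the peer actually sent. The packet records are constructed sample data, and the field names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample flow (not a real capture): a client talking to a peer,
# then a RST that carries the peer's address but arrives from a different
# hop distance than every genuine segment the peer sent.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "sport": 40000, "dport": 6881,
     "flags": "S", "ttl": 64, "seq": 1000},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "sport": 6881, "dport": 40000,
     "flags": "SA", "ttl": 51, "seq": 5000},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "sport": 40000, "dport": 6881,
     "flags": "A", "ttl": 64, "seq": 1001},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "sport": 6881, "dport": 40000,
     "flags": "PA", "ttl": 51, "seq": 5001},
    # The RST: same 4-tuple as the peer's traffic, but TTL 58 instead of 51.
    {"src": "203.0.113.7", "dst": "10.0.0.5", "sport": 6881, "dport": 40000,
     "flags": "R", "ttl": 58, "seq": 5001},
]


def flow_key(p):
    """Direction-specific 4-tuple: each sender of a flow gets its own baseline."""
    return (p["src"], p["sport"], p["dst"], p["dport"])


def find_suspect_resets(packets, ttl_tolerance=2):
    """Return RSTs whose TTL is further than ttl_tolerance from every TTL the
    same sender used on its non-RST segments in that flow.

    A host's TTL is stable within a connection, so a RST at a different hop
    distance was generated somewhere other than the host it claims to be.
    This is a heuristic: route changes or multipath can move the TTL too."""
    seen_ttls = defaultdict(set)
    suspects = []
    for p in packets:
        key = flow_key(p)
        if "R" in p["flags"]:
            baseline = seen_ttls.get(key)
            if baseline and all(abs(p["ttl"] - t) > ttl_tolerance for t in baseline):
                suspects.append({"flow": key, "rst_ttl": p["ttl"],
                                 "baseline_ttls": sorted(baseline), "seq": p["seq"]})
        else:
            seen_ttls[key].add(p["ttl"])
    return suspects


if __name__ == "__main__":
    for s in find_suspect_resets(SAMPLE_PACKETS):
        print("suspect RST on flow %s: ttl %d vs baseline %s" %
              (s["flow"], s["rst_ttl"], s["baseline_ttls"]))
```

A RST the peer itself sent (same TTL as its other segments) produces no finding, which is the distinction the thread is arguing about: the check does not object to administrative termination, only to a reset that does not come from where it says it does.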