Interesting People mailing list archives

Re: Ok guys and girls -- just who is telling the truth. (Better edit)


From: David Farber <dave () farber net>
Date: Tue, 27 May 2008 17:46:50 -0700


________________________________________
From: Brett Glass [brett () lariat net]
Sent: Tuesday, May 27, 2008 8:38 PM
To: David Farber; ip
Subject: Re: Ok guys and girls -- just who is telling the truth. (Better edit)

At 09:34 AM 5/27/2008, Joe Touch wrote:

> Source IP addresses are supposed to be used only
> by the endpoint to which they are assigned.

As I mention in a white paper which is currently being drafted and
reviewed, this may have been thought to be good practice in 1989
but is not at all the case in the majority of modern networks. If it
were so, then one could not have a transparent Web cache -- or,
in fact, a transparent proxy of any kind. Such proxies are widely
implemented and are beneficial. Nor could one have a router that
implements network address translation.

RFC 1919 (which post-dates the RFC you mentioned in your original
message) notes that both firewalls and transparent proxies do,
and should, transmit packets bearing the source addresses of other
hosts. The Sandvine system is acting as a firewall appliance when
it manages traffic.

> As Tony Lauck noted, TCP is a transport layer protocol. The only way
> this abuse by Comcast will stop is when we start using IPsec, or TCP-MD5
> or somesuch to secure the identity of the origin of a packet.

I'd like to second Dave's call for an end to loaded and pejorative language.
To manage traffic on one's network is not abuse.

> There IS a standard mechanism for a network to sever a connection, e.g.,
> ICMPs.

It is well known that ICMP is routinely firewalled and also has untoward
side effects. When an address is stated to be "unreachable," traffic which
was not intended to be affected may be stopped.

> Comcast should be allowed to control and defend their network. When they
> do it via standard means, that should be defended by all of us.

The use of RST packets is a standard and common means of administratively
terminating a connection. It has been used not only by Sandvine but by
other products, such as WebSense, which are not only very useful but
required by Federal legislation such as COPA. And it is a standard feature
of every UNIX firewall program, including ipfw, pf, ipfilter, and iptables.
As I've mentioned in an earlier message, our ISP has been using it for more
than 15 years to protect users' privacy by terminating the sessions of
dialup users who have disconnected. And so have hundreds if not thousands of
educational institutions who use the same or similar software (it's open
source, and though we've modified and improved it some over the years this
feature was part of the original code).

> When they do it by deception, that should be exposed as the deception it is -
> by all of us.

No one is being "deceived" by the administrative termination of connections
by RST packets. Rather, the endpoints of a TCP connection are being informed
that the connection has been administratively terminated.

--Brett Glass
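The thread turns on whether an administratively sent RST "informs" the endpoints. What actually decides that is the receiving TCP's own acceptability test for a RST, per RFC 793 and the tightened rules of RFC 5961. The following is an added illustration, not code from the thread or from any of the products named in it; the state values and segment sequence numbers are constructed for the example.

```python
"""How a TCP endpoint decides what to do with an incoming RST segment.

RFC 793: a RST is honoured if its sequence number lies in the receive window.
RFC 5961: only a RST whose SEQ equals RCV.NXT resets the connection; an
in-window but inexact RST draws a "challenge ACK" so a legitimate peer can
re-send an exactly aligned RST, and anything out of window is dropped.
"""
from dataclasses import dataclass

MOD32 = 2 ** 32


@dataclass
class RecvState:
    rcv_nxt: int  # next sequence number this endpoint expects from its peer
    rcv_wnd: int  # receive window it has advertised, in bytes


def in_window(seq: int, st: RecvState) -> bool:
    """RFC 793 acceptability test, with 32-bit sequence-number wraparound."""
    return (seq - st.rcv_nxt) % MOD32 < st.rcv_wnd


def handle_rst(seq: int, st: RecvState, rfc5961: bool = True) -> str:
    """Return the endpoint's reaction to a RST carrying sequence number 'seq'.

    'reset'     - connection torn down (the endpoint has been informed)
    'challenge' - endpoint replies with an ACK and keeps the connection
    'drop'      - segment is silently ignored
    """
    if not in_window(seq, st):
        return "drop"
    if not rfc5961:
        return "reset"  # classic RFC 793 behaviour: any in-window RST wins
    return "reset" if seq == st.rcv_nxt else "challenge"


def scenario() -> dict:
    """Constructed flow: the endpoint expects byte 5000 next and offers 64 KiB.

    An in-path device (firewall, proxy, dialup terminator) that has seen the
    flow knows the peer's next sequence number and can send an exactly aligned
    RST; an off-path sender that has not seen the flow must guess.
    """
    st = RecvState(rcv_nxt=5000, rcv_wnd=65535)
    return {
        "in_path_exact": handle_rst(5000, st),            # aligned with RCV.NXT
        "in_window_guess": handle_rst(5000 + 1000, st),   # inside window, inexact
        "in_window_guess_rfc793": handle_rst(6000, st, rfc5961=False),
        "out_of_window_guess": handle_rst(5000 + 100000, st),
    }
```
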



