Interesting People mailing list archives

Re: Ok guys and girls -- just who is telling the truth. (Better edit)


From: David Farber <dave () farber net>
Date: Tue, 27 May 2008 18:50:52 -0700


________________________________________
From: David P. Reed [dpreed () reed com]
Sent: Tuesday, May 27, 2008 9:23 PM
To: David Farber
Cc: ip
Subject: Re: [IP] Re: Ok guys and girls -- just who is telling the truth. (Better edit)

Transparent Web Caches were rejected by web servers in the 1990's.
Akamai and similar non-transparent, source-controlled content
distribution networks are what commercial players use - not transparent,
and properly obeying the end-to-end principle, because they do what is
asked by the origin of the content, with the knowledge of the origin.
There is NO SUCH THING as a transparent web cache, and commercial
players do not accept IP address spoofing by intermediaries.

RFC 1919 does not suggest that routers are free to inject packets with
forged addresses.

There is no notion that larger RFC numbers "supersede" smaller ones.
The only case where an RFC supersedes a prior one is when it says so in
the text ("supersedes RFC xxx").

Does anyone actually find Brett's comments interesting?  Does any IETF
member find Brett's comments plausible?   I hardly think anyone could
find them authoritative.

That said, the man should be applauded for building a nice small
business in Wyoming.  I certainly think he can call that an
accomplishment.   That's why he's interesting.  However, his comments on
protocols are just wrong.


David Farber wrote:
________________________________________
From: Brett Glass [brett () lariat net]
Sent: Tuesday, May 27, 2008 8:38 PM
To: David Farber; ip
Subject: Re: Ok guys and girls -- just who is telling the truth. (Better edit)

At 09:34 AM 5/27/2008, Joe Touch wrote:

> Source IP addresses are supposed to be used only
> by the endpoint to which they are assigned.


As I mention in a white paper which is currently being drafted and
reviewed, this may have been thought to be good practice in 1989
but is not at all the case in the majority of modern networks. If it
were so, then one could not have a transparent Web cache -- or,
in fact, a transparent proxy of any kind. Such proxies are widely
implemented and are beneficial. Nor could one have a router that
implements network address translation.

RFC 1919 (which post-dates the RFC you mentioned in your original
message) notes that both firewalls and transparent proxies do,
and should, transmit packets bearing the source addresses of other
hosts. The Sandvine system is acting as a firewall appliance when
it manages traffic.


> As Tony Lauck noted, TCP is a transport layer protocol. The only way
> this abuse by Comcast will stop is when we start using IPsec, or TCP-MD5
> or somesuch to secure the identity of the origin of a packet.


I'd like to second Dave's call for an end to loaded and pejorative language.
To manage traffic on one's network is not abuse.


> There IS a standard mechanism for a network to sever a connection, e.g.,
> ICMPs.


It is well known that ICMP is routinely firewalled and also has untoward
side effects. When an address is stated to be "unreachable," traffic which
was not intended to be affected may be stopped.


> Comcast should be allowed to control and defend their network. When they
> do it via standard means, that should be defended by all of us.


The use of RST packets is a standard and common means of administratively
terminating a connection. It has been used not only by Sandvine but by
other products, such as WebSense, which are not only very useful but
required by Federal legislation such as COPA. And it is a standard feature
of every UNIX firewall program, including ipfw, pf, ipfilter, and iptables.
As I've mentioned in an earlier message, our ISP has been using it for more
than 15 years to protect users' privacy by terminating the sessions of
dialup users who have disconnected. And so have hundreds if not thousands of
educational institutions who use the same or similar software (it's open
source, and though we've modified and improved it some over the years this
feature was part of the original code).


> When they do it by deception, that should be exposed as the deception it is -
> by all of us.


No one is being "deceived" by the administrative termination of connections
by RST packets. Rather, the endpoints of a TCP connection are being informed
that the connection has been administratively terminated.

--Brett Glass




-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
