nanog mailing list archives
Re: backbone transparent proxy / connection hijacking
From: Jeremy Porter <jerry () freeside fc net>
Date: Sat, 27 Jun 1998 21:37:12 -0500
Cisco policy routing can use source IP address for deciding to pass traffic to the cache engine. The cache engine normally can be configured to exempt destinations. I believe that this fixes both issues.

Expecting the customer to be able to have a clue to go to a www page is a bit much, tho. Some customers have set up IP based authentication on their NT server, but can't figure out how to configure SSL, which wouldn't be cached, and would be more secure.

The burden of making this work is on the cache operator. Also it turns out that the sites with the most problems with the cache are the ones paying the least money for service. It's hard to feel very sorry for a $20/month dialup customer who is connecting to his corporate site with a broken NT server.

If customers are using proxies that break, it's easy enough for them to speak ICP, and still get the same operational conditions, as far as the ISP side is concerned.

As far as the asymmetric routing issue, the traffic INSIDE the ISP isn't asymmetric, and shouldn't need to be cached. I don't really see the problem here. (But it could be me.)

In message <Pine.A41.3.96-heb-2.07.980627214536.55182A-100000 () max ibm net il>, Hank Nussbacher writes:
On Fri, 26 Jun 1998, Paul Gauthier wrote:

From what I have seen, the Alteon/Inktomi/Netcache/Cisco solutions do *not* allow for an unlimited bypass list - both based on destination or source IP address. When that happens, the ISP, Digex in this case, can have a simple authenticated web page where a customer can add their CIDR block to a bypass list in the transparent proxy. Till then, all the bashing will continue.

Add to the things that will break - simplex or asymmetric routing. More and more customers are ordering simplex satellite lines. Imagine a European company that buys a 512kb line from an ISP but also buys a T1 simplex satellite line to augment b/w. The http request goes out with the sat-link CIDR block as source. The request hits the transparent proxy for a USA based page. The proxy retrieves the page from the USA, using its expensive transAtlantic link. Page hits the proxy. Now the transparent proxy needs to deliver the page. But the requestor's IP address is located at some satellite provider in the USA (previously discussed here), so the transparent proxy routes the page back across the Atlantic for delivery via the satellite simplex line.

Same problems happen with asymmetric routing. I blv Vern has a study that shows that 60% of all routes on the Internet are asymmetric.

Bottom line: w/o bypass based on source or destination, the bashing will continue.
--- Jeremy Porter, Freeside Communications, Inc. jerry () fc net PO BOX 80315 Austin, Tx 78708 | 512-458-9810 http://www.fc.net
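
The source- and destination-based bypass discussed in this thread, as an added example (not code from any poster or vendor): a model of the redirect decision in front of a transparent cache, plus the check a self-service bypass page needs so that a customer can exempt only blocks inside their own allocation. The class, method names and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress


class BypassPolicy:
    """Model of the redirect decision made in front of a transparent HTTP cache."""

    def __init__(self, dest_bypass=()):
        self.source_bypass = []  # customer blocks exempted by source address
        self.dest_bypass = [ipaddress.ip_network(n) for n in dest_bypass]

    def add_customer_block(self, allocation, requested):
        """Self-service add: accept only a block inside the customer's allocation."""
        alloc = ipaddress.ip_network(allocation)
        block = ipaddress.ip_network(requested)  # ValueError if host bits are set
        if block.version != alloc.version or not block.subnet_of(alloc):
            return False  # someone else's space, or a supernet such as 0.0.0.0/0
        if block not in self.source_bypass:
            self.source_bypass.append(block)
        return True

    def decide(self, src, dst, dport):
        """Return (action, reason) for one TCP flow seen by the redirector."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport != 80:
            return ("forward", "not-http")  # e.g. SSL on 443 is never cached
        if any(src_ip in net for net in self.source_bypass):
            return ("forward", "source-bypass")  # e.g. satellite-sourced block
        if any(dst_ip in net for net in self.dest_bypass):
            return ("forward", "dest-bypass")  # e.g. server doing IP-based auth
        return ("redirect", "cache")


if __name__ == "__main__":
    # Constructed sample data using RFC 5737 documentation ranges.
    policy = BypassPolicy(dest_bypass=["203.0.113.10/32"])
    print(policy.add_customer_block("198.51.100.0/24", "198.51.100.64/26"))
    print(policy.add_customer_block("198.51.100.0/24", "0.0.0.0/0"))
    print(policy.decide("198.51.100.70", "192.0.2.80", 80))
    print(policy.decide("198.51.100.10", "203.0.113.10", 80))
    print(policy.decide("198.51.100.10", "192.0.2.80", 80))
```
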