nanog mailing list archives

Re: backbone transparent proxy / connection hijacking


From: Jeremy Porter <jerry () freeside fc net>
Date: Sat, 27 Jun 1998 21:37:12 -0500


Cisco policy routing can use source IP address for deciding to pass
traffic to the cache engine.  The cache engine, normally, can be
configured to exempt destinations.  I believe that this fixes both
issues. Expecting the customer to be able to have a clue to
go to a www page is a bit much, though.  Some customers have set up
IP based authentication on their NT server, but can't figure out how
to configure SSL which wouldn't be cached, and would be more secure.
The burden of making this work is on the cache operator.  Also it turns
out that the sites with the most problems with the cache are the ones
paying the least money for service.  It's hard to feel very sorry for
a $20/month dialup customer, who is connecting to his corporate site
with a broken NT server.

If customers are using proxies that break, it's easy enough for them
to speak ICP, and still get the same operational conditions, as far
as the ISP side is concerned.

As far as the asymmetric routing issue, the traffic INSIDE the ISP isn't
asymmetric, and shouldn't need to be cached.  I don't really see the
problem here.  (But it could be me.)

In message <Pine.A41.3.96-heb-2.07.980627214536.55182A-100000 () max ibm net il>, 
Hank Nussbacher writes:

On Fri, 26 Jun 1998, Paul Gauthier wrote:
From what I have seen, the Alteon/Inktomi/Netcache/Cisco solutions do
*not* allow for an unlimited bypass list - both based on destination or
source IP address.  When that happens, the ISP, Digex in this case, can
have a simple authenticated web page where a customer can add their CIDR
block to a bypass list in the transparent proxy.  Till then, all the
bashing will continue. 

Add to the things that will break - simplex or asymmetric routing.  More
and more customers are ordering simplex satellite lines.  Imagine a
European company that buys a 512kb line from an ISP but also buys a T1
simplex satellite line to augment b/w.  The http request goes out with the
sat-link CIDR block as source.  The request hits the transparent proxy for
a USA based page.  The proxy retrieves the page from the USA, using its
expensive transAtlantic link.  Page hits the proxy.  Now the transparent
proxy needs to deliver the page.  But the requestor's IP address is located
at some satellite provider in the USA (previously discussed here), so the
transparent proxy routes the page back across the Atlantic for delivery
via the satellite simplex line.

Same problems happen with asymmetric routing.  I believe Vern has a study that
shows that 60% of all routes on the Internet are asymmetric.

Bottom line: w/o bypass based on source or destination, the bashing will
continue.

---
Jeremy Porter, Freeside Communications, Inc.      jerry () fc net
PO BOX 80315 Austin, Tx 78708  | 512-458-9810
http://www.fc.net
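The source-based bypass Jeremy describes, as an added illustration that is not part of the original message or of any vendor's documentation: an IOS-style policy route-map that sends port-80 traffic to the cache engine, with a customer's CIDR block (the bypass list) and a problem destination exempted. All addresses are constructed RFC 5737 documentation ranges, and the interface and next-hop values are assumptions.

```cisco
! Added example, not from the original post. Addresses are constructed.
! Weak setting: everything on port 80 is redirected, so a customer whose
! server does IP-based authentication, or who uses a simplex satellite
! return path, sees the cache's address (or a path it never sent on).
access-list 100 permit tcp any any eq 80
!
! Corrected setting: deny (i.e. do NOT policy-route) the bypass entries
! first; only what falls through to the final permit goes to the cache.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any        ! customer CIDR on the bypass list (source)
access-list 101 deny   ip any 198.51.100.0 0.0.0.255     ! destination that must not be cached
access-list 101 permit tcp any any eq 80                 ! everything else on port 80 -> cache
!
route-map CACHE-REDIRECT permit 10
 match ip address 101
 set ip next-hop 203.0.113.2                             ! assumed cache engine address
!
interface Serial0/0                                      ! assumed customer-facing interface
 ip policy route-map CACHE-REDIRECT
```

Traffic that matches a deny entry in ACL 101 falls out of the route-map and is forwarded by the normal routing table, which is what gives the bypassed customer the original source address and path at the far end.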

