[snip]
Examples:
- Using different source IP ranges in CGNAT for ‘web’ traffic vs ‘non-web’ (i.e. port 80/443 vs all other ports) - this can break local IP discovery for peer-to-peer stuff if it relies on a ‘web’ port for an API endpoint
Even more annoying than basic CGNAT, and doesn’t really benefit the ISP.
- Using any form of NAT / packet translation with IPv6 (not including NAT64 / other IPv4-transition-related mechanisms)
Pointless, annoying, unacceptable.
- Dropping non-TCP/UDP/ICMP protocols (outside of CGNAT) - such as ‘raw’ IPsec ESP / AH without UDP encapsulation, or SCTP
Completely unacceptable.
- TCP MSS - MSS clamping on all connections
May be necessary in limited circumstances. Best avoided if possible.
- TCP MSS - MSS clamping, but instead (accidentally?) setting MSS to your desired value even if it was lower before
That’s just dumb.
- Other TCP options - Dropping SYN packets with invalid/unknown options
Annoying and probably ill-advised.
- TCP connection interception - Network operator terminates the TCP session from the user and then establishes a new one with the original destination. All TCP options, sequence numbers, etc. are lost in this translation
I don’t know what you would call this form of proxy, but it’s not internet service.
- Related to above - Network accepts TCP connection which it will intercept (sends SYN/ACK to user) before it confirms that the destination is reachable
A particularly ill-advised version of the above.
- Dropping/resetting port 80 sessions that don't ‘look like’ HTTP
Unacceptable.
- Dropping/resetting port 443 sessions that don't ‘look like’ TLS
Unacceptable.
- Redirecting port 53 DNS queries to the ISP’s own servers, regardless of destination IP
Unacceptable.
- HTTP header injection into port 80 HTTP traffic (e.g. for user tracking)
Unacceptable.
- HTTP content injection into port 80 HTTP traffic (e.g. replacing ads, adding dialogs, …) (and not blanket redirection for non-payment)
Unacceptable.

Owen
Thanks,
Andrew ‘apalrd’ Palardy
www.apalrd.net
https://www.youtube.com/c/apalrdsadventures

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/JCNJISMB...
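The MSS items in the list above (clamping that should only ever lower the value, and the mistaken variant that overwrites it) and the "dropping SYNs with unknown options" item come down to how a middlebox walks the TCP option list. The following is an added example, not code from the post or from any ISP's equipment: it parses a SYN's options while keeping option kinds it does not recognise, and puts a correct clamp next to the overwrite bug. The sample option bytes are constructed here, not captured traffic, and the helper names are the example's own.

```python
"""Added example (not part of the NANOG post): walk the TCP options of a
SYN segment, tolerate option kinds the middlebox does not recognise, and
clamp MSS the right way (only ever lowering it) next to the mistaken
'overwrite MSS with my value' rewrite the post complains about.
The sample options block is constructed here, not captured traffic."""
import struct

MSS_KIND = 2

def _walk(opts: bytes):
    """Yield (offset, kind, length) for each option, validating lengths.
    Kinds 0 (EOL) and 1 (NOP) are single bytes; everything else carries a
    length byte (RFC 9293), so unknown kinds can be skipped, not dropped."""
    i = 0
    n = len(opts)
    while i < n:
        kind = opts[i]
        if kind == 0:          # End of option list; padding follows
            return
        if kind == 1:          # No-operation, used for alignment
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > n:
            raise ValueError("bad length %d for kind %d" % (length, kind))
        yield i, kind, length
        i += length

def parse_tcp_options(opts: bytes) -> list:
    """Return [(kind, payload)] including kinds we do not understand."""
    out = []
    for off, kind, length in _walk(opts):
        payload = b"" if kind == 1 else opts[off + 2:off + length]
        out.append((kind, payload))
    return out

def get_mss(opts: bytes):
    """MSS value advertised in the options, or None if absent."""
    for kind, payload in parse_tcp_options(opts):
        if kind == MSS_KIND and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None

def rewrite_mss(opts: bytes, value: int) -> bytes:
    """Overwrite the MSS value in place. Option layout and total length are
    unchanged, so the TCP data offset stays valid; a real middlebox must
    also recompute the TCP checksum afterwards (not shown here)."""
    buf = bytearray(opts)
    for off, kind, length in _walk(opts):
        if kind == MSS_KIND and length == 4:
            struct.pack_into("!H", buf, off + 2, value)
    return bytes(buf)

def clamp_mss(opts: bytes, max_mss: int) -> bytes:
    """Correct clamp: lower MSS only when the advertised value exceeds max_mss."""
    cur = get_mss(opts)
    if cur is None or cur <= max_mss:
        return opts
    return rewrite_mss(opts, max_mss)

def force_mss(opts: bytes, value: int) -> bytes:
    """The mistake from the post: set MSS to 'your desired value' even when
    the peer advertised something smaller, raising it behind the peer's back."""
    if get_mss(opts) is None:
        return opts
    return rewrite_mss(opts, value)

# Constructed SYN options: MSS 1460, NOP, NOP, timestamps, SACK-permitted,
# window scale 7, and an experimental option (kind 253, RFC 6994) that a
# naive middlebox might treat as "invalid/unknown"; padded with EOL.
SYN_OPTS = bytes([
    2, 4, 0x05, 0xB4,                       # MSS = 1460
    1, 1,                                   # NOP, NOP
    8, 10, 0, 0, 0, 1, 0, 0, 0, 0,          # timestamps TSval=1, TSecr=0
    4, 2,                                   # SACK permitted
    3, 3, 7,                                # window scale 7
    253, 4, 0xAB, 0xCD,                     # experimental kind 253
    0, 0, 0,                                # EOL + padding to 28 bytes
])

if __name__ == "__main__":
    print("advertised MSS:", get_mss(SYN_OPTS))
    print("clamped to 1400:", get_mss(clamp_mss(SYN_OPTS, 1400)))
    small = rewrite_mss(SYN_OPTS, 1200)    # a peer that advertised 1200
    print("clamp leaves 1200 alone:", get_mss(clamp_mss(small, 1400)))
    print("force raises 1200 to:", get_mss(force_mss(small, 1400)))
```

The walker treats an unknown kind exactly like a known one it does not care about: read the length byte, skip. Only a genuinely malformed option (length under 2, or running past the end of the option area) raises, which is the one case where discarding the SYN is defensible. The clamp compares before it writes; `force_mss` is what you get when that comparison is left out.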