On Thu, Jun 25, 1998 at 04:11:18PM -0400, Jon Lewis wrote:
[...] We've got customers with web sites that are broken now because they can't communicate with things like Cybercash, because their outgoing http requests are hijacked and sent through a Digex web cache.
Odd. The box we used to sell through Mirror Image Internet has no problems reaching Cybercash's site -- though I'll admit that we had a lot of angry customers for a long time while we found all the weird little unspecified protocol violations that "just work" if no "hijacking" takes place.

I don't think Digex is using one of our boxes, and if they are using one of the "just run Inktomi software on a Solaris box and put an Alteon next to it" then there are going to be some weird little unspecified protocol violations that only Alteon, and a new protocol between Alteon and Inktomi, could fix. (Our box integrates forwarding and "hijacking" and this is why.)

karl@mcs.net (Karl Denninger) adds:
Sigh...... why did I know this kind of crap (hijacking connections) was going to start. Grrr.....
I understand why people do it, but I do NOT approve of it.
The box we built was designed for access providers -- you know, put 1,000 modems in a room and sell dialup accounts. It works fine in that context. And, dialup users are usually not terribly deep as technologists, and they are used to having their bits mutilated in the great cause of "overcommit."

While a T1 data rate would present no real problem, a T1 customer who would usually recognize what was happening to them AND care about it, *would* represent a problem. And besides, a T1 customer would probably be willing and able to use ICP or at least run their own local cache and point their browsers at it nontransparently.

-- 
Paul Vixie <paul@vix.com>          La Honda, CA
                                   "Many NANOG members have been around longer than most." --Jim Fleming
pacbell!vixie!paul                 (An H.323 GateKeeper for the IPv8 Network)
On Thu, Jun 25, 1998 at 05:12:08PM -0700, Paul Vixie wrote:
The box we built was designed for access providers -- you know, put 1,000 modems in a room and sell dialup accounts. It works fine in that context. And, dialup users are usually not terribly deep as technologists, and they are used to having their bits mutilated in the great cause of "overcommit."
While a T1 data rate would present no real problem, a T1 customer who would usually recognize what was happening to them AND care about it, *would* represent a problem. And besides, a T1 customer would probably be willing and able to use ICP or at least run their own local cache and point their browsers at it nontransparently.
Putting these in a POP and hijacking the connections can dramatically lower the amount of money an NSP needs to spend on long-haul connections (every locally-fed entry is one you don't pay to transport (again)). Why do you think this is so popular with the cable modem folks?

However, the first time a customer who didn't know about this gets an aged quote on a stock (and loses their shirt), or something else happens that causes real trouble, you've got a major problem, and it might be a legal rather than an operational one.

I don't consider this kind of thing, done without full disclosure, to be proper in ANY context. To accomplish the goal you have to *steal* the packet flow that was given to you and monkey with it. That act is at least somewhat likely to constitute "wiretapping", and since it's done without the consent or even knowledge of *any* of the parties to the communication at hand......

-- 
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
On 25 Jun 1998, Paul Vixie wrote:
I don't think Digex is using one of our boxes, and if they are using one of the "just run Inktomi software on a Solaris box and put an Alteon next to it" then there are going to be some weird little unspecified protocol violations that only Alteon, and a new protocol between Alteon and Inktomi,
The proxy we seem to be trapped with is:

REMOTE_HOST = dca1-wc2.atlas.digex.net
REMOTE_ADDR = 165.117.17.251

Trying 165.117.17.251...
Connected to 165.117.17.251.
Escape character is '^]'.

SunOS 5.6

login:

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>          |  Spammers will be winnuked or
 Network Administrator               |  drawn and quartered...whichever
 Florida Digital Turnpike            |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
Darn shame DiGex does not have a NOC. </sarcasm>

randy
...that would be an Inktomi Traffic Server:

Trying 165.117.17.251...
Connected to dca1-wc2.atlas.digex.net.
Escape character is '^]'.
!
<HEAD><TITLE>Bad Request Header</TITLE></HEAD>
<BODY BGCOLOR="white" FGCOLOR="black"><H1>Bad Request Header</H1><HR>
<FONT FACE="Helvetica,Arial"><B>
Description: Couldn't process this request. Bad HTTP header syntax.
</B></FONT>
<HR>
<!-- (This "Bad Request Header" response (HTTP status 500) comes from a Traffic-Server/1.1.1 network cache.)-->
                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
</BODY>
Connection closed by foreign host.
The proxy we seem to be trapped with is:

REMOTE_HOST = dca1-wc2.atlas.digex.net
REMOTE_ADDR = 165.117.17.251

Trying 165.117.17.251...
Connected to 165.117.17.251.
Escape character is '^]'.

SunOS 5.6

login:
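The probe used above (one junk line that no real origin server would accept) can be automated. What follows is an added example, not code from the thread, from Inktomi or from Digex: it sends the same kind of malformed request to port 80 and fingerprints whoever answers, using the Traffic-Server comment from the error page quoted above plus the generic Via, X-Cache and Age headers as evidence of an intermediary. The marker list, the status line and headers of the constructed sample replies, and the Apache banner in the "origin" sample are all assumptions made for the example; the Traffic Server sample is modeled on the page quoted above but is not captured traffic. The Age check makes Karl's "aged stock quote" complaint measurable: it is how many seconds a cache has been holding what it just served.

```python
"""Fingerprint a transparent HTTP cache from its answer to a deliberately bad request.

Added example (not from the thread). A junk request line such as "!" is not
valid HTTP, so whoever returns a recognisable error page is the box that
actually terminated the TCP connection. If port 80 is being hijacked, that
box is the cache, not the host you dialed.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import List, Optional

# The probe from the thread: one junk line, then end of headers.
BAD_REQUEST_PROBE = b"!\r\n\r\n"

# Markers that point at an intermediary. Assumed for this example: the first
# is the comment Traffic Server put in its error page, the rest are generic
# cache/proxy headers. Via can also come from a proxy the client chose or from
# a reverse proxy in front of the origin, so treat these as evidence, not proof.
CACHE_MARKERS = [
    (re.compile(rb"Traffic-Server/([\d.]+)", re.I), "Inktomi Traffic Server"),
    (re.compile(rb"^Via:[ \t]*(.+?)\r?$", re.I | re.M), "Via header"),
    (re.compile(rb"^X-Cache:[ \t]*(.+?)\r?$", re.I | re.M), "X-Cache header"),
    (re.compile(rb"^Age:[ \t]*(\d+)", re.I | re.M), "Age header"),
]


@dataclass
class Verdict:
    intercepted: bool               # some intermediary marker was found
    status: Optional[int]           # HTTP status of the reply, if parseable
    evidence: List[str] = field(default_factory=list)


def parse_status(raw: bytes) -> Optional[int]:
    """Return the numeric status from the first line, or None if it is not HTTP."""
    m = re.match(rb"HTTP/\d\.\d[ \t]+(\d{3})", raw)
    return int(m.group(1)) if m else None


def age_seconds(raw: bytes) -> Optional[int]:
    """Age header value: how long a cache has held the object it just served."""
    m = CACHE_MARKERS[3][0].search(raw)
    return int(m.group(1)) if m else None


def classify(raw: bytes) -> Verdict:
    """Scan a raw reply for cache markers and summarise what was found."""
    evidence = []
    for pattern, label in CACHE_MARKERS:
        m = pattern.search(raw)
        if m:
            evidence.append(f"{label}: {m.group(1).decode(errors='replace').strip()}")
    return Verdict(intercepted=bool(evidence), status=parse_status(raw), evidence=evidence)


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Verdict:
    """Send the junk request to host:port and classify whatever answers.
    This is the only function that touches the network; the samples below do not."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(BAD_REQUEST_PROBE)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


# Constructed sample replies (not captured traffic).
# 1. Modeled on the Traffic Server error page quoted in the thread; the
#    status line and Content-Type header are assumptions.
TS_RESPONSE = (
    b"HTTP/1.0 500 Bad Request Header\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<HEAD><TITLE>Bad Request Header</TITLE></HEAD>\r\n"
    b"<BODY><H1>Bad Request Header</H1>\r\n"
    b"<!-- (This \"Bad Request Header\" response (HTTP status 500) comes from a "
    b"Traffic-Server/1.1.1 network cache.)-->\r\n</BODY>\r\n"
)
# 2. What an un-hijacked origin might say to the same junk line (assumed banner).
ORIGIN_RESPONSE = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: Apache/1.3.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<HTML><BODY>Bad Request</BODY></HTML>\r\n"
)
# 3. A successful fetch served out of a cache's store: Via and Age present.
VIA_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Via: 1.0 dca1-wc2.atlas.digex.net\r\n"
    b"Age: 3600\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"stale quote\r\n"
)


if __name__ == "__main__":
    import sys
    v = probe(sys.argv[1]) if len(sys.argv) > 1 else classify(TS_RESPONSE)
    print("intercepted" if v.intercepted else "no intermediary seen",
          f"status {v.status}", *v.evidence, sep=" | ")
```

Run it with a hostname to probe a live path, or with no argument to classify the embedded Traffic Server sample. A negative result only means no marker was seen: a cache that hands junk straight through to the origin, or that strips its own headers, will not show up this way, so compare the verdict with a known-clean path (a nontransparent proxy you control, as Vixie suggests for T1 customers) before drawing conclusions.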
That's odd, they point you to a proxy in DC?!? I don't see any ports open besides some standard services. You'd think there'd be a port for the proxy or something...

-|super-g|-$ strobe !!$
strobe 165.117.17.251
strobe 1.04 (c) 1995-1997 Julian Assange (proff@suburbia.net).
165.117.17.251    22 ssh      Secure Shell - RSA encrypted rsh
                              -> SSH-1.5-1.2.22\n
165.117.17.251    25 smtp     Simple Mail Transfer [102,JBP]
                              -> 220 dca1-wc2.atlas.digex.net ESMTP Sendmail 8.8.8/8.8.5; Thu, 25 Jun 1998 21:02:46 -0400 (EDT)\r\n
165.117.17.251    37 time     Time [108,JBP]
                              -> \185=q\182
165.117.17.251    21 ftp      File Transfer [Control] [96,JBP]
                              -> 220 dca1-wc2 FTP server (Version wu-2.4(1) Tue Jun 18 14:54:28 EDT 1996) ready.\r\n
165.117.17.251    23 telnet   Telnet [112,JBP]
                              -> \255\253\24\255\253\31\255\253#\255\253'\255\253$

Charles

~~~~~~~~~                          ~~~~~~~~~~~
Charles Sprickman                  Internet Channel
INCH System Administration Team    (212)243-5200
spork@inch.com                     access@inch.com

On Thu, 25 Jun 1998, Jon Lewis wrote:
Date: Thu, 25 Jun 1998 20:36:13 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Paul Vixie <vixie@wisdom.rc.vix.com>
Cc: nanog@merit.edu
Subject: Re: backbone transparent proxy / connection hijacking
On 25 Jun 1998, Paul Vixie wrote:
I don't think Digex is using one of our boxes, and if they are using one of the "just run Inktomi software on a Solaris box and put an Alteon next to it" then there are going to be some weird little unspecified protocol violations that only Alteon, and a new protocol between Alteon and Inktomi,
The proxy we seem to be trapped with is:

REMOTE_HOST = dca1-wc2.atlas.digex.net
REMOTE_ADDR = 165.117.17.251

Trying 165.117.17.251...
Connected to 165.117.17.251.
Escape character is '^]'.
SunOS 5.6
login:
The Vixie Interceptor is really the only product on the market that handles this particular situation correctly - it is a fine product in that respect. Paul and his group worked through that issue with very fine detail. To the best of my knowledge Digex is using the Inktomi/Alteon solution.

On 25 Jun 1998, Paul Vixie wrote:
Odd. The box we used to sell through Mirror Image Internet has no problems reaching Cybercash's site -- though I'll admit that we had a lot of angry customers for a long time while we found all the weird little unspecified protocol violations that "just work" if no "hijacking" takes place.
I don't think Digex is using one of our boxes, and if they are using one of the "just run Inktomi software on a Solaris box and put an Alteon next to it" then there are going to be some weird little unspecified protocol violations that only Alteon, and a new protocol between Alteon and Inktomi, could fix. (Our box integrates forwarding and "hijacking" and this is why.)
<snip>
The box we built was designed for access providers -- you know, put 1,000 modems in a room and sell dialup accounts. It works fine in that context. And, dialup users are usually not terribly deep as technologists, and they are used to having their bits mutilated in the great cause of "overcommit."
While a T1 data rate would present no real problem, a T1 customer who would usually recognize what was happening to them AND care about it, *would* represent a problem. And besides, a T1 customer would probably be willing and able to use ICP or at least run their own local cache and point their browsers at it nontransparently.
-- I am nothing if not net-Q! - ras@poppa.clubrich.tiac.net
On Fri, 26 Jun 1998, Rich Sena wrote:
The Vixie Interceptor is really the only product on the market that handles this particular situation correctly - it is a fine product in that respect. Paul and his group worked through that issue with very fine detail.
Yet Rich, in the end all our production experience taught that if you err on the side of correctness even with extensive depth, contrary to many an assertion, using client side caching has limitations that exceed many customers' expectations for how much bandwidth can be avoided. Particularly those who see it as relatively cheap. The good news for the marketing folk is that Inktomi and Cisco are going to have a much slower uptake on that point.

--david
participants (8)
- ^Faust^
- Charles Sprickman
- David S. Holub
- Jon Lewis
- Karl Denninger
- Paul Vixie
- Randy Bush
- Rich Sena