Fwd: SlashDot: "Comcast Gunning for NAT Users"
I got this forwarded to me. I'm not impressed.

Based upon the general desire for providers to have NAT'ed users and to reduce IP-space usage where appropriate, does this make sense? I can understand the provider's desire to increase revenue, but I don't believe this is a good way to do it.

Besides the technical difficulties of detecting a household that is running a NAT'ed router, why not win over the customer with a low-cost extra IP address vs. the customer's one-time hardware cost for the router? There are people who would be willing to pay some amount monthly vs. (let's say) $100 for a NAT box.

Does anyone know what percentage of home broadband users run NAT? Does anyone have stats for IP addresses saved by using NAT?

Martin

------ Forwarded Message
From: Ward Clark <ward@joyofmacs.com>
Date: Sat, 26 Jan 2002 15:00:32 -0500
To: "NetTalk" <nettalk@sustworks.com>
Subject: SlashDot: "Comcast Gunning for NAT Users"

Today's MacInTouch links to a report that appeared in SlashDot on Thursday:

"A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access- whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. ... did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? ..."

Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.

There's a huge number of responses (691 at the moment), which I quickly scanned out of curiosity. I'm not a Comcast or Earthlink user.

You can start here: http://slashdot.org/articles/02/01/24/1957236.shtml

-- ward

-------------------- To unsubscribe <mailto:requests@sustworks.com> with message body "unsubscribe nettalk"

------ End of Forwarded Message
On Thu, 31 Jan 2002, Martin J. Levy wrote:
I got this forwarded to me. I'm not impressed.
Based upon the general desire for providers to have NAT'ed users and to reduce IP-space usage where appropriate, does this make sense? I can understand the providers desire to increase revenue, but I don't believe this is a good way to do it.
Slashdot, the tabloid of the tech world. I believe if you read through all the comments no one ever came up with any proof of this and reading through Comcast's AUP doesn't reveal this policy either. I think it was largely trollbait. andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Andy Walden <andy@tigerteam.net> writes:
... reading through Comcast's AUP doesn't reveal this policy either. I think it was largely trollbait.
Could be. But AT&T Broadband out here just resent its terms of service with the monthly bill, and stated that it's strictly prohibited to attach more than one device to the cable service. They reminded their customers that a second IP address is available for an extra $5/month. I suppose one could get lawyerly and argue that you *are* attaching a single device -- the NAT box -- to their network; other devices are merely attached to the NAT box. But I don't think that was their intent. Whether this pricing model is enforceable aside, it is also in direct conflict with the projection that some day soon, the refrigerator, the hot tub, the stove, the stereo, the room thermostat, the garage door opener, etc. will all be IP-addressable. I'll be damned if I'll spend an extra $5/month for my refrigerator to surf the web, and I'll bet I'm not alone :-). Jim Shankland
On Thu, 31 Jan 2002, Jim Shankland wrote:
opener, etc. will all be IP-addressable. I'll be damned if I'll spend an extra $5/month for my refrigerator to surf the web, and I'll bet I'm not alone :-).
Without rehashing the Slashdot discussion, no, I really don't think you are, and with the large market for home networking and steps people are taking toward security with NAT routers and personal firewalls, I think it would be an uphill battle to enforce a policy such as this. I guess we will see how it shakes out. andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Wow, 30 messages and counting from people merely speculating.... Andy Walden wrote:
Slashdot, the tabloid of the tech world. I believe if you read through all the comments no one ever came up with any proof of this and reading through Comcast's AUP doesn't reveal this policy either. I think it was largely trollbait.
Daniel Golding wrote:
Hmm. I doubt Comcast is actually doing this - they are far too busy actually trying to build a network,
Did anyone actually read the little black booklet that came with the recent Comcast installation CD? (I did.) The CD that came broken in several pieces? The CD that would have installed software to monitor your computer, which they claim they will only do during tech support sessions? The software that Comcast had to put out press releases not to install, because it crashed many computers, and instead you were supposed to download a new version (over your cable) before installation? The installation that had to be done sometime during 3 days at the end of December, despite the broken CD, and bad unnecessary software? And then, the SMTP servers were down, so you couldn't access/send email anyway (they blocked port 25 to keep us from sending directly). Besides, reports are that Apple Airports won't work with Comcast anymore.... So, I wouldn't be able to use my laptop. Anyway, I'm back to dialup. So much more reliable.... -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Thu, 31 Jan 2002 07:57:38 PST, "Martin J. Levy" <mahtin@mahtin.com> said:
Based upon the general desire for providers to have NAT'ed users and to reduce IP-space usage where appropriate, does this make sense? I can understand the providers desire to increase revenue, but I don't believe this is a good way to do it.
Which do you resemble more? Dilbert, or his pointy-haired boss? Which does the person who made this business decision resemble more? Yes, it sounds like a dumb idea, if it's true (which I haven't seen supported yet). -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Hmm. I doubt Comcast is actually doing this - they are far too busy actually trying to build a network, out of the ashes of the @home debacle. However, even if they were, there isn't really anything wrong with it. We scratch our heads, collectively, when a large broadband provider goes chapter 11, but then oppose a pricing model that might be profitable. Now, if a provider was refusing to provide extra IPs, then I could see the problem. However, if a provider is willing to provide extra IPs for something reasonable like $5/month, more power to them. There are several good reasons why they might want to ban NAT:

1 - When you come to the stadium, you can't bring in your own hot-dogs. It's the same sort of thing - the hot dogs are subsidizing the ticket price. In this case, extra fees for things like IP addresses and extra email boxes, are the concession items.

2 - Support issues - supporting a largely clue-challenged user base, is hard enough without people slapping linksys routers in, then expecting the ISP to, de facto, provide support. Anyone remember when the only supported router for UUNet ISDN lines was the Pipeline 50? This was to (in theory) enable supportability.

3 - NAT is wonderful, but we aren't running out of IP addresses that quickly, and NAT will break some applications. Large scale NAT is probably not the solution to future IP address exhaustion problems. Providers who do this are not being bad guys, because extra IP addresses cost less than the costs of supporting NAT boxes. If folks don't like this, they can become involved with ARIN and propose some bizarre price-support scheme for IP addresses, to encourage NAT, I suppose.

4 - This is, of course, an unenforceable policy (which is why I suspect it does not exist). However, it is very reasonable for a provider to refuse to support a customer with a NAT box, if the customer is buying a single user service.
One usage policy I would support: never again seeing the word "slashdot" in the subject line of a NANOG email :) - Daniel Golding
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Martin J. Levy Sent: Thursday, January 31, 2002 10:58 AM To: nanog@merit.edu Subject: Fwd: SlashDot: "Comcast Gunning for NAT Users"
At 12:15 PM 1/31/02, Daniel Golding wrote:
Hmm. I doubt Comcast is actually doing this - they are far too busy actually trying to build a network, out of the ashes of the @home debacle. However, even if they were, there isn't really anything wrong with it. We scratch our heads, collectively, when a large broadband provider goes chapter 11, but then oppose a pricing model that might be profitable. Now, if a provider was refusing to provide extra IPs, then I could see the problem. However, if a provider is willing to provide extra IPs for something reasonable like $5/month, more power to them. There are several good reasons why they might want to ban NAT:
1 - When you come to the stadium, you can't bring in your own hot-dogs. It's the same sort of thing - the hot dogs are subsidizing the ticket price. In this case, extra fees for things like IP addresses and extra email boxes, are the concession items.
2 - Support issues - supporting a largely clue-challenged user base, is hard enough without people slapping linksys routers in, then expecting the ISP to, de facto, provide support. Anyone remember when the only supported router for UUNet ISDN lines was the Pipeline 50? This was to (in theory) enable supportability
Especially considering the clue-challenged support departments at Cable ISPs, this is a legitimate problem. Newer Linksys and similar routers can spoof the MAC address of the PC that's behind them as a way to avoid having to tell the cable company about the new "computer." Connected backwards, the Linksys routers appear to merrily spoof the default gateway off the segment (i.e. most likely the first MAC address the box hears) and create lots of support headaches.
3 - NAT is wonderful, but we aren't running out of IP addresses that quickly, and NAT will break some applications. Large scale NAT is probably not the solution to future IP address exhaustion problems. Providers who do this are not being bad guys, because extra IP addresses cost less than the costs of supporting NAT boxes. If folks don't like this, they can become involved with ARIN and propose some bizarre price-support scheme for IP addresses, to encourage NAT, I suppose.
Well, NAT saves the cable company from having to route subnets. ATT Broadband in Massachusetts is now offering "business" service. Reading the fine print, they provide a NAT router, and say you can have up to 253 users behind it. Of course any apps that wouldn't work with NAT will not work. As such, clearly they DO support and/or allow such use of routers. Actually, they've been doing this for a long time. They supply cable service to many schools in the area, and those are all supported using NAT boxes.
4 - This is, of course, an unenforceable policy (which is why I suspect it does not exist). However, it is very reasonable for a provider to refuse to support a customer with a NAT box, if the customer is buying a single user service.
Support is one thing. Trying to detect the presence is another entirely. Wasting time, effort and money trying to track down users who're using "cable routers" is looney. ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
2 comments 1) when your primary machine is an XP/2K box running ICS, is that illegal also? Are we to expect comcast to come knocking at the door wanting to inspect the configuration of our PCs to see if it has 2 NICs, or a wireless card in it? Are we supposed to willingly just open up our PCs so comcast can look inside? 2) I heard recently of ppl openly sharing their broadband connection using 802.11 access points, Airports etc among friends, neighbors, coworkers. I can see where your DSL or cable company would be a little more concerned about losing revenue like this, over just 2 or 3 PCs sharing at one domestic location. jm
1/31/02 12:18:09 PM, Jon Mansey <jon@interpacket.net> wrote:
2) I heard recently of ppl openly sharing their broadband connection using 802.11 access points, Airports etc among friends, neighbors, coworkers. I can see where your DSL or cable company would be a little more concerned about losing revenue like this, over just 2 or 3 PCs sharing at one domestic location.
www.freenetworks.org The movement is quite large, and the implications of its continued growth are interesting. Perhaps this is the ultimate target? Community-owned networks are mildly free-riding for the time being. New DOCSIS specs give finer control on bandwidth usage which is more important than IP addresses. Comcast "hunting" NAT users - sounds like strong language, but I think the SlashDot reference has been pummeled enough. No residential SP should be burning support $$ for residential NAT, so a "public" policy of either charging for it or not supporting it sounds like good business to me. It's not very enforceable, so I'd be very surprised to see much money spent on this witch hunt. Marc (new to list)
On Thu, 31 Jan 2002, Marc Pierrat wrote:
It's not very enforceable, so I'd be very surprised to see much money spent on this witch hunt.
At least one provider has a fully staffed full time "anti-nat" division now. But will they burn more cash in the nat witch-hunt than they save? I also wonder about false positives. Watch the lawsuits fly as they mistakenly cut off non-nat customers. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Thu, 31 Jan 2002, Dan Hollis wrote:

> On Thu, 31 Jan 2002, Marc Pierrat wrote:
> > It's not very enforceable, so I'd be very surprised to see much money
> > spent on this witch hunt.
>
> At least one provider has a fully staffed full time "anti-nat" division
> now. But will they burn more cash in the nat witch-hunt than they save?
>
> I also wonder about false positives. Watch the lawsuits fly as they
> mistakenly cut off non-nat customers.
From a technical standpoint how does one detect NAT users over the network?
Keith
Keith Woodworth wrote:
From a technical standpoint how does one detect NAT users over the network?
You can't deterministically do so, but there are some telltale signs. NAT implementations (at least the ones I've seen) tend to choose very large port numbers (above 30,000) for the ports that they generate. Of course, this can happen without NAT. And it is possible to write NAT stacks that choose low-numbered ports (it's trivially easy to make this change in the Linux IPMASQ code, for instance.) Anybody who tries to detect NAT through these kinds of heuristic methods will end up with a lot of false positives and false negatives. And if it becomes a problem, the NAT implementors will simply alter their code to make it impossible to distinguish from a single host's traffic. -- David
On Thu, 31 Jan 2002, David Charlap wrote:

> Keith Woodworth wrote:
> >
> > From a technical standpoint how does one detect NAT users over the
> > network?
>
> You can't deterministically do so, but there are some telltale signs.
> NAT implementations (at least the ones I've seen) tend to choose very
> large port numbers (above 30,000) for the ports that they generate.

That was my understanding.

> Anybody who tries to detect NAT through these kinds of heuristic methods
> will end up with a lot of false positives and false negatives. And if
> it becomes a problem, the NAT implementors will simply alter their code
> to make it impossible to distinguish from a single host's traffic.

That's sort of what I thought. I've looked at some tcpdumps that are coming from a FreeBSD machine doing NAT a while ago to see what was in the packets exactly and I could not see how you could tell that box was doing NAT really. But I'm not completely proficient in deciphering packets so I may have missed something along the way.

Keith
how to identify non-host based devices:

1) check out mac-address ranges
2) count flows/ip to determine if this pattern appears to be legit. (this in theory could also be done to prevent file sharing systems that keep a large number of peer-to-peer connections)
3) port/ip based filtering

I suspect that for the people who went out and bought the linksys/other routers that want to link up their two home computers you will see a few that just say "hey, it's just another $5/mo and i don't have to worry about this device i got at frys/best buy/compusa/whatnot that i don't really understand".

there's [almost always] a way to beat any system.

I think they are just trying to reduce the support costs of people with these devices at a time when they are getting bad PR (at least here in MI) about the switchover from @home-> comcast. the uninitiated will blame comcast when it's their router/nat/whatnot unit.

- jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
At 05:02 PM 1/31/02, Jared Mauch wrote:
how to identify non-host based devices:
1) check out mac-address ranges
Many of the small boxes will spoof the MAC address of the PC behind them. They do this so that cable modem companies who track mac addresses don't need to be called to tell them. Of course you then have Linksys which makes both a NAT-box and LAN cards. So the MAC ranges are likely intermixed. On Cisco's, you can easily program any MAC address you want. ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
1) check out mac-address ranges 2) count flows/ip to determine if this pattern appears to be legit. (this in theory could also be done to prevent file sharing systems that keep a large number of peer-to-peer connections) 3) port/ip based filtering
4) TCP fingerprinting of flows. Not sure about all NAT implementations, but most seem to rewrite on the fly, not proxy (as would be sensible). Likewise, by watching sequence numbers, sack behavior, etc one could certainly recognize different strains of tcp stacks behind an address, and with practice determine multiple instances of the same strain. ..kg.. ObNoise. How would one construe whether it's proper for multiple logical partitions of a machine to fetch comcast nntp pr0n?
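Item 4 above, passive TCP stack fingerprinting, worked as an added example (my code, not anything posted by kg or anyone else on this thread). It groups the SYNs seen from one customer address by the stack-identifying fields of the initial segment (TTL bucket, window, MSS, window scale, SACK-permitted, timestamps, DF) and counts how many distinct stacks show up behind that address. The hop-distance check (initial TTL minus observed TTL) is my addition beyond kg's list; all records are constructed, the `Syn` field names are my own, and the two stack profiles are illustrative rather than attributed to any particular OS.

```python
"""Passive TCP SYN fingerprinting: how many distinct stacks sit behind one address?"""
from collections import Counter
from dataclasses import dataclass

# Common initial TTLs; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Syn:
    """Fields of one observed SYN (constructed record, not a capture format)."""
    src_ip: str
    ttl: int
    window: int
    mss: int
    wscale: int        # -1 when the window-scale option is absent
    sack_ok: bool
    timestamps: bool
    df: bool


def initial_ttl(ttl):
    for t in INITIAL_TTLS:
        if ttl <= t:
            return t
    return 255


def signature(s):
    """The stack signature: everything in the SYN that a NAT rewriting on the fly leaves alone."""
    return (initial_ttl(s.ttl), s.window, s.mss, s.wscale, s.sack_ok, s.timestamps, s.df)


def hop_distance(s):
    """Hops between the sender and the observation point; a customer router adds one."""
    return initial_ttl(s.ttl) - s.ttl


def profile(syns):
    """Per source IP: a Counter of signatures seen and the set of hop distances."""
    out = {}
    for s in syns:
        entry = out.setdefault(s.src_ip, {"signatures": Counter(), "hops": set()})
        entry["signatures"][signature(s)] += 1
        entry["hops"].add(hop_distance(s))
    return out


def distinct_stacks(syns, ip):
    return len(profile(syns)[ip]["signatures"])


def min_hops(syns, ip):
    return min(profile(syns)[ip]["hops"])


# Two constructed stack profiles (illustrative, not tied to a named OS).
STACK_A = dict(ttl=128, window=16384, mss=1460, wscale=-1, sack_ok=True, timestamps=False, df=True)
STACK_B = dict(ttl=64, window=5840, mss=1460, wscale=0, sack_ok=True, timestamps=True, df=True)


def behind_router(fields):
    """Same stack one hop further away: the customer's router decremented the TTL."""
    return dict(fields, ttl=fields["ttl"] - 1)


# Constructed observations at the provider edge (addresses from the documentation range).
SAMPLE_SYNS = (
    [Syn("198.51.100.7", **STACK_A) for _ in range(5)]                   # one PC, directly attached
    + [Syn("198.51.100.9", **behind_router(STACK_A)) for _ in range(3)]
    + [Syn("198.51.100.9", **behind_router(STACK_B)) for _ in range(3)]  # two different stacks behind one NAT
    + [Syn("198.51.100.11", **behind_router(STACK_A)) for _ in range(6)] # two identical PCs behind one NAT
)

if __name__ == "__main__":
    for ip, p in sorted(profile(SAMPLE_SYNS).items()):
        print(f"{ip:15} stacks={len(p['signatures'])} hops={sorted(p['hops'])}")
```

The third address is the point kg makes about "multiple instances of the same strain": two identical machines behind one NAT yield exactly one signature, so this metric alone reports a single host, and the hop distance of 1 is equally consistent with one PC behind a non-NAT router. Separating same-stack instances would need per-flow state (timestamp clocks, sequence-number progressions), which this block does not attempt.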
Keith Woodworth wrote:
On Thu, 31 Jan 2002, Dan Hollis wrote:
> On Thu, 31 Jan 2002, Marc Pierrat wrote:
> > It's not very enforceable, so I'd be very surprised to see much money
> > spent on this witch hunt.
>
> At least one provider has a fully staffed full time "anti-nat" division
> now. But will they burn more cash in the nat witch-hunt than they save?
>
> I also wonder about false positives. Watch the lawsuits fly as they
> mistakenly cut off non-nat customers.
From a technical standpoint how does one detect NAT users over the network?
Informants wherever Linksys routers are sold.
Keith
-- Paul A. Bradford pbradford@adelphia.net
On Thu, 31 Jan 2002, Marc Pierrat wrote:
It's not very enforceable, so I'd be very surprised to see much money spent on this witch hunt.
At least one provider has a fully staffed full time "anti-nat" divison now. But will they burn more cash in the nat witch-hunt than they save?
I also wonder about false positives. Watch the lawsuits fly as they mistakenly cutoff non-nat customers.
assuming that they pull the plug prior to warning the accused offender of the problem. They'd get no false positive from me, that's for sure ;-) Guilty as charged here. _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Hmm, how can they prove it to _any_ court? They have no right to come in and look around. ----- Original Message ----- From: "Dan Hollis" <goemon@anime.net> To: "Marc Pierrat" <marc@sunchar.com> Cc: "Martin J. Levy" <mahtin@mahtin.com>; "Jon Mansey" <jon@interpacket.net>; <nanog@merit.edu> Sent: Thursday, January 31, 2002 1:27 PM Subject: Re: SlashDot: "Comcast Gunning for NAT Users"
On Thu, 31 Jan 2002, Alexei Roudnev wrote:
Hmm, how can they prove it to _any_ court? They have no right to come in and look around.
software companies tried such tactics with their software licenses, quite recently. i wouldn't be surprised if cable operators claim such rights in their TOS. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
> Besides the technical difficulties of detecting a household that is
> running a NAT...

Can you think of a way of doing it reliably? Anything that provides anything more than a guess?

-Bill
--On 01/31/2002 10:05:34 AM -0800 Bill Woodcock wrote:
> Besides the technical difficulties of detecting a household that is
> running a NAT...
Can you think of a way of doing it reliably? Anything that provides anything more than a guess?
-Bill
You could look for systems that seem to have some level of security, and assume they must have a router with filtering fronting them. :-) jerry
At 10:05 AM 1/31/02 -0800, Bill Woodcock wrote:
> Besides the technical difficulties of detecting a household that is
> running a NAT...
Can you think of a way of doing it reliably? Anything that provides anything more than a guess?
How about sniffing the packets going into the Carnivore box? Maybe there's no Carnivore box and the ISPs are providing the Feds with the data from their own logs. Now put a price tag on the cost of doing that and wince. Now find a cost-recovery option for acquiring that data in the first place (like $5 per month per machine using NAT). Best Regards, Simon -- ###
"Bill Woodcock" <woody@zocalo.net> wrote:
> Besides the technical difficulties of detecting a household that is
> running a NAT...
Can you think of a way of doing it reliably? Anything that provides anything more than a guess?
Several ways:

Comcast has a mail server, they could poke at the HELO banners and other identifiers.

HTTP proxies indicating that multiple browsers are in use, especially if multiple platforms (Win95, WinXP, as simple test).

More than ~4 simultaneous TCP connections open at once.

None of those would be bothered by firewalls or other legitimate devices, and would probably all be within a legally-defensible purview of ~analysis.

As to whether or not Comcast does any of this, I do not know. My brother has a friend who was a 2nd level tech with @Home, and he says they did it, so I would not be surprised that Comcast would also.

The thing is that Comcast is trying to make money by selling ~consumer Internet access, and they have a perception problem with shared access (PacBell used to run great "bandwidth hog!" ads). They don't want people using more pipe than ~consumer access would normally imply. This is hard because they are selling bandwidth ("watch video") so they can't really cap the downloads, and they are selling always-on so they can't measure by time conveniently either. So they try to get the "bandwidth hogs" through contractual means. Comcast prohibits VPNs, and prohibits ~"attaching to another network", as examples. If you use too much bandwidth, they will use these to drop your service.

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
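Eric's second signal, a proxy log showing several client platforms behind one address, worked as an added example (my code, not Eric's or any provider's). It parses constructed proxy log lines, maps each User-Agent to a platform label with a small substring table, and flags addresses that show two or more platforms; it deliberately does not flag on browser count alone, because one PC running two browsers is the obvious false positive. The log format, the addresses and the `PLATFORM_MARKERS` table are all assumptions made for the illustration.

```python
"""Flag customer addresses whose HTTP traffic shows several client platforms."""
import re
from collections import defaultdict

# Constructed proxy log lines (not from any real proxy): client, date, request, status, User-Agent.
SAMPLE_LOG = """\
198.51.100.7 - [31/Jan/2002:10:05:00 -0500] "GET http://example.com/ HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - [31/Jan/2002:10:05:02 -0500] "GET http://example.com/a.gif HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - [31/Jan/2002:10:06:10 -0500] "GET http://example.com/ HTTP/1.0" 200 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
198.51.100.9 - [31/Jan/2002:10:06:40 -0500] "GET http://example.org/ HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2"
198.51.100.11 - [31/Jan/2002:10:07:00 -0500] "GET http://example.com/ HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.11 - [31/Jan/2002:10:07:30 -0500] "GET http://example.net/ HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2"
198.51.100.13 - [31/Jan/2002:10:08:00 -0500] "GET http://example.com/ HTTP/1.1" 200 "-"
"""

# client ip, ident, [timestamp], "request", status, "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \[[^\]]+\] "[^"]*" (\d+) "([^"]*)"$')

# Ordered so the more specific "Windows NT 5.x" markers are tried before the generic ones.
PLATFORM_MARKERS = (
    ("Windows NT 5.1", "WinXP"),
    ("Windows NT 5.0", "Win2000"),
    ("Windows 98", "Win98"),
    ("Windows 95", "Win95"),
    ("Macintosh", "Mac"),
    ("Linux", "Linux"),
)


def platform_of(user_agent):
    for marker, label in PLATFORM_MARKERS:
        if marker in user_agent:
            return label
    return "unknown"


def parse(log_text):
    """Yield (client_ip, user_agent) per well-formed line; malformed lines are skipped, not guessed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _status, ua = m.groups()
        yield ip, ua


def profile_clients(log_text):
    """Per client: the distinct User-Agent strings and the distinct platforms they imply."""
    clients = defaultdict(lambda: {"agents": set(), "platforms": set()})
    for ip, ua in parse(log_text):
        if ua == "-":          # no User-Agent header sent: nothing to learn from this line
            continue
        clients[ip]["agents"].add(ua)
        clients[ip]["platforms"].add(platform_of(ua))
    return dict(clients)


def flag_multi_platform(log_text, min_platforms=2):
    """Addresses showing at least `min_platforms` distinct platforms (browser count is ignored)."""
    prof = profile_clients(log_text)
    return sorted(ip for ip, p in prof.items() if len(p["platforms"]) >= min_platforms)


if __name__ == "__main__":
    for ip, p in sorted(profile_clients(SAMPLE_LOG).items()):
        print(f"{ip:15} agents={len(p['agents'])} platforms={sorted(p['platforms'])}")
    print("flagged:", flag_multi_platform(SAMPLE_LOG))
```

On the sample, only 198.51.100.9 (a Windows 95 browser and a Mac browser in the same window) is flagged; 198.51.100.11 shows two browsers but one platform and is left alone. The caveats are the ones the thread raises: a dual-boot PC or a user who changes the User-Agent string produces a false positive, an all-Windows-XP household a false negative, and a client sending no User-Agent at all (198.51.100.13) contributes nothing either way.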
Dan Hollis wrote:
On Thu, 31 Jan 2002, Eric A. Hall wrote:
More than ~4 simultaneous TCP connections open at once.
False positives galore...
Then use six or eight or 20000 or whatever number is above the 90% false positive threshold -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Date: Thu, 31 Jan 2002 16:34:21 -0600 From: Eric A. Hall <ehall@ehsco.com>
Then use six or eight or 20000 or whatever number is above the 90% false positive threshold
Which requires accurate correlation between number of sessions and shared connections. Still false positives, or false negatives galore... If one assumes a 10% duty cycle for someone casually browsing the Web using HTTP/1.1, many of those users could share a single physical connection with only a few open TCP connections. Eddy Brotsman & Dreger, Inc. - EverQuick Internet Division Phone: +1 (316) 794-8922 Wichita/(Inter)national Phone: +1 (785) 865-5885 Lawrence -- Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
On Thu, 31 Jan 2002, Eric A. Hall wrote:
Dan Hollis wrote:
On Thu, 31 Jan 2002, Eric A. Hall wrote:
More than ~4 simultaneous TCP connections open at once.
False positives galore...
Then use six or eight or 20000 or whatever number is above the 90% false positive threshold
the unix box I'm sitting on, which isn't natted, and isn't serving anything, lists 133 open tcp connections.
-- -------------------------------------------------------------------------- Joel Jaeggli Academic User Services joelja@darkwing.uoregon.edu -- PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -- The accumulation of all powers, legislative, executive, and judiciary, in the same hands, whether of one, a few, or many, and whether hereditary, selfappointed, or elective, may justly be pronounced the very definition of tyranny. - James Madison, Federalist Papers 47 - Feb 1, 1788
Joel Jaeggli wrote:
the unix box I'm sitting on, which isn't natted, and isn't serving anything, lists 133 open tcp connections.
One would hope that a single metric would not be the basis for a termination. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, 31 Jan 2002, Eric A. Hall wrote:
Joel Jaeggli wrote:
the unix box I'm sitting on, which isn't natted, and isn't serving anything, lists 133 open tcp connections.

One would hope that a single metric would not be the basis for a termination.
We are talking about cable companies here. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
One can hope all one wants, but I have had the misfortune to sit on my town's cable advisory board and I can assure you that these guys are abysmally ignorant on nearly everything (no experience with ComCast, just Time-Warner, Cox, and MediaOne). And they are arrogant to boot. David Leonard ShaysNet On Thu, 31 Jan 2002, Eric A. Hall wrote:
Joel Jaeggli wrote:
the unix box I'm sitting on, which isn't natted, and isn't serving anything, lists 133 open tcp connections.
One would hope that a single metric would not be the basis for a termination.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, 31 Jan 2002, Eric A. Hall wrote:
the unix box I'm sitting on, which isn't natted, and isn't serving anything, lists 133 open tcp connections.
One would hope that a single metric would not be the basis for a termination.
One would hope that *that* metric wouldn't be involved. I routinely could have a couple ssh clients, an ftp client and one or two web browsers open... 2 x ssh = 2 tcp connections. 1 x ftp = 2 tcp connections, 1 command and 1 data. 1 x browser = potentially several connections, depending on how much content there is on the page I'm viewing. -- JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216 website: http://JustThe.net email: sjsobol@JustThe.net phone: 216.619.2NET postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2
On Thu, 31 Jan 2002, Steven J. Sobol wrote:
2 x ssh = 2 tcp connections. 1 x ftp = 2 tcp connections, 1 command and 1 data. 1 x browser = potentially several connections, depending on how much content there is on the page I'm viewing.
The question I have is, by the letter of the terms, is running ssh a 'VPN'? Or if I use a VPN client to connect to my datacenters from home? Or is it you 'hosting' a VPN?
On Thu, 31 Jan 2002, Todd Suiter wrote:
The question I have is, by the letter of the terms, is running ssh a 'VPN'? Or if I use a VPN client to connect to my datacenters from home? Or is it you 'hosting' a VPN?
For my purposes, no. I don't do port forwarding. Although if you REALLY want to stretch the definition of a VPN you could still say I was running a VPN. I suppose if you wanted to stretch the definition, you could also say I'm running a VPN if I'm doing port forwarding... -- JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216 website: http://JustThe.net email: sjsobol@JustThe.net phone: 216.619.2NET postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2
I'm not sure how I got put into the position of defending their possible practices. I've already said that looking for NATs as a practice isn't a good idea.
I suggest that people read the following (they seem to be cut-n-pasted from the @Home agreements, BTW):
http://www.comcast.net/TermsofService/aup.asp
Bandwidth, Data Storage and Other Limitations
Users must ensure that their activity does not improperly restrict, inhibit, or degrade any other user's use of the Services, nor represent (in the sole judgment of Comcast High-Speed Internet Service) an unusually large burden on the network itself.
[What's an "unusually large burden" (in Comcast's sole opinion)?]
The Comcast High-Speed Internet Service residential service offering is a
consumer product designed for your personal use of the Internet.
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Violation of Acceptable Use Policy
Comcast High-Speed Internet Service does not routinely monitor the activity of accounts for violation of this Policy. However, in our efforts to promote good citizenship within the Internet community, we will respond appropriately if we become aware of inappropriate use of our Services.
http://www.comcast.net/TermsofService/subagree.asp
6. PROHIBITED USES OF THE SERVICE
viii ...
THE SERVICE IS TO BE USED SOLELY IN A PRIVATE RESIDENCE; LIVING QUARTERS IN A HOTEL, HOSPITAL, DORM, SORORITY OR FRATERNITY HOUSE, OR BOARDING HOUSE; OR THE RESIDENTIAL PORTION OF A PREMISES WHICH IS USED FOR BOTH BUSINESS AND RESIDENTIAL PURPOSES.
[I'm in violation on that, since I have it feeding into my lab]
THE SERVICE IS FOR PERSONAL AND NON-COMMERCIAL USE ONLY AND CUSTOMER AGREES NOT TO USE THE SERVICE FOR [...] ANY BUSINESS ENTERPRISE, OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;
| "Steven J. Sobol" wrote:
| > 2 x ssh = 2 tcp connections.
So Steven would be in violation of that, unless he were using SSH to access a MUD. :p
The point is that they do not want people using it for anything other than consumer-oriented Internet access. There are ways to cast a net and catch such fish. Yes, every system can be fooled, and every fool has a system. If you show up on their radar, chances are that they can still yank you for something else even if the first filter proves false.
It's also interesting that NATs are not explicitly mentioned in either of the above specifications, and I saw no reference anywhere else on their web site (not that it matters; violation is within their discretion).
http://www.comcastonline.com/FAQsList.asp?.=.&FAQCategoryID=2#15
Can I use the service on more than one computer?
Yes, customers with home networks may order additional network addresses in order to connect several computers to the service through one cable modem.
You must first subscribe to the basic Comcast High-Speed Internet Service.
Once you become a subscriber, you can sign up for a second and third address.
You will need to have access to network expertise because Comcast High-Speed Internet Service neither installs nor supports networks.
The cost is $6.95 per month for each additional outlet. Customers can have two additional addresses, for a total of three.
Comcast will install the network card and software on a second and third computer for a charge of $49 for each computer.
http://www.comcastonline.com/howmuch.asp?.=.
additional IP addresses "$6.95 - 9.95/each"
As far as I can tell, using a NAT is permitted. Running a server, staying connected to corporate mail systems 24x7, and doing other non-consumer stuff is still the only thing forbidden.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
"Eric A. Hall" wrote:
I'm not sure how I got put into the position of defending their possible practices. I've already said that looking for NATs as a practice isn't a good idea.
Sorry 'bout that.
THE SERVICE IS FOR PERSONAL AND NON-COMMERCIAL USE ONLY AND CUSTOMER AGREES NOT TO USE THE SERVICE FOR [...] ANY BUSINESS ENTERPRISE, OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;
Here's their out against NATs. They are prohibiting use "as an end-point of a non-comcast local area network". So, if you have a LAN, and you didn't purchase each and every IP address from Comcast (presumably also the one for your printer, and any other non-public devices you may have), then you're in violation. They want to be in total control of your home LAN or they'll cry to mother, take their ball and go home. -- David
On Fri, 01 Feb 2002 10:38:24 EST, David Charlap <David.Charlap@marconi.com> said:
Here's their out against NATs. They are prohibiting use "as an end-point of a non-comcast local area network".
Ahh... but the box doing the NAT isn't an end-point, it's a router. ;) And if they want to argue "but it's also an endpoint for a LAN", they'll have to figure out how that's any different than a USB or FireWire setup (after all, those *are* networks too, if you think about it....) RFC2734 IPv4 over IEEE 1394. P. Johansson. December 1999. (Format: TXT=69314 bytes) (Status: PROPOSED STANDARD) Slippery slope there..... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Friday, February 01, 2002, Valdis.Kletnieks@vt.edu wrote:
RFC2734 IPv4 over IEEE 1394. P. Johansson. December 1999. (Format: TXT=69314 bytes) (Status: PROPOSED STANDARD)
Better yet: use RFC1149 or 2549 which adds QoS... just think of the possibilities.
On Fri, Feb 01, 2002 at 11:17:56AM -0500, Valdis.Kletnieks@vt.edu wrote:
RFC2734 IPv4 over IEEE 1394. P. Johansson. December 1999. (Format: TXT=69314 bytes) (Status: PROPOSED STANDARD)
Slippery slope there.....
Of course, there's also the cable modems that connect to the PC via USB, does that make USB keyboards, mouses, speakers, printers and scanners, etc. part of a non-comcast local area network?
-- Matthew S. Hallacy CACU, PWGCS, and BOFH Certified http://techmonkeys.org/~poptix GPG public key 0x01938203
On Mon, 04 Feb 2002 17:21:25 CST, "Matthew S. Hallacy" said:
Of course, there's also the cable modems that connect to the PC via USB, does that make USB keyboards, mouses, speakers, printers and scanners, etc. part of a non-comcast local area network?
I couldn't find an IP-over-USB RFC when I was writing that. ;)
While most ISPs really don't care if folks use a VPN, there is a reason for this inclusion in the T&C's. When a service provider is trying to sell 500 accounts to an enterprise, for VPN connectivity, they want to be able to charge more. There are also support issues, which include the nightmarish scenario of a user calling Tech Support, wanting assistance setting up or using their corporate VPN client. To say that this is beyond the skills of the average Tech Support staffer is an understatement. And, of course, it's not his job to help a user do this. The other interesting part of this is that the Comcast T&C's DON'T mention NAT, and it looks like they don't have a "NAT POLICE" group, scouting for violators on their network. I'm sure this is a crushing blow to the tinfoil-hat wearing set on NANOG, but it shouldn't be a surprise, except to those who spend their free time reading slashdot, and cursing the "forces of corporate evil" who are looking to confiscate their linksys NAT boxes. :) - Daniel Golding
On Fri, 1 Feb 2002, Daniel Golding wrote:
The other interesting part of this is that the Comcast T&C's DON'T mention NAT, and it looks like they don't have a "NAT POLICE" group, scouting for violators on their network.
So phillymjs is a liar? http://slashdot.org/article.pl?sid=02/01/24/1957236&mode=thread -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
"Eric A. Hall" wrote:
If you use too much bandwidth, they will [] drop your service.
ps--the original message sounds like they have gone beyond hunting down the people running warez servers and the like, and have gone into an aggressive mode of pursuing anybody with a NAT regardless of their utilization. I have no idea if that is true. I don't think it would be a smart move on their part but that probably doesn't enter the equation. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
You know, if I had a cable modem I would have some sort of firewall router just to preserve my peace of mind. I might even run NAT on the LAN side. So the question is this: can a customer use a firewall for *one* computer? If so, how can the cableco determine whether there is a single computer or two computers or more behind a firewall? I really don't think they can except in cases of egregious abuse. David Leonard ShaysNet
Indeed, I DO have a Linksys for just that reason, in fact it's a 1 wan/1 lan version... 'Course, it's plugged into a switch, that has an airport attached as well but... I have been, and am constantly probed for just about everything under the, er, sun. Considering the amount of people out there who have less than a full allotment of clue for these types of things, the larger issue is the OS vendors should probably make an effort to not turn on every less-than-secure service out of the box on a default install. But that's probably off topic... Having some sort of firewall is a good start, though not a complete solution. The comcasts of the world are only going to hurt themselves more if they continue to make a huge stink out of this. (Yes, I know a fw!=NAT, but do you think the vendor will make that distinction?) toddler (ps yes, at times I think using a computer on the internet should require a license) On Thu, 31 Jan 2002, M. David Leonard wrote:
You know, if I had a cable modem I would have some sort of firewall router just to preserve my peace of mind. I might even run NAT on the LAN side. So the question is this: can a customer use a firewall for *one* computer? If so, how can the cableco determine whether there is a single computer or two computers or more behind a firewall? I really don't think they can except in cases of egregious abuse.
David Leonard ShaysNet
Date: Thu, 31 Jan 2002 16:09:47 -0600 From: Eric A. Hall <ehall@ehsco.com>
(Put "SlashDot" in the title, and the thread suffers the effect...)
"Bill Woodcock" <woody@zocalo.net> wrote:
Can you think of a way of doing it reliably? Anything that provides anything more than a guess?
Several ways:
Comcast has a mail server, they could poke at the HELO banners and other identifiers.
Can be overridden by an SMTP proxy. Relay the message, drop the old "Received:" lines, and perhaps mutate the message ID.
HTTP proxies indicating that multiple browsers are in use, especially if multiple platforms (Win95, WinXP, as simple test)
Can also be overriden by Squid, among others.
More than ~4 simultaneous TCP connections open at once.
I'm known to download four or five large tarballs, run a couple rsync sessions, and browse the Web with multiple browser windows... all simultaneously.
None of those would be bothered by firewalls or other legitimate devices, and would probably all be within a legally-defensible purview of ~analysis.
Perhaps... but false negatives and positives alike are trivial. [ snip ]
This is hard because they are selling bandwidth ("watch video") so they can't really cap the downloads, and they are selling always-on so they can't measure by time conveniently either. So they try to get the "bandwidth hogs" through contractual means. Comcast prohibits VPNs, and prohibits ~"attaching to another network", as examples. If you use too much bandwidth, they will use these to drop your service.
There it is... how many bits is the customer actually moving? As for the person who mentioned modifying Linux IP code to alter the port range... it's a simple set of sysctl tunables in BSD (at least FreeBSD). Eddy Brotsman & Dreger, Inc. - EverQuick Internet Division
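The SMTP-proxy countermeasure Eddy describes a few lines up (relay the message, drop the old "Received:" lines, mutate the Message-ID), written out as an added example; it is not code from the original thread. It is stdlib Python only. The relay name mailhost.example and the sample message are constructed for the example, and the RFC 1918 address check is an assumed sanity test rather than anything the thread specifies:

```python
"""Header scrubbing for a local SMTP relay.

Added example for the thread: a relay that re-submits LAN clients' mail to
the ISP's server under its own name must strip the trace headers that
would otherwise name the inside host. Stdlib only; the relay name and
the sample message are constructed for the example.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import make_msgid

RELAY_DOMAIN = "mailhost.example"   # assumed name the relay announces in HELO

# Assumed sanity check: RFC 1918 addresses have no business in outbound headers.
PRIVATE_ADDR = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)

# Headers mail clients fill in with the local hostname, address or software.
CLIENT_TRACE_HEADERS = ("Received", "X-Originating-IP", "X-Mailer", "User-Agent")


def parse(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 822 message with the modern (EmailMessage) policy."""
    return message_from_bytes(raw, policy=policy.default)


def private_address_leaks(msg: EmailMessage) -> list:
    """Names of headers whose value contains an RFC 1918 address."""
    return [name for name, value in msg.items() if PRIVATE_ADDR.search(str(value))]


def scrub(raw: bytes) -> EmailMessage:
    """Return the message with client trace headers removed and a fresh Message-ID."""
    msg = parse(raw)
    for name in CLIENT_TRACE_HEADERS:
        del msg[name]            # deletes every occurrence of that header
    # Clients often embed their own hostname in the Message-ID; mint a new
    # one under the relay's domain instead.
    del msg["Message-ID"]
    msg["Message-ID"] = make_msgid(domain=RELAY_DOMAIN)
    return msg


# Constructed sample: what a LAN client handed to the relay (not captured data).
SAMPLE = b"""\
Received: from winbox (winbox.lan [192.168.1.5]) by relay.lan with SMTP; Thu, 31 Jan 2002 10:00:00 -0600
Message-ID: <3C599A1B.4C0E1A8@winbox.lan>
X-Mailer: Netscape Communicator
From: user@yahoo.com
To: nettalk@sustworks.com
Subject: test

hello
"""

if __name__ == "__main__":
    print("before:", private_address_leaks(parse(SAMPLE)))
    cleaned = scrub(SAMPLE)
    print("after: ", private_address_leaks(cleaned))
    print(cleaned.as_string())
```

The relay's own HELO is set when the scrubbed message is handed upstream, e.g. smtplib.SMTP(isp_host, local_hostname=RELAY_DOMAIN).send_message(scrub(raw)); the ISP's server then records only the hop from the relay. This only removes what the client put in the headers; it does nothing about the traffic-level signals (connection counts, source port ranges) discussed elsewhere in the thread.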
On Thu, Jan 31, 2002 at 10:40:10PM +0000, E.B. Dreger wrote:
This is hard because they are selling bandwidth ("watch video") so they can't really cap the downloads, and they are selling always-on so they can't measure by time conveniently either. So they try to get the "bandwidth hogs" through contractual means. Comcast prohibits VPNs, and prohibits ~"attaching to another network", as examples. If you use too much bandwidth, they will use these to drop your service.
There it is... how many bits is the customer actually moving?
As for the person who mentioned modifying Linux IP code to alter the port range... it's a simple set of sysctl tunables in BSD (at least FreeBSD).
And it just came to my mind, a Solaris machine uses by default high port numbers to open TCP connections: root@backup:~[15] > ndd /dev/tcp tcp_smallest_anon_port 32768 That setting determines which port number it uses to open outbound connections from what I know. -- Regards, Ulf. --------------------------------------------------------------------- Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204 You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
"Eric A. Hall" wrote:
Comcast has a mail server, they could poke at the HELO banners and other identifiers.
Won't work. Mail clients (like Netscape) often announce a domain in HELO that is derived from the From: address. For instance, my copy at home announces "HELO yahoo.com", because my return address is an @yahoo.com. They do not generally announce raw IP addresses, so you're not going to see any private address space.
HTTP proxies indicating that multiple browsers are in use, especially if multiple platforms (Win95, WinXP, as simple test)
Also unreliable. I regularly run two different browsers at a time on one computer. Sometimes three (Netscape, IE, Mozilla). As for multiple platforms, my home PC can boot into three different operating systems. Also, Mac users can run Virtual PC and run several different OS's at once. None of which are in violation of any ISP's TOS.
More than ~4 simultaneous TCP connections open at once.
I often have several dozen connections at once on a single computer. Like when I'm fetching RedHat updates from their FTP server. Your rules would boot off 90% of the power users on the network, leaving behind only the clueless idiots. Maybe that's OK for you, but I think that would greatly increase the tech-support costs per customer.
None of those would be bothered by firewalls or other legitimate devices, and would probably all be within a legally-defensible purview of ~analysis.
And they would generate tons of false positives.
The thing is that Comcast is trying to make money by selling ~consumer Internet access, and they have a perception problem with shared access (PacBell used to run great "bandwidth hog!" ads). They don't want people using more pipe than ~consumer access would normally imply.
That's what rate limiting is for. If people are chewing up too much bandwidth, then figure out what they are entitled to under their contract, and rate-limit them to that amount when the network gets congested. The number of computers behind a single IP address has no relationship whatsoever to the amount of bandwidth consumed at a given time. -- David
OK. I am running VMWare and run virtual machine on my PC; is it 2 computers or 1 computer? There is not ANY sharp boundary between 1 computer and many computers -:). It can be less that 1 computer, 1.0 computer, 1.02 computer and so on -:)... ----- Original Message ----- From: "Eric A. Hall" <ehall@ehsco.com> To: "Bill Woodcock" <woody@zocalo.net>; "Martin J. Levy" <mahtin@mahtin.com> Cc: <nanog@merit.edu> Sent: Thursday, January 31, 2002 2:09 PM Subject: Re: Fwd: SlashDot: "Comcast Gunning for NAT Users"
"Bill Woodcock" <woody@zocalo.net> wrote:
> Besides the technical difficulties of detecting a household that is > running a NAT...
Can you think of a way of doing it reliably? Anything that provides anything more than a guess?
Several ways:
Comcast has a mail server, they could poke at the HELO banners and other identifiers.
HTTP proxies indicating that multiple browsers are in use, especially if multiple platforms (Win95, WinXP, as simple test)
More than ~4 simultaneous TCP connections open at once.
None of those would be bothered by firewalls or other legitimate devices, and would probably all be within a legally-defensible purview of ~analysis.
As to whether or not Comcast does any of this, I do not know. My brother has a friend who was a 2nd level tech with @Home, and he says they did it, so I would not be surprised that Comcast would also.
The thing is that Comcast is trying to make money by selling ~consumer Internet access, and they have a perception problem with shared access (PacBell used to run great "bandwidth hog!" ads). They don't want people using more pipe than ~consumer access would normally imply.
This is hard because they are selling bandwidth ("watch video") so they can't really cap the downloads, and they are selling always-on so they can't measure by time conveniently either. So they try to get the "bandwidth hogs" through contractual means. Comcast prohibits VPNs, and prohibits ~"attaching to another network", as examples. If you use too much bandwidth, they will use these to drop your service.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
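Eric's three heuristics above (HELO banners and other identifiers, multi-platform User-Agents, simultaneous TCP connection count), plus the source-port-range point from Eddy and Ulf and the CPE MAC/OUI idea Chris raises later in the thread, as an added example in Python that is not from the original thread or from any ISP. The subscriber records and the OUI table are constructed for the example (the OUI prefixes are placeholders, not a verified vendor registry), and the port-range boundaries are the ones the thread mentions (1024 and 32768) rather than a measured fingerprint. What it shows is the objection Joel, David and Chris make: the single-metric policy flags an un-NATed busy host, and even a multi-indicator policy flags a dual-boot PC.

```python
"""Passive NAT inference from per-subscriber traffic observations.

Added example for the thread, not code from any ISP. Each heuristic is one
the discussion names; the records below are constructed to show where
they misfire.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed OUI table (first three octets -> label). The prefixes are
# placeholders for the example, not a verified vendor registry.
NAT_CPE_OUIS: Dict[str, str] = {
    "00:04:5A": "consumer NAT router (assumed)",
    "00:06:25": "consumer NAT router (assumed)",
}


@dataclass
class Subscriber:
    ip: str                 # public address the ISP handed out
    ua_os: Set[str]         # OS families parsed from HTTP User-Agent headers
    peak_tcp: int           # peak simultaneous TCP connections seen at the headend
    src_ports: List[int]    # ephemeral source ports of outbound SYNs
    cpe_mac: str            # MAC of the device plugged into the cable modem (from DHCP)


def port_families(ports: List[int]) -> Set[str]:
    """Group ephemeral source ports by the range a TCP stack allocates from.

    Stacks of the era differed: classic Windows allocated just above 1024,
    Solaris started at tcp_smallest_anon_port (32768 by default, as noted in
    the thread), and the BSD/Linux ranges are sysctl-tunable. One host
    normally shows one family; a NAT that keeps the inside host's source
    port when it is free can show several.
    """
    families = set()
    for p in ports:
        if 1024 <= p < 5000:
            families.add("low-1024")
        elif p >= 32768:
            families.add("high-32768")
        else:
            families.add("other")
    return families


def nat_indicators(s: Subscriber, tcp_threshold: int = 4) -> Dict[str, bool]:
    """Evaluate each heuristic from the thread independently."""
    return {
        "multi_os_user_agents": len(s.ua_os) > 1,
        "tcp_over_threshold": s.peak_tcp > tcp_threshold,
        "mixed_port_ranges": len(port_families(s.src_ports)) > 1,
        "nat_cpe_oui": s.cpe_mac.upper()[:8] in NAT_CPE_OUIS,
    }


def verdict(s: Subscriber, tcp_threshold: int = 4, min_indicators: int = 2) -> bool:
    """Flag the subscriber when at least min_indicators heuristics fire."""
    return sum(nat_indicators(s, tcp_threshold).values()) >= min_indicators


# Constructed records (sample input, not captured data).
SAMPLES: Dict[str, Subscriber] = {
    # Household behind a consumer NAT: two OSes, modest concurrency, two port families.
    "nat_household": Subscriber("203.0.113.11", {"Windows", "MacOS"}, 12,
                                [1030, 1031, 33001, 33002], "00:04:5a:12:34:56"),
    # Joel's un-NATed unix box: one OS, 133 connections, one port family.
    "busy_unix_host": Subscriber("203.0.113.12", {"Linux"}, 133,
                                 [32780, 32781, 32782], "00:50:ba:aa:bb:cc"),
    # David's dual-boot PC: two OSes and two port families from one machine.
    "dual_boot_pc": Subscriber("203.0.113.13", {"Windows", "Linux"}, 6,
                               [1040, 1041, 32790], "00:50:ba:dd:ee:ff"),
}
GROUND_TRUTH = {"nat_household": True, "busy_unix_host": False, "dual_boot_pc": False}


def evaluate(tcp_threshold: int = 4, min_indicators: int = 2) -> Tuple[Set[str], Set[str]]:
    """Return (true positives, false positives) for one policy over SAMPLES."""
    tp, fp = set(), set()
    for name, sub in SAMPLES.items():
        if verdict(sub, tcp_threshold, min_indicators):
            (tp if GROUND_TRUTH[name] else fp).add(name)
    return tp, fp


if __name__ == "__main__":
    for needed in (1, 2, 4):
        tp, fp = evaluate(min_indicators=needed)
        print(f"need {needed} indicator(s): flagged={sorted(tp | fp)} false_positives={sorted(fp)}")
```

Requiring all four indicators clears the false positives on these three records, but only because the OUI check is doing the work, and that is exactly the check a user defeats by cloning the MAC of a single PC onto the router; the traffic-level indicators on their own cannot separate one busy or dual-boot machine from a small household.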
On Thu, Jan 31, 2002 at 10:35:47AM -0800, Alexei Roudnev wrote:
I am running VMWare and run virtual machine on my PC; is it 2 computers or 1 computer?
yeah, and what about an IBM z/800 with a few thousand linux images inside? ;)
There is not ANY sharp boundary between 1 computer and many computers -:). It can be less that 1 computer, 1.0 computer, 1.02 computer and so on -:)...
-- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
yeah, and what about an IBM z/800 with a few thousand linux images inside? ;)
I have ONE computer on my cable; it's an ARM processor. Now, there are some helper CPU's in the intelligent peripherals: a Duron in one, a T-bird in another, but hey...the ARM box has to farm out some tasks...right? -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
On Fri, Feb 01, 2002 at 01:45:58AM -0500, Henry Yen wrote:
On Thu, Jan 31, 2002 at 10:35:47AM -0800, Alexei Roudnev wrote:
I am running VMWare and run virtual machine on my PC; is it 2 computers or 1 computer?
yeah, and what about an IBM z/800 with a few thousand linux images inside? ;)
There's something deeply amusing about the idea of one of those being connected to the Internet via a Comcast residential cable modem... -- Bob <melange@yip.org> | Please don't feed the sock puppet.
On Thursday, January 31, 2002, at 10:35 , Alexei Roudnev wrote:
OK.
I am running VMWare and run virtual machine on my PC; is it 2 computers or 1 computer?
There is not ANY sharp boundary between 1 computer and many computers -:). It can be less that 1 computer, 1.0 computer, 1.02 computer and so on -:)...
On the flip side, even if they ignore all non-Microsoft systems both Windows Terminal server and Windows XP can have multiple, simultaneous users, so a single-user ban wouldn't work much better. Chris
On Thursday, January 31, 2002, at 02:09 , Eric A. Hall wrote:
"Bill Woodcock" <woody@zocalo.net> wrote:
Besides the technical difficulties of detecting a household that is running a NAT...
Can you think of a way of doing it reliably? Anything that provides anything more than a guess?
HTTP proxies indicating that multiple browsers are in use, especially if multiple platforms (Win95, WinXP, as simple test)
This is one of the better ones (assuming you only check platform & not browser - it's not uncommon to have more than one of IE/Netscape/Opera running). Even better might be sniffing windowsupdate requests as proxies and some browsers can easily spoof user-agents but there's no reason other than NAT or proxying to explain automatically downloading both the NT and XP patch lists.
More than ~4 simultaneous TCP connections open at once.
Really, really bad idea. Opening a page with images causes multiple HTTP requests in most browsers, particularly if someone's used one of the web accelerators - if you have a few windows open, this could easily cause 30 simultaneous connections (particularly with slow servers). Many programs poll for updates, chat software involves permanent connections (my opening Trillian opens 4 connections), most cable modem users keep their email clients running and it's pretty common to be streaming music or playing online games.
I think that blocking based on known MAC address ranges or traits (e.g. HTTP banners) of NAT devices would be the only acceptable route. That'd probably get the majority of the NAT users but would avoid those who are capable of stealthing a system (this would become particularly interesting with some of the kernel patches floating around which mimic another TCP/IP stack) and these users are the most likely to be soaking bandwidth. Even this would have problems - there'd probably be a class action if they required users not to use firewalls and I doubt they'd want to deal with the support headache in convincing users to give up their wireless access points.
The real lesson is that filtering on equipment is a bad way to control bandwidth usage. Of course, these are the same people who will complain about something listening on port 80 which transfers 5KB/month but won't say a thing if you spend 18 hours a day deathmatching and downloading crap.
Chris
On Thu, 31 Jan 2002 22:55:06 PST, Chris Adams <chris@improbable.org> said:
proxies and some browsers can easily spoof user-agents but there's no reason other than NAT or proxying to explain automatically downloading both the NT and XP patch lists.
Hmm.. Odd.. I've seen machines that dual-boot NT and XP and not using either NAT or proxying - I'd assume they'd at one point or another try to download the NT and XP patch lists. Hell. I've got a machine that has been known to be simultaneously downloading both the AIX and RedHat patch lists. And it wasn't doing NAT or proxying. ;) -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Chris Adams said:
proxies and some browsers can easily spoof user-agents but there's no reason other than NAT or proxying to explain automatically downloading both the NT and XP patch lists.
How about owning multiple computers, without attaching them all to the internet? If I download a MacOS update from my PC, burn a CD, walk it over to the Mac in the room, and install the update, I haven't violated any conceivable service terms. It's nothing short of hubris (on the part of both Microsoft and the ISPs) to assume that nobody ever uses a computer for more than web surfing. They then ride this ludicrous assumption into the insane conclusion that every computer in the world is either attached to the internet or is out of service. -- David
David Charlap <David.Charlap@marconi.com> writes:
It's nothing short of hubris (on the part of both Microsoft and the ISPs) to assume that nobody ever uses a computer for more than web surfing.
When TCI cable was first rolling out high-speed Internet access in the Bay Area, they at one point without notice throttled download speeds to 128 Kb/s per customer in Fremont. Customers hit the ceiling, and the matter boiled over into a community meeting, where TCI explained with a straight face that this step was necessary because customers were "abusing" the network -- they were using it to do things like *work from home*! The collective response from attendees might be paraphrased as "well, duh!" TCI had to relent on this issue; but the episode is telling as to the mindset, I think. This also brings to mind John Perry Barlow's comment that "when these people think interactive video means putting a 'buy this' button on your remote control". Jim Shankland
Uh huh, don't even get me started on DirecPC's FAP debacle. The satellite broadband folks have a helluva time controlling "abusers" while keeping the shared pipe unclogged. I should know, I am one.
jm
On Friday, February 1, 2002, at 08:59 AM, Jim Shankland wrote:
David Charlap <David.Charlap@marconi.com> writes:
It's nothing short of hubris (on the part of both Microsoft and the ISPs) to assume that nobody ever uses a computer for more than web surfing.
When TCI cable was first rolling out high-speed Internet access in the Bay Area, they at one point without notice throttled download speeds to 128 Kb/s per customer in Fremont. Customers hit the ceiling, and the matter boiled over into a community meeting, where TCI explained with a straight face that this step was necessary because customers were "abusing" the network -- they were using it to do things like *work from home*! The collective response from attendees might be paraphrased as "well, duh!" TCI had to relent on this issue; but the episode is telling as to the mindset, I think.
This also brings to mind John Perry Barlow's comment that "when these people think interactive video means putting a 'buy this' button on your remote control".
Jim Shankland
<snip>
Even this would have problems - there'd probably be a class action if they required users not to use firewalls and I doubt they'd want to deal with the support headache in convincing users to give up their wireless access points.
OK... I think the stuff gone with the <snip> was adequately addressed by others. According to the excerpts from the TOS, VMWARE, firewalls (other than an in-box firewall like BlackIce, etc.), WAPs and the like are already prohibited. All of those represent termination of the connection on a non-Comcast LAN. VMWARE connects the VMWARE systems via a LAN implemented as a driver in the host operating system kernel (at least in Linux; I don't know about Windows). Even if there's no physical equipment outside the computer involved, it's still arguably a LAN.
That having been said, the real bottom line is that their policy is a bad idea, and one which would prevent me from subscribing to Comcast. If you are subscribing to Comcast, you have the following choices available to you:
1. Accept the policy and continue on.
2. Ignore the policy and accept the consequences.
3. Tell Comcast that you feel they should reconsider their policy, and cancel your service if they do not.
They aren't the only ISP available.
The real lesson is that filtering on equipment is a bad way to control bandwidth usage. Of course, these are the same people who will complain about something listening on port 80 which transfers 5KB/month but won't say a thing if you spend 18 hours a day deathmatching and downloading crap.
Here, I agree 100%. Any attempt at automated enforcement of the above TOS is likely to be a DoS attack on their customers who are not violating the TOS.
Owen
Owen DeLong wrote:
According to the excerpts from the TOS, VMWARE, Firewalls (other than an in-box firewall like BlackIce, etc.), WAPs and the like are already prohibited. All of those represent termination of the connection on a non-comcast LAN.
I think that's reading too much into it. Clearly they allow for the use of LOCAL networks. I mean, why would you need multiple IP addresses, "expertise setting up a network", and so forth, if they didn't allow for the use of user-side networks? The reference you mention seems to be explicitly in the context of a REMOTE network, as in connecting 24x7 to a pair of Exchange and Oracle servers, sucking up bandwidth all day long.
Let's look at this in their own terms. They allow frat houses, but I would guess that not many of those only have 3 computers, yet they only provide 3 IP addresses, so NATs would almost certainly be required for most frat houses. Conversely, they allow dorm rooms, but they don't want the resident of that ROOM to resell or even provide connectivity to the rest of the DORM.
In this context, I would say that if they are looking for NATs at all, they are looking to see if there are dozens of computers hooked up somewhere that shouldn't be, such as a dorm room reselling pipe, or a residential house providing connectivity to the entire neighborhood. My guess would be that they are only looking for this after they have noticed a utilization issue. I mean, if you are using 100x the bandwidth of other people in your neighborhood, they want to figure out which provision you are PROBABLY violating. Are you running a warez server (forbidden)? Are you providing connectivity to others in your neighborhood (forbidden) (presumably via NAT, since they only give you 3 IPs)? Are you running a small business out of your house (forbidden)? That seems to be the only context that has any significance in any of this.
Keep your utilization at a point where they don't have to upgrade pipes AND don't have to listen to complaints from your neighbors, and they probably won't care what you do with it.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Hmm, isn't this the same industry that charged us additional fees for each television in a house that was hooked up to the CableTV service? Why oh why is anyone surprised by this tactic? Especially from a monopoly.
Let's face it, if the company wants to offer a service, they have the option to specify the terms of the service. If they say the residential cable access product is for one computer - that's the service. If they require a purchase of additional IP addresses to allow the user additional IP addresses - that's the service. If they want to offer a business class service with as many IP addresses as justifiable using ARIN guidelines - that's the service. You don't like it, don't buy it. They are under no obligation to give you what you want, although it usually does help sales.
Greg U
At 09:57 AM 1/31/2002, Martin J. Levy wrote:
I got this forwarded to me. I'm not impressed.
Based upon the general desire for providers to have NAT'ed users and to reduce IP-space usage where appropriate, does this make sense? I can understand the providers desire to increase revenue, but I don't believe this is a good way to do it.
Besides the technical difficulties of detecting a household that is running a NAT'ed router, why not win over the customer with a low-cost extra IP address vs: the customers one-time hardware cost for the router. There are people who would be willing to pay some amount monthly vs: (let's say) $100 for a NAT box.
Does anyone know what percentage of home broadband users run NAT? Does anyone have stats for IP-addresses saved by using NAT?
Martin
------ Forwarded Message From: Ward Clark <ward@joyofmacs.com> Date: Sat, 26 Jan 2002 15:00:32 -0500 To: "NetTalk" <nettalk@sustworks.com> Subject: SlashDot: "Comcast Gunning for NAT Users"
Today's MacInTouch links to a report that appeared in SlashDot on Thursday:
"A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access- whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. ... did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? ..." Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.
There's a huge number of responses (691 at the moment), which I quickly scanned out of curiosity. I'm not a Comcast or Earthlink user.
You can start here:
http://slashdot.org/articles/02/01/24/1957236.shtml
-- ward
------ End of Forwarded Message