
Re: interception proxies

2000-04-13 01:30:02
Vijay Gill <wrath(_at_)cs(_dot_)umbc(_dot_)edu> writes:

Any specific ISP's that one could care to name?  Coming from an ISP, what
I've seen in general is that most routers have just enough cycles in the
forwarding path to keep up with the offered traffic, much less sit around
watching for SYN's in flight so as to mutate the MSS values.  In fact, I'd
think this would be more of an end system issue rather than a "core" or a
"backbone" issue, where the end system is the box prior to the ISP handoff
and not quite under the ISP's control and not the end system as in the
end2end tcp/ip sense of the word.

As the person who mentioned this to Ted in the first place, it's
BellAtlantic InfoSpeed DSL:

04:07:18.626618 ppp0 > badsl.1886 > home.finger: S 3981264130:3981264130(0) win 31944 <mss 1452,sackOK,timestamp 57597532 0,nop,wscale 0> (DF)
04:07:18.720702 ppp0 < home.finger > badsl.1886: S 295466136:295466136(0) ack 3981264131 win 16384 <mss 1412,nop,wscale 0,nop,nop,timestamp 7390358 57597532>
04:07:18.720725 ppp0 > badsl.1886 > home.finger: . 1:1(0) ack 1 win 31944 <nop,nop,timestamp 57597542 7390358> (DF)

04:08:17.797647 badsl.1886 > home.79: S 3981264130:3981264130(0) win 31944 <mss 1412,sackOK,timestamp 57597532 0,nop,wscale 0> (DF)
04:08:17.798118 home.79 > badsl.1886: S 295466136:295466136(0) ack 3981264131 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 7390358 57597532>
04:08:17.839552 badsl.1886 > home.79: . ack 1 win 31944 <nop,nop,timestamp 57597542 7390358> (DF)

Of course, it's hard to tell exactly where this is happening.  I
suspect either the DSL modem or the DSLAM.

I've considered bringing up IPsec using AH on the two endpoints, but
I'm sure that will involve far more pain dealing with incompetent
technical "support" droids than I have time to deal with.

On the other side, I can name over a dozen major web sites which
create a black hole by setting DF on outgoing TCP segments, but block
ICMP fragmentation required messages going the other way.

If anybody at Cisco is listening (a rhetorical question to be sure), a
great feature for a future version of IOS would be one which causes
TCP to be blocked completely if ICMP fragmentation required packets
are blocked.  At least then the black hole would be easy to spot :-)

                Marc
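
The comparison Marc makes by hand above (same SYN, different MSS at the two ends), automated as an added example that is not part of the original message: it parses the two tcpdump captures quoted above in their original format, correlates SYN and SYN/ACK segments across the two vantage points by ISN (which the rewriting device leaves intact), and reports every MSS that changed in transit. The capture text is the message's own; the parser, the `Syn` type and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two captures quoted in the message above: DSL side (ppp0) and server side.
DSL_SIDE = """\
04:07:18.626618 ppp0 > badsl.1886 > home.finger: S 3981264130:3981264130(0) win 31944 <mss 1452,sackOK,timestamp 57597532 0,nop,wscale 0> (DF)
04:07:18.720702 ppp0 < home.finger > badsl.1886: S 295466136:295466136(0) ack 3981264131 win 16384 <mss 1412,nop,wscale 0,nop,nop,timestamp 7390358 57597532>
04:07:18.720725 ppp0 > badsl.1886 > home.finger: . 1:1(0) ack 1 win 31944 <nop,nop,timestamp 57597542 7390358> (DF)
"""
SERVER_SIDE = """\
04:08:17.797647 badsl.1886 > home.79: S 3981264130:3981264130(0) win 31944 <mss 1412,sackOK,timestamp 57597532 0,nop,wscale 0> (DF)
04:08:17.798118 home.79 > badsl.1886: S 295466136:295466136(0) ack 3981264131 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 7390358 57597532>
04:08:17.839552 badsl.1886 > home.79: . ack 1 win 31944 <nop,nop,timestamp 57597542 7390358> (DF)
"""

# Matches SYN and SYN/ACK lines; the optional group skips old tcpdump's "ppp0 >" prefix.
SYN_RE = re.compile(
    r"^\S+\s+(?:\S+\s+[<>]\s+)?(?P<src>\S+) > (?P<dst>\S+): S "
    r"(?P<isn>\d+):\d+\(\d+\)(?: ack \d+)? win \d+ <(?P<opts>[^>]*)>"
)
MSS_RE = re.compile(r"\bmss (\d+)\b")

@dataclass
class Syn:
    src: str
    dst: str
    isn: int            # initial sequence number, untouched by an MSS clamp
    mss: Optional[int]  # None if the segment carried no MSS option

def parse_syns(capture: str) -> List[Syn]:
    """Extract SYN and SYN/ACK segments, with their MSS option, from tcpdump text."""
    syns = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue  # pure ACK and data segments carry no MSS option
        mss = MSS_RE.search(m["opts"])
        syns.append(Syn(m["src"], m["dst"], int(m["isn"]),
                        int(mss.group(1)) if mss else None))
    return syns

def find_mss_rewrites(near: str, far: str) -> List[Tuple[int, int, int]]:
    """Match each SYN seen at both vantage points by ISN and return
    (isn, mss_near, mss_far) for every segment whose MSS option differs."""
    far_by_isn: Dict[int, Syn] = {s.isn: s for s in parse_syns(far)}
    return [(s.isn, s.mss, far_by_isn[s.isn].mss)
            for s in parse_syns(near)
            if s.isn in far_by_isn and far_by_isn[s.isn].mss != s.mss]
```

On the two captures above this reports both directions being clamped to 1412, which is what the message attributes to the DSL path; an empty result from two captures of the same handshake means nothing in between touched the option.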


