backbone transparent proxy / connection hijacking

Jeremy Porter wrote:

Cisco policy routing can use source IP address for deciding to pass
traffic to the cache engine. The cache engine normally can be
configured to exempt destination. I believe that this fixes both

Except that it's an extremely manual process to define these "exemption"
policies on an "it's broken, please fix" basis, and something that will likely
be duplicated hundreds or thousands of times. Perhaps a more friendly
deployment that allows customers to register for this "big incentive"
individually would make the most sense, rather than just throwing it out there
and seeing what breaks. With this model it's true that all the benefits of
caching wouldn't be immediately apparent, but the customer will likely be less
annoyed when something does break, and less inclined to select a new provider.

Of course, this thread wouldn't have started had caching vendors (or better,
their customers) agreed on what transparent actually means. I seem to recall
one of its definitions to be "free of deceit. (that's period)", not "free of
deceit .. unless IP-based filtering, or the like (anything else that happens
to break), is deployed". Only one implementation seems to have got it right
at this point, which seems utterly amazing.

Expecting the customer to be able to have a clue to
go to a www page is a bit much, tho. Some customers have set up
IP based authentication on their NT server, but can't figure out how
to configure SSL, which wouldn't be cached, and would be more secure.
The burden of making this work is on the cache operator. Also it turns
out that the sites with the most problems with the cache are the ones
paying the least money for service. It's hard to feel very sorry for
a $20/month dialup customer, who is connecting to his corporate site
with a broken NT server.

I'd think that a $20 dialup customer deserves the same level of service as any
other customer, else they're obviously in the wrong market. ...and I
certainly wouldn't say that a server, or entire corporation, is in the wrong
for deploying properly working IP based authentication as a first level of

  (speaking only for myself)