NNSquad - Network Neutrality Squad


[ NNSquad ] Re: How do I detect connection disruption by my IAP?


Robb Topolski wrote:

> It's more suspicious if you receive an RST in the middle of a well-established connection where data is actively being exchanged. In my case (with Comcast), the RST abuse comes at a very specific moment during either the handshake or after the remote client makes a data request.

The protocol specifically allows for a RST to be received in the middle of a well-established connection where data is actively being exchanged. It means "I crashed and lost this connection, please go away".


You ignore such packets at your peril; they're in the protocol for a reason. It would be FAR better to sign them cryptographically so that spoofed packets can be ignored while real resets (or FINs or any other packet) from the other end will be accepted.

Again, it is unnecessary to get angry, to accuse the ISPs of fraud or deception by forging packets, or to accuse them of copyright infringement, or any other tortured interpretations of law. These are all likely to fail given the political climate. And they are also completely unnecessary when you can "get even" with a highly effective technical countermeasure specifically designed to solve this exact problem.

Back during the "crypto wars" in the 1990s I felt that our primary adversary was the federal government. Obviously it still is.

But it may turn out that the most important contribution of cryptography to the Internet will be the preservation of the end-to-end model. IPSEC is an extraordinarily powerful countermeasure to port blocking, protocol spoofing, "deep packet inspection", transparent proxying and other offensive ISP behaviors. It should also be highly effective at thwarting any attempts to limit the use of IPv6 tunneled inside IPv4, e.g., to force a payment for each address.

And the ISPs won't be able to do a damn thing about it for once. They will only be able to observe the amount of traffic we generate and where the outer IP headers are addressed. TCP/IP was carefully designed so that routers only need to look at the IP header to do their job, and it's about time we put some teeth into that principle.
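As an added illustration of the "sign them cryptographically" point above (example code written for this archive page, not part of anyone's message, and a deliberate simplification of what IPsec AH actually does): a keyed MAC over the fields both endpoints agree on lets a receiver drop a reset injected by a third party while still honouring a genuine reset from its peer. The shared key, addresses and ports are constructed for the example.

```python
import hmac
import hashlib
import os
import struct
from dataclasses import dataclass, replace

# Hypothetical key the two endpoints agreed on out of band (constructed for the example).
SHARED_KEY = b"example-key-agreed-by-the-two-endpoints"


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str
    payload: bytes = b""
    tag: bytes = b""  # authentication tag carried with the segment


def authenticated_fields(seg: Segment) -> bytes:
    """Bytes covered by the MAC: addresses, ports, sequence numbers, flags, payload.
    Hop-by-hop mutable fields such as TTL are left out, as AH does, so routers
    only ever need the outer header to forward the packet."""
    return (seg.src.encode() + b"|" + seg.dst.encode() + b"|"
            + struct.pack("!HHII", seg.sport, seg.dport, seg.seq, seg.ack)
            + b"|" + seg.flags.encode() + b"|" + seg.payload)


def sign(seg: Segment, key: bytes) -> Segment:
    seg.tag = hmac.new(key, authenticated_fields(seg), hashlib.sha256).digest()
    return seg


def accept(seg: Segment, key: bytes) -> bool:
    expected = hmac.new(key, authenticated_fields(seg), hashlib.sha256).digest()
    return hmac.compare_digest(seg.tag, expected)  # constant-time comparison


def filter_segments(segments, key):
    """Split incoming segments into those whose tag verifies and those to ignore."""
    accepted, dropped = [], []
    for seg in segments:
        (accepted if accept(seg, key) else dropped).append(seg)
    return accepted, dropped


def demo():
    peer_data = sign(Segment("10.0.0.2", "10.0.0.1", 6881, 40000, 1000, 500, "PSH|ACK", b"data"), SHARED_KEY)
    peer_rst = sign(Segment("10.0.0.2", "10.0.0.1", 6881, 40000, 1004, 500, "RST"), SHARED_KEY)
    # A third party on the path can copy addresses, ports and sequence numbers but has no key.
    injected_rst = Segment("10.0.0.2", "10.0.0.1", 6881, 40000, 1004, 500, "RST", tag=os.urandom(32))
    # Re-using a genuine tag on an altered segment fails too, since the flags are covered.
    altered = replace(peer_data, flags="RST")
    accepted, dropped = filter_segments([peer_data, peer_rst, injected_rst, altered], SHARED_KEY)
    return [s.flags for s in accepted], len(dropped)
```

Running `demo()` returns `(["PSH|ACK", "RST"], 2)`: the peer's data and its real reset pass, the injected and altered resets are ignored.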