NNSquad - Network Neutrality Squad


[ NNSquad ] Re: [IP] Re: a wise word from a long time network person -- Mercury News report on Stanford hearing


At 02:52 PM 4/23/2008, Craig A. Finseth wrote:

> How long until someone patches the network driver to ignore RSTs?

This would be done within the TCP stack, not in the network driver.

What this would do is prevent purely passive network control devices (e.g. Sandvine and WebSense) from working, which would be a shame because these devices are very efficient. But it could not prevent firewalls which merely WARN of blocking via RST packets from working properly.

It would also be a very serious violation of the standards (unlike sending the RST packets in the first place, IMHO).

> Sure, the end user might run into a few problems if they do so and
> have to manually cancel some connections, but far fewer than they will
> have if they continue to respect the RSTs.

Actually, it would cause major problems -- and a great deal of congestion. It might also create security risks.


> If _any_ network management mechanism is perceived to be at the
> expense of the user('s desire to achieve a goal), it will eventually
> be bypassed.

This is one of the fundamental problems of the "end to endian" ideology. It trusts all of the "ends" not to be bad actors. On today's Internet, you simply cannot realistically do that. You must stop trusting the ends and put security and congestion control mechanisms in the middle. Which is what we, Comcast, and others are doing. You can PROVISIONALLY trust the ends, but must also watch for untrustworthy behavior and be prepared to react to it. For example, if you see your RST packets ignored, you may want to shut the user down cold. This is not an overreaction, because you have a rogue machine on your hands that may try anything at all to commandeer or harm the network.


--Brett Glass
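As an added illustration (not part of the post above, and not code from any of the people or products it names), the two checks the exchange turns on, in Python: the receiver-side RST acceptance test a TCP stack performs, with the "ignore every RST" policy Craig describes placed beside the RFC 793 in-window rule and the stricter RFC 5961 rule, and the flow check an operator that injects RSTs would run to notice a host that keeps sending data after it was reset, which is what the last paragraph proposes reacting to. Packet records, addresses, port numbers and the grace period are constructed for the example.

```python
"""Added example; the packet data below is constructed, not captured."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FourTuple = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Pkt:
    t: float            # seconds since start of trace (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: str          # e.g. "PA" (PSH+ACK), "R" (RST)
    payload_len: int = 0


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment's sequence number,
    with 32-bit wraparound handled by modular subtraction."""
    return ((seg_seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


def rst_accepted(seg_seq: int, rcv_nxt: int, rcv_wnd: int, policy: str) -> str:
    """What a receiving TCP does with an RST whose sequence number is seg_seq.

    Returns 'reset' (tear the connection down), 'challenge' (send a
    challenge ACK, RFC 5961) or 'drop' (silently discard).

    policy 'rfc793'  : any RST inside the receive window resets.
    policy 'rfc5961' : only SEG.SEQ == RCV.NXT resets; an in-window but
                       inexact RST gets a challenge ACK; others are dropped.
    policy 'ignore'  : the patched stack the thread discusses; never honours
                       an RST, which is the non-standard behaviour.
    """
    if policy == "ignore":
        return "drop"
    if not seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if policy == "rfc793":
        return "reset"
    if policy == "rfc5961":
        return "reset" if seg_seq == rcv_nxt else "challenge"
    raise ValueError(f"unknown policy {policy!r}")


def rst_ignoring_flows(pkts: Iterable[Pkt],
                       injected: Iterable[Tuple[FourTuple, float]],
                       grace: float = 1.0) -> List[FourTuple]:
    """Operator-side check: for each RST the operator injected towards a host
    (keyed by the host's own 4-tuple and the injection time), flag the flow
    if the host still sends new payload more than `grace` seconds later.
    The grace period absorbs segments already in flight when the RST went out.
    """
    pkts = list(pkts)
    flagged: List[FourTuple] = []
    for (host, hport, peer, pport), t_rst in injected:
        still_talking = any(
            (p.src, p.sport, p.dst, p.dport) == (host, hport, peer, pport)
            and p.payload_len > 0
            and p.t > t_rst + grace
            for p in pkts
        )
        if still_talking:
            flagged.append((host, hport, peer, pport))
    return flagged


# Constructed trace: two hosts behind the same operator talking to one peer.
# The RSTs carry the peer's address because an injector spoofs it.
SAMPLE_PACKETS = [
    # flow A: host 10.0.0.5 honours the RST (one in-flight segment follows it)
    Pkt(0.0, "10.0.0.5", 40000, "203.0.113.9", 6881, 1, "PA", 1200),
    Pkt(2.0, "203.0.113.9", 6881, "10.0.0.5", 40000, 5000, "R"),
    Pkt(2.3, "10.0.0.5", 40000, "203.0.113.9", 6881, 1201, "PA", 1200),
    # flow B: host 10.0.0.7 keeps sending data well after the RST
    Pkt(0.0, "10.0.0.7", 40001, "203.0.113.9", 6881, 1, "PA", 1200),
    Pkt(2.0, "203.0.113.9", 6881, "10.0.0.7", 40001, 5000, "R"),
    Pkt(3.5, "10.0.0.7", 40001, "203.0.113.9", 6881, 1201, "PA", 1200),
    Pkt(4.0, "10.0.0.7", 40001, "203.0.113.9", 6881, 2401, "PA", 1200),
]

# The operator's own record of which RSTs it injected, and when.
INJECTED_RSTS = [
    (("10.0.0.5", 40000, "203.0.113.9", 6881), 2.0),
    (("10.0.0.7", 40001, "203.0.113.9", 6881), 2.0),
]

if __name__ == "__main__":
    for policy in ("rfc793", "rfc5961", "ignore"):
        print(policy, rst_accepted(1500, 1000, 65535, policy))
    print("flows ignoring RST:", rst_ignoring_flows(SAMPLE_PACKETS, INJECTED_RSTS))
```

The first function shows why "ignore RSTs" is a stack change rather than a driver change: the decision depends on RCV.NXT and the receive window, connection state the driver never sees. It also shows the middle ground the thread does not mention: a stack that follows RFC 5961 still honours RSTs but only accepts one whose sequence number is exactly RCV.NXT, so a passive injector has to guess that value rather than merely land in the window. The second function is the operator-side observation the last paragraph relies on: with only the injector's own log and flow records, a host that keeps emitting payload after being reset stands out, and the grace parameter is what keeps in-flight segments from producing false positives.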