Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: backbone transparent proxy / connection hijacking

  • From: Jeremy Porter
  • Date: Sat Jun 27 22:49:54 1998

Cisco policy routing can use source IP address for deciding to pass
traffic to the cache engine.  The cache engine normally can be
configured to exempt destination.  I believe that this fixes both
issues. Expecting the customer to be able to have a clue to
go to a www page is a bit much, tho.  Some customers have set up
IP based authentication on their NT server, but can't figure out how
to configure SSL which wouldn't be cached, and would be more secure.
The burden of making this work is on the cache operator.  Also it turns
out that the sites with the most problems with the cache are the ones
paying the least money for service.  It's hard to feel very sorry for
a $20/month dialup customer, who is connecting to his corporate site
with a broken NT server.

If customers are using proxies that break, it's easy enough for them
to speak ICP, and still get the same operational conditions, as far
as the ISP side is concerned.

As far as the asymmetric routing issue, the traffic INSIDE the ISP isn't
asymmetric, and shouldn't need to be cached.  I don't really see the
problem here.  (But it could be me.)

In message <>, 
Hank Nussbacher writes:

>On Fri, 26 Jun 1998, Paul Gauthier wrote:
>From what I have seen, the Alteon/Inktomi/Netcache/Cisco solutions do
>*not* allow for an unlimited bypass list - both based on destination or
>source IP address.  When that happens, the ISP, Digex in this case, can
>have a simple authenticated web page where a customer can add their CIDR
>block to a bypass list in the transparent proxy.  Till then, all the
>bashing will continue. 
>Add to the things that will break - simplex or asymmetric routing.  More
>and more customers are ordering simplex satellite lines.  Imagine a
>European company that buys a 512kb line from an ISP but also buys a T1
>simplex satellite line to augment b/w.  The http request goes out with the
>sat-link CIDR block as source.  The request hits the transparent proxy for
>a USA based page.  The proxy retrieves the page from the USA, using its
>expensive transAtlantic link.  Page hits the proxy.  Now the transparent
>proxy needs to deliver the page.  But the requestor's IP address is located
>at some satellite provider in the USA (previously discussed here), so the
>transparent proxy routes the page back across the Atlantic for delivery
>via the satellite simplex line. 
>Same problems happen with asymmetric routing.  I blv Vern has a study that
>shows that 60% of all routes on the Internet are asymmetric.
>Bottom line: w/o bypass based on source or destination, the bashing will

Jeremy Porter, Freeside Communications, Inc.
PO BOX 80315 Austin, Tx 78708  | 512-458-9810
