@Home bans VPNS

Chris Carlson carlsonmail at YAHOO.COM
Fri Aug 25 09:30:33 EDT 2000


While IPSec traffic is easy to spot (IP types 50, 51
and UDP port 500), vendor support of NAT transparency
masks this.

Most IPSec vendors' NAT transparency implementations use
a UDP packet to transmit the IPSec packet.  Check
Point has registered some high port (UDP 2746) for
this use, and Isolation Systems (bought by Shiva) used
UDP 2233.

So, while broadband providers can easily block IPSec
and PPTP/L2TP tunnels at their edge or core routers,
they'll be hard-pressed to research, discover, and
continually update the NAT transparency UDP ports.

Not to mention other non-IPSec VPNs, like Michael
mentioned: SSH, SSL, SOCKS, or even SKIP.  Imagine
client software that behaves like a virtual IP adapter
but tunnels the connection in SSL over port 443.
There's NO WAY that broadband providers can filter
that.

Hmmm... any VPN vendors out there?  Why not make
SSL/443 one of the ports used by your IPSec NAT
transparency?  We can bypass this ridiculous service
agreement once and for all!

Regards,
Chris
--


--- "Michael H. Warfield" <mhw at WITTSEND.COM> wrote:
> On Thu, Aug 24, 2000 at 09:36:08AM -0700, Bob
> Hammond wrote:
> > In practice, how can they detect or prevent VPN
> users?  Doesn't it just look
> > like IP traffic?
>
> 	Depends upon the VPN.  IPSec is protocol 50 so
> that's REAL easy
> to spot.  PPTP is also real easy to spot.  If
> someone is doing SSL or
> SSH tunnel-based VPNs, that could be extremely
> difficult, but they're
> not nearly as good for general purpose VPNs.
>
> > Bob
>
> > -----Original Message-----
> > From: Sandy Harris [mailto:sandy at STORM.CA]
> > Sent: Tuesday, August 15, 2000 6:39 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: [Fwd: @Home bans VPNS]
> >
> >
> > -------- Original Message --------
> > Subject: @Home bans VPNS
> > Date: Tue, 15 Aug 2000 17:02:11 -0400 (EDT)
> > From: Matt Cramer <cramer at unix01.voicenet.com>
> > Reply-To: Matt Cramer
> <cramer at unix01.voicenet.com>,Matt Cramer
> > <cramer at unix01.voicenet.com>
> > To: dc-stuff at dis.org
> >
> >
> > @Home has banned VPNs or encrypted tunneling
> protocols from their network
> > (!).
> >
> > http://www.comcastonline.com/subscriber-v3-red.asp
>
> > Read 6.B.viii.  Use of tunneling crypto makes you
> a "business" customer
> > subject to the ~10x higher fees.
>
> 	Counter point, filtering based on protocol types or
> content means
> they no longer qualify for common carrier status.
> Threaten to complain
> to the FCC!
>
> > FOAD, Comcast.
>
> > Matt, ADSL and frame relay user
> >
> > --
> > Matt Cramer <cramer at voicenet.com>
> > http://www.voicenet.com/~cramer/
> > Thou art God and I am God and all that groks is
> God,
> > and I am all that I have ever been or seen or felt
> > or experienced.
> >      -Mike
>
> > VPN is sponsored by SecurityFocus.COM
>
> 	Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |
> mhw at WittsEnd.com
>   (The Mad Wizard)      |  (678) 463-0932   |
> http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we
> live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A
> pessimist is sure of it!
>



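The thread argues that a provider can match IPSec (IP protocols 50/51, UDP 500) and PPTP/L2TP at a router, can chase vendor NAT-transparency UDP ports only with ongoing effort, and cannot distinguish an SSL-over-443 tunnel from ordinary HTTPS by port alone. The following is an added example, not code from any poster or vendor, that encodes exactly that port/protocol rule set as a classifier and runs it over constructed packet records. The port table uses the ports named in the thread (UDP 2746 for Check Point, UDP 2233 for Isolation Systems/Shiva) plus UDP 4500, the IETF NAT-T port standardized later in RFC 3948; the `Packet` record, `classify` and `filter_flows` names are this example's own.

```python
# Added example (not from the original post): a port/protocol classifier for
# the VPN signatures discussed in the thread, run over constructed packets.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_GRE = 47   # PPTP data channel
IP_PROTO_ESP = 50   # IPSec ESP
IP_PROTO_AH = 51    # IPSec AH

# UDP ports used by "NAT transparency" (ESP-in-UDP) implementations.
# 2746 and 2233 are the vendor ports named in the thread; 4500 is the
# IETF NAT-T port standardized later (RFC 3948). Any new vendor port has
# to be added here by hand, which is the maintenance burden Chris describes.
NAT_T_UDP_PORTS = {
    2746: "Check Point NAT transparency",
    2233: "Isolation Systems/Shiva NAT transparency",
    4500: "IETF NAT-T (RFC 3948)",
}


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet record: IP protocol plus L4 ports if any."""
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def classify(pkt: Packet) -> Optional[str]:
    """Return a VPN label if the packet matches a known signature, else None."""
    if pkt.proto == IP_PROTO_ESP:
        return "IPSec ESP"
    if pkt.proto == IP_PROTO_AH:
        return "IPSec AH"
    if pkt.proto == IP_PROTO_GRE:
        return "GRE (PPTP data)"
    ports = {pkt.sport, pkt.dport}
    if pkt.proto == IP_PROTO_TCP:
        if 1723 in ports:
            return "PPTP control"
        # SSL/443 or SSH/22 tunnels carry no port-level signature: they look
        # like ordinary HTTPS or SSH sessions to this rule set.
        return None
    if pkt.proto == IP_PROTO_UDP:
        if 500 in ports:
            return "IKE"
        if 1701 in ports:
            return "L2TP"
        for p in ports:
            if p in NAT_T_UDP_PORTS:
                return NAT_T_UDP_PORTS[p]
    return None


def filter_flows(packets: List[Packet]) -> Tuple[List[Tuple[Packet, str]], List[Packet]]:
    """Split packets into (blocked-with-label, passed) the way an edge ACL would."""
    blocked: List[Tuple[Packet, str]] = []
    passed: List[Packet] = []
    for pkt in packets:
        label = classify(pkt)
        if label:
            blocked.append((pkt, label))
        else:
            passed.append(pkt)
    return blocked, passed


# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    Packet(IP_PROTO_ESP),                          # native IPSec
    Packet(IP_PROTO_UDP, 500, 500),                # IKE negotiation
    Packet(IP_PROTO_TCP, 40000, 1723),             # PPTP control
    Packet(IP_PROTO_UDP, 2746, 2746),              # Check Point ESP-in-UDP
    Packet(IP_PROTO_UDP, 33000, 2233),             # Shiva ESP-in-UDP
    Packet(IP_PROTO_TCP, 41000, 443),              # SSL tunnel, indistinguishable from HTTPS
    Packet(IP_PROTO_TCP, 41001, 22),               # SSH tunnel, indistinguishable from SSH
    Packet(IP_PROTO_UDP, 53000, 53),               # plain DNS
]

if __name__ == "__main__":
    blocked, passed = filter_flows(SAMPLE_PACKETS)
    for pkt, label in blocked:
        print(f"BLOCK {pkt} -> {label}")
    for pkt in passed:
        print(f"PASS  {pkt}")
```

Run stand-alone it prints five blocked flows and three passed ones; the two TCP tunnels pass because a rule keyed on protocol numbers and ports has nothing to match, which is the point of the SSL/443 suggestion in the post. Detecting those would need payload or behavioural analysis, not a port list.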



