@Home Stops Allowing VPNs
cwilson writes: "I just got a message from my cable modem provider, Comcast@Home (a member of the Excite@Home network) that the terms of service were being changed. The interesting bit: Section 6. Prohibited Uses of the Service. This section specifies that use of the Service in conjunction with a VPN (Virtual Private Network) or a VPN Tunneling Protocol is a prohibited use of the Service. See for yourself here in section 6." Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah! Update: 08/14 14:16 by michael : Yes, Robin confused NAT and VPN. TLA's are a PIA.
Cable companies are regulated differently from other communications (i.e. telco) companies. That'd be like complaining that you can't rebroadcast video from your normal cable service.
Wow, what if the phone company started the same thing. "Your home phone is for personal and entertainment use only" Then they would try to charge you more if you discuss "business" in any way. Imagine trying to sell a car or set up a wedding............
Dirty Pirate Hooker
Wow, that sucks. Even in your case though, they didn't suspend your service until you handed them the evidence of your server. They didn't actually go looking for it. Still a shitty thing for them to do, though.
Also, the fact that you haven't had your service suspended again even though you left the server operational seems to indicate that they aren't actively looking for violations. (assuming your current lack of telnet access doesn't indicate a service suspension.)
On a side note: You got cracked and you're STILL using telnet? Over a cable modem? Might as well post your passwords on a web page. Both cable-connected machines that I take care of get portscanned at least four times a day, and I'm sure there's a ton of sniffing going on on the cable network. I've had at least one incident where I got careless and telnetted to a cable-connected box and had another person log in to the same account within a minute.
Do yourself a favor and install OpenSSH first chance you get, and shut down that telnet port.
Ummm. No.
I can see where this would perhaps be true in a national business that outsources its support, but for "local" businesses (such as the local ISP I work for) it is not. Case in point, no one in our tech support area is hired unless they know vi. Period. We don't hire monkeys. Not everyone has such a dire tech support area.
--
This is actually standard for most ISPs. People using LANs are expected to pay for LAN accounts. This doesn't mean that they will track you down, or disconnect you, but they encourage you to pay for what you're getting. Dial up accounts don't pay for themselves, and are just used as leverage when marketing other services.
I work for a small company. I've worked for larger companies as well. I have NOT seen the above in a tech company. I DO get this when I call AT&T or Sprint, but they still tend to know their system better than I do (internal system).
Currently, I'm suckered into support. But my company has 4 support ENGINEERS. We're it. We deal with, "Where are the drivers for this damn thing!", to "I'm trying to do this, and I get this weird error. Any ideas?". The first guy didn't read the damn slip of paper that came in the interface card's box that said to download the latest drivers from the web. No reason to ship a disk. Out of date before they get it... Second guy is a Senior Programmer trying to eke every last processor tick while doing recursion in an 8-bit micro... Not much common sense, but a smart guy.
Not every place hires idiots for support. I wouldn't mind a trained monkey between me and the dumb calls, but someone well enough trained to send me the truly fucked over, or the ones intelligent enough to be doing something interesting.
I personally feel that your rant is more flamebait than anything else. I'm sure a large number of people here actually work support, like the one whose post you replied to.
Yes, at my company, support is entry-level. But it requires a degree in engineering, and some experience in the real world. You don't take calls immediately, but after 2 weeks of training, you can handle 50% of the calls we get: "how do I download?", "why doesn't my card work?", etc., etc, etc. A little knowledge of resolving IRQ conflicts and you're up to 75%. Those remaining 24% are usually programming intensive people using our communications layer, and not able to program "hello world". The 1% I left out, are interesting calls from people doing interesting things, and running into interesting problems... Not that it happens very often, but it does.
So why don't you lay off support people. Even if they are trained monkeys, it's better than being on hold...
Ivan, I'm using Mandrake 7.1 with the latest dhcpcd I only tried once, and reverted to the static config right away. I'll check it out tonight to see if I missed something or had a typo somewhere. coutch
@Home simply takes a certain set of services and says 'off limits' to non-business clients so they have something to sell to business clients.
I understand what you are saying - but the fact is that people are going to want to do VPN someday at home. One could argue at one time that no one would ever set up a home network, that was just a business thing - but people are now doing it.
I tend to wonder if many of these things are just business imposing artificial scarcity on a "resource". In other words, would home networking have happened faster if the cards were cheap(er) to begin with? Maybe, maybe not (of course, the counter argument would be that the computers weren't cheap enough to have multiple machines at home).
So now are we left with a business telling us that we can't do VPN, because it is a business thing only - when I have already outlined several personal uses of such technology for home use?
Like I said before, just give us the pipe, and leave us alone (home, business, who cares).
I support the EFF - do you?
Reason is the Path to God - Anon
Yeah, they could - or they could (in a Windows case), just turn on sharing, etc - and drag and drop.
However, none of these things is secure. Nor will an FTP server allow for easy access to that MP3 collection at the cabin.
A well set up VPN would be much more secure, and more flexible - because it would simply be an encrypted tunnel between two separate private networks. I am sure right now people are doing exactly as you suggest, setting up multiple FTP servers and sharing files with family - and I am sure people are doing the Windows sharing thing as well (at least within a particular subnet - maybe with their neighbor or something). However, these people will be in for a rude "surprise" when someone "comes in" and takes a bunch of stuff not meant for them, or places something nasty on the machines, or for that matter, reformats the drive, etc (I am assuming Windows boxes).
Of course, if people are doing this, one could argue about how could we expect them to properly set up a VPN, when they don't even try to firewall their boxes - a good question indeed...
I support the EFF - do you?
Reason is the Path to God - Anon
If they are charging at the "break even point", why don't they allow @Home users the ability to get some of the services from @Work - in other words, instead of having a two-tier approach, with two radically different pricing levels (I know - I looked into getting @Work for my home), why don't they have more of an "a la carte" setup, where one could pick and choose bandwidth and services based on what they want or need, with the option to add or subtract bandwidth and services whenever they wish (or every 3 months, or whatever).
Give us more tiers, and charge accordingly! That way consumers get what they want, and businesses can get theirs. DSL works this way, telephone works this way - why can't cable (and don't get me started on cable TV - I hate sports channels, but I am forced to get them, even though I don't watch them, at all - why?)...
I support the EFF - do you?
Reason is the Path to God - Anon
Good point. I think the ultimate issue here is network sharing. Comcast is clearly operating on the assumption that "business" users always consume more bandwidth than "consumer" users. And of course, this is more of a problem when the "last mile" link is a shared network rather than a point-to-point connection.
which operated under tight access regulations as defined in your state tariffs for telephone service. Go to your local department of public utilities and look up phone company tariffs, you'll see that they BY LAW cannot regulate what you do with your telephone (and by extension, your DSL connection) after the demark point in your house. Cable companies are NOT subject to these regulations.
I've often felt that NAT proxies can be detected if people abuse them enough. AFAIK, NAT proxies use the socket serial number to maintain a "proxy session" of sorts so that it can properly redirect incoming reply packets from the 'Net. If the ISP routers flag IP's with unusually high numbers of open sockets, then perhaps that could trip a "we think you're using a NAT proxy" letter. One machine with 5, 10 or 15 unrelated web sites coming up *simultaneously* is probably not just one machine. Think small office or frat house.
Sure I've had machines with 5 web browsers up, but I never surfed so much as to wait for all 5 to load their pages at once, I would rotate among them. Certainly never 10 browsers loading at once. But when I violate my AUP and use NAT proxy, I've had 10ish browsers running between five clients.
In the old days, I used to run over 30 simultaneous FTP's to bring down the latest Slackware from Walnut Creek. All the same site, however.
I think it can be done. Doesn't mean I think it's happening, tho.
--
Intelligent Life on Earth
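The heuristic the post above sketches (one subscriber address opening an unusually large number of unrelated connections at the same moment) can be made concrete as a small flow-log analysis. The per-connection identifier the post calls a "socket serial number" is, in NAT implementations, the translated source port. The code below is an added example written for this page, not something from @Home or any poster: it runs over a constructed set of flow records (start time, source IP, source port, destination IP, destination port), computes for each source the maximum number of flows and of distinct destination hosts started within any short window, and flags only sources that score high on both. The distinct-host count is what separates the "frat house" pattern from the post's own counter-example of thirty parallel FTP sessions to a single mirror.

```python
from collections import defaultdict

# Constructed sample flow records (not real ISP data):
# (start_seconds, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    # 10.0.0.5: one browser, pages fetched one after another
    (0, "10.0.0.5", 40001, "198.51.100.10", 80),
    (5, "10.0.0.5", 40002, "198.51.100.11", 80),
    (11, "10.0.0.5", 40003, "198.51.100.12", 80),
    # 10.0.0.9: a dozen unrelated sites within the same second (NAT-like)
    *[(20, "10.0.0.9", 50000 + i, f"203.0.113.{i}", 80) for i in range(12)],
    # 10.0.0.7: thirty parallel flows, but all to one FTP mirror
    *[(30, "10.0.0.7", 52000 + i, "192.0.2.77", 21) for i in range(30)],
]


def flows_in_window(flows, window_s):
    """Per source IP: (max flows started within any window_s-second span,
    max distinct destination hosts within that same span)."""
    by_src = defaultdict(list)
    for start, src, _sport, dst, _dport in flows:
        by_src[src].append((start, dst))

    result = {}
    for src, items in by_src.items():
        items.sort()
        best_flows = best_hosts = 0
        lo = 0
        for hi in range(len(items)):
            # Slide the window start forward until the span fits in window_s
            while items[hi][0] - items[lo][0] > window_s:
                lo += 1
            span = items[lo:hi + 1]
            best_flows = max(best_flows, len(span))
            best_hosts = max(best_hosts, len({dst for _, dst in span}))
        result[src] = (best_flows, best_hosts)
    return result


def nat_suspects(flows, window_s=2, min_flows=10, min_hosts=5):
    """Sources with many near-simultaneous flows to many different hosts.
    Thresholds are illustrative; a single busy host can still trip them."""
    stats = flows_in_window(flows, window_s)
    return sorted(src for src, (nflows, nhosts) in stats.items()
                  if nflows >= min_flows and nhosts >= min_hosts)


if __name__ == "__main__":
    for src, (nflows, nhosts) in sorted(flows_in_window(FLOWS, 2).items()):
        print(f"{src}: {nflows} flows, {nhosts} hosts in a 2 s window")
    print("NAT-like sources:", nat_suspects(FLOWS))
```

The FTP-mirror host scores 30 flows but only 1 destination, so it is not flagged; the household behind a NAT box scores 12 and 12 and is. As the post says, this shows the pattern can be spotted, not that any provider is looking for it, and the thresholds would need tuning against real traffic before anyone acted on them.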
That, and remember that the upstream bandwidth on a cable modem is much less than the downstream. If you are running any sort of service, you will use up everybody's shared upstream bandwidth on the cable segment. This would explain not wanting you to run FTP, web-hosting, or napster, etc.
This is also taken from the ToS - in the next paragraph, if you had cared to continue reading. Do you honestly think that they are going to prohibit one proxy program and allow Winproxy/NAT/etc.? That means they are all prohibited.
And when they say
it means that you are responsible for taking care of the network implied by buying extra IPs from them. You are allowed to hook 3 PCs up to one cablemodem, but only if you have purchased 2 additional IPs.
Sarge
I regularly download files at an average indicated speed of 35k
OK, this is gonna sound like I'm being a smartass, but I'm really not.
If I start to see speeds like that from servers that I know to be fast, I call @Home and report a network problem. I routinely see "indicated" speeds of 150K. Just this morning, I had one download reach 230K.
And this is for 2/3 the price that I was paying for DSL.
Of course, the YMMV and other standard disclaimers still apply.
Just share it anyway.. they aren't going to cancel a paying customer for doing it... All they can really do (or want to do) is cancel your account if you become a hell customer. Then they come back and say, "Hey, you're using a VPN. See ya," instead of supporting you.
-Effendi
Under several US laws and by precedent (that Genie case), being a common carrier gives them protection from lawsuit over content on their network. If you start to moderate content you become liable for it.
;)
Solution? Sue em cause of what one of their users did and see how much they start to not care about their users' activities
does using microsoft internet connection sharing qualify as a vpn...because i'm planning on switching on over to att@home because i just can't stand the shoddy adsl service ameritech provides in my area.
So long, and thanks for all the fish.
This is what happens when you get a virtual monopoly in a certain region. @Home service sucks, and now I can't have my own network without shelling out an extra $40 a month for 4 IPs. I still don't see how they can detect VPNs, though.
Lemurific!
VPNs are supposed to be encrypted. So just change the port numbers and they shouldn't be able to distinguish it from other encrypted transmissions. (Try the https port).. this provision sounds unenforceable.. so does it really matter?
Using your sig line to advertise for friends is lame.
If you can't (or don't feel like) building one yourself, go nuts and get one. Tim Higgins has some wonderful reviews and resources. I myself have a Linksys 4 port 10/100 router. The ONLY thing that sucks about it is that @home's DHCP server bites, so having the thing update itself sometimes takes a while. But it's worth it. (I'm using rogers@home in Toronto area)
Vintage computer games and RPG books available. Email me if you're interested.
Founder's Camp
News for non-Nerds. Stuff that matters.
I think that it's pretty tricky conducting your dealings with any utility in this fashion. You can talk to anyone from the company at any time and they will tell you a lot of interesting things - but they will never admit to any of them later. They will not send you an affirmation of the same in writing and will flatly deny informing you that your actions were allowable by company policy.
The rule for ISP online support (as far as I have seen to this point) seems to be 'play it by the book' if you haven't been involved with a particular client before. And if the client gets a different person for support the next time they phone, then they will get nailed by someone using the 'number one rule' by default.
Sarge
I've been an @home customer for over 3 years - in fact I live in Fremont CA which was one of TCI's test cities. We've seen probably every problem you can run into with cable modem service here first. We made nationwide news when the user-base revolted when they mis-configured the up-stream caps ( something about each neighborhood concentrator getting set to 128kbs upstream too! Note - we used to have 10Mbs upstream!!!!!)
We also made news when then TCI sent out what was then considered new draconian TOS ( which sounds about what you folks are now just getting...)
The practical point - They are concerned about their network performance, and in the early days people were running major business sites from their homes. The initial TOS allowed this! They cracked down on these "net hogs" and applied the up-stream cap to everyone else. At this point, they seem to only go after people that are actually causing problems on net segments. I've had http, and sshd up for quite awhile with no gripes from them. So if you don't abuse the service you won't hear from them.
Have you compiled your kernel today??
Two things to do that will apply the hurt to a cable company that tries this.
1) It's anti-telecommuting, so write a nice letter to your county gov't official that is most sensitive to growth and road paving issues. Might be your district official, might be a transportation committee chair. Let them know that your cable company (granted it's monopoly by the county) opposes telecommuting by its AUP.
2) It's abuse of monopoly, so write another nice letter to your county official that periodically reviews the cable company's franchise. Every few years, 3-7 or so, depending on where you live, the franchise has to be renewed. Most counties have staff to forward complaints from county residents to the cable company, and track the cable company's performance on fixing them. Use this channel, it's powerful!
I have checked the @home AUP (http://www.home.com/support/aup/) and it says nothing about VPN's... this looks to be more like comcasts doing than @home's....
I did that with my Mediaone service. It's a bad idea, and it makes the cable guys very mad. It'll also start working funky when cable assigns the IP you've set statically is assigned to someone else when your computer is shut off. They switch IPs around every once in a while, and you will get caught, especially when people start getting messages like: Could not activate ethernet interface because the device at 65:4C:12:FF:4E:A1 is using the IP address . Since your cable modem is installed locked to one MAC address, cable will be able to figure out fairly quickly who you are.
-Splat
Ah, so I'm fine reading mail on my workplace from home using SSL, but only if I don't use a VPN?
These guys are nuts. If they want to protect themselves from lawsuits, let them say so. If they want to get rid of all the users that know the hot end of a power plug from the cold one, let them say so.
They are asking you to change your subscription to their alternative offering, which comes with no guarantees whatsoever on top of the guaranteed amount of money you're out of just by subscribing to the "non-business" service. Basically, they're missing out on what constitutes the Internet I used to know and love.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
This is kind of funny because just about two weeks ago I saw a LinkSys advertised on my AT&T Home page.... Hmmmmm.
The section is quite clear to me and is part of the reason I was quite pleased with the changes.
;-).
They have relaxed the rules outlawing free use of the service tremendously.
Basically you can do what you please as long as it doesn't disrupt the service of another member or is related to a commercial enterprise. Of course illegal use i.e. batch scanning subnets etc. is disallowed as well.
The old policy was no servers at all.
Unfortunately in NY/NJ area there is a whole class of people determined to get the last penny out of anything they can manage with the assistance of their attorneys. These people will do things like VPN commercial mail services over a residential subscriber line rather than pay like every other company. It is this mentality in general that necessitates these absurd semantics for simple issues. It's killing the country...but that's another topic/forum entirely
Incidentally on this subnet of @home they've capped each connection to a pretty low 10k/s upstream.....max total seems to be about 80-100k upstream. Not sure if that is intended or just another misconfiguration on their end. Downstream typical ftp's are 200kB/s during off-peak to short routes.
Most VPN software packages aren't running over TCP/IP. From what I've seen, everything from Cisco-Cisco router tunnelling all the way to MS VPN software uses IP Protocol 47. (GRE/IP) In the case of MS's they also use a TCP/IP port (17xx something) to provide authentication.
Disallowing most VPNs would be as simple as blocking IP protocol 47 at their gateway router. Trivial. "gre deny any any" in Cisco's IOS parlance.
[....]
IPsec is also used, but I'm not as familiar with the details of that.
GRE is mostly a router-to-router tunneling protocol in my experience - IPSec and PPTP are much more common for VPN software and "appliances" - and also now implemented on most Cisco routers, for example.
In any of these cases, @Home could scan for the port numbers or protocol numbers/headers associated with the particular protocol, if they wanted to block this type of traffic. However, as another post points out, they haven't done much to date to pursue folks violating other Terms of Service - no HTTP servers, no Quake servers, etc. Mostly they care about exceptional use of bandwidth - which will bring them down on you regardless of the application.
I would be surprised if this were a response to Carnivore and the FBI - @Home's responsibility should end with helping to monitor email sent through their servers. Carnivore doesn't monitor telnet sessions (or Slashdot postings), and if the FBI wants to see the email you send from a work account (or another ISP) then they should deal with whomever owns that mail server, not your IP access provider.
Could this be a Free Speech issue, or Right to Privacy? @Home should not be able to enforce a contract that limits my freedom of expression, and they have no right to interfere with my (legal) communications to another party (e.g. my employer and the mail server there). Or, to take it further, maybe @Home should control what I can read, as well as say, and limit access to Yahoo in favor of Excite !?!?
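The two posts above describe how a provider could recognise tunnel traffic from fixed protocol numbers and ports: IP protocol 47 (GRE, which PPTP uses for its data channel), IPsec's ESP (protocol 50) and AH (protocol 51), IKE on UDP 500 and 4500, and PPTP's control connection, which is TCP port 1723 (the "17xx something" the earlier post recalls). The classifier below is an added example written for this page and is not code from @Home, Comcast or any poster. It parses raw IPv4 headers, which it constructs itself for the demonstration, reads the protocol field, and for TCP and UDP looks at the ports, returning a label for anything that matches a tunnel signature and None otherwise. It also shows the limit several posters raise: an SSH or TLS session on its usual port carries no such marker, so a port-and-protocol filter cannot tell a VPN from ordinary encrypted traffic.

```python
import socket
import struct

# IANA-assigned values that tunnel/VPN traffic is identified by
PROTO_NAMES = {47: "GRE", 50: "IPsec ESP", 51: "IPsec AH"}
UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP"}
TCP_PORTS = {1723: "PPTP control"}
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(proto, payload=b"", src="10.0.0.5", dst="192.0.2.1"):
    """Constructed minimal IPv4 packet (20-byte header, no options, zero checksum)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def classify(pkt):
    """Return a tunnel label for the packet, or None if it carries no known signature."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = pkt[9]                     # IPv4 protocol field
    if proto in PROTO_NAMES:
        return PROTO_NAMES[proto]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        table = TCP_PORTS if proto == IPPROTO_TCP else UDP_PORTS
        for port in (dport, sport):    # either side may be the well-known port
            if port in table:
                return table[port]
    return None


def summarize(packets):
    """Count packets per label; unlabelled traffic is grouped under 'other'."""
    counts = {}
    for pkt in packets:
        label = classify(pkt) or "other"
        counts[label] = counts.get(label, 0) + 1
    return counts


def udp_segment(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_segment(sport, dport):
    # 20-byte TCP header with only the SYN flag set
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


# Constructed sample traffic
SAMPLE = [
    build_ipv4(47),                                         # PPTP/GRE data
    build_ipv4(50),                                         # IPsec ESP
    build_ipv4(IPPROTO_UDP, udp_segment(51000, 500)),       # IKE negotiation
    build_ipv4(IPPROTO_UDP, udp_segment(4500, 51001)),      # NAT-T, reply direction
    build_ipv4(IPPROTO_TCP, tcp_segment(51002, 1723)),      # PPTP control
    build_ipv4(IPPROTO_TCP, tcp_segment(51003, 22)),        # SSH: no tunnel marker
    build_ipv4(IPPROTO_TCP, tcp_segment(51004, 443)),       # HTTPS: no tunnel marker
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt[9], classify(pkt))
    print(summarize(SAMPLE))
```

Blocking the labelled classes at a gateway is the "trivial" filter the earlier post describes; the SSH and HTTPS packets fall into "other" and are indistinguishable here from a browser session, which is why a policy written in terms of protocol numbers catches some VPN products and none of the ones carried over TLS or SSH.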
I just got off the phone with Comcast in my area. They told me that they updated the user agreement because of people using the service as a home business and these people relying a little too much for the basic home service. I asked if I were still allowed to connect to my employer over VPN for email and file transfers. They said "no problem". The way I see it, they don't mind the casual stuff, but if you start to depend on the service being there for primary income, then they have a problem with the use. "Comcast@Work is a little more robust than that of the standard @Home service." I think we all can agree with that knowing how slow @Home can be from time to time.
As far as NAT and personal networks...I have no comment (hehe Are you kidding?!? They're wonderful! I use them all the time!)
dynoman7
You can pick your friends.
You can pick your nose.
But never ever pick your friend's nose in an election year.
Blarf.
Sure you can. But who else (except a few Linux users) cares?
@Home customers who use any of the dozens of other operating systems capable of performing this feat.
Or did you think SSH and PPP were Linux things?
--
actually... this is a clause in rogers@home as well. However, all they are saying is that they will not support proxies and NAT. Not that they will refuse your money as customers.
I have a proxy. Its ok by them. They just won't answer support questions about it.
Well, I personally find DSL is a heck of a lot faster in practice. I suppose if I went online during the day, it might be a different story, but I do that from work, where we have a T1.
On the other hand, @Home is a heck of a lot cheaper. If you're just doing mail and surfing, it's probably way better considering the cost and availability - most people can get @Home, but only some can get DSL. Something like 90% for cable modem and 25% for DSL availability.
Will in Seattle
For IPSEC, all they need to do to shut off traffic is block off certain ports off their routers. The traffic gets dropped in the network. This really hurts telecommuters who have no choice now, (due to their company's security policy) but to drive back to work.
You can run a server on Bell's HSE. The only thing is they don't offer support for it.
43. If I have a domain name, is it possible to get the IP address associated with that name?
The Bell Sympatico High Speed Edition service does not allow for the hosting of domain names other than the sympatico.ca domain.
That was from their FAQ. I suspect their problem with users hosting their own domains is the following:
41. Can I have a static IP address with the Bell Sympatico High Speed Edition service?
The Bell Sympatico High Speed Edition service uses dynamic IP address allocation only. In the Internet environment where demand is growing at a fast pace, dynamic IP addressing allows for optimum usage of IP addresses.
Funny. dsl.ca lets me rent a static IP for an extra $5/mo.
Now, Bell's service agreement has softened up about servers, because when I did initially look into HSE as an alternative to @Home, they did specifically indicate that you were not allowed to use servers at all. Currently, this is the situation:
Without limiting the foregoing, you agree not to use the Service or any equipment provided in connection with the Service, for operation of an Internet Service Provider's business nor for any other non-residential purpose.
Their Agreement.
That's a lot better than it was when I looked, but one could argue that webserving at home is a non-residential use. (The same way that I like working on cars, but actually working on them at your residence is actually technically illegal in Toronto's zoning laws.) dsl.ca specifically covers "home office" options, perhaps allowing the use of their high speed connection for tasks associated with their small business or self-employment, without having to pay for expensive business-grade DSL.
Again, dsl.ca isn't perfect. But they're a lot more geek-friendly than the other two (three, if you count look.ca's unidirectional service) broadband options.
Fire and Meat. Yummy.
Read your new license agreement. It states in there that running http or ftp services on your computer can have an impact on your transfer rates while browsing or performing other operations. Also, it says something in there that basically says "If you run a chat server, we won't support it, either." This is the part that mentions what services are available...
"It compiles, SHIP IT!" -Overheard at Microsoft's development lab
"Usually I've found that the few times I've been unable to use an SMTP host outside of my ISP, it's been because that host is doing the smart thing and not allowing relaying." Relaying isn't always what ppl are trying to do when connecting to other SMTP servers. They may be running SMTP themselves, and trying to deliver their mail direct to the recipients (using the MX records in DNS). This is of course what your ISP's SMTP server does. However, due to the ease of spamming via this method, either the receiving SMTP blacklists incoming connections from IP addys in known DHCP/RADIUS pools, and/or your ISP forces you to use their SMTP server by blocking your use of port 25 out of their network.
Spock! Do the thing!
If you want the pipe, and to be left alone, call up your local fibre supplier and pay the $500/mo for it. They won't care what you do with it. Ditto for ISDN or several other 'mainstream' subscriber systems. Sure, cable is excessively fast, but the only reason you're getting it at the price point its at is because they limit your use of it (especially upstream).
Note: I E-mailed @Home at one point and pointed out that I ran Linux and had SSHD2 running on my machine to transfer files from home to work and to access my home Email while at work. They told me that was fine, and put a flag on my account.
If you have a problem with a company's policies, ask them about it politely, don't make a big case out of it.
- Michael T. Babcock (Yes, I blog)
Apparently most outgoing activity through a NAT server is done above port 60000. That's how they can detect it.
Sarge
As of 8:30 this morning, my VPN to my office is being blocked!! My dial up ISP works fine on the same machine, but my @home connection bonks. "CAnnot pass security packets - possible firewall configuration issue".
This REALLY bites.
VPN is a cryptographic means to protect privacy. I find it offensive that Comcast is telling me that I can't use their system unless I stop using certain privacy tools. There is something wrong about an ISP, given their superior bargaining position, telling consumers what tools they can or can't use to protect their privacy. As far as I know, this is the first time an ISP has restricted a subscriber's ability to protect their privacy. This is a BIG step in the wrong direction.
According to section 6 of the Comcast Online Subscriber Agreement,
I would be inclined to consider your home LAN would be a non-Comcast LAN.
I just got off the phone with a Comcast rep that said any VPN connection for work purposes is forbidden. When I enquired about peer to peer VPN connections, he said that would not be allowed either. They want to charge me 2-3 times more for something which by definition is a part of "full internet access".
Hello World! I have a telephone service provider because I have a need to be connected, connected to the rest of the world, connected to work. For the same reason, I have an internet connection. Let them sell us the @WORK package based on service level agreements and such. Let them not dictate which internet standard protocols I can use on an internet connection.
where are you located and who is the DSL provider?
Good point, but using AOL a.k.a. "the internet for Dummies" over a broadband connection seems like an oxymoron.
I can't see how they would know you're doing masquerading.
I plan on using a VPN, however, to provide a small number of real, routable addresses to my home machines while using the single random DHCP address I get from the cable modem providers.
-M
---- ----
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
The extra ip's are 6.95/month each.. I have 3 total.. what I'm wondering is if my cable line now has a max bandwidth limit of 1.5 gigs per day upstream instead of just 500 megs a day. Anyone know about this?
--
|-_-| . o O ( bEef!)
I have to say that I was totally confused for a moment as to why disallowing VPNs would affect your ability to setup more than one computer on the Net. If anyone is interested, Wingate is pretty good proxy software for MS Windows, and Tucows has a number of others. *nix of course has internal support for this kind of stuff.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Although the /. headline reads "@Home Stops Allowing VPNs", this is misleading.
While Comcast's new AUP explicitly forbids VPNs, there's nothing in the @Home AUP that does so. See
home.com/support/aup/
ATT@Home tried to implement a new AUP with a similar VPN restriction in the Bay Area over a year ago, but the massive outcry quickly resulted in @Home withdrawing the new AUP, replacing it with the old one, which didn't have the VPN restriction.
When I got my Cable Modem, on @Home in San Diego in 1998, there was NO substitute. They absolutely rocked the house. Then, as they expanded too quickly, didn't think about how they were growing their network, didn't secure open mail relays, harassed customers (even threatening to send one to jail - search the archives, it was covered here) and just plain started to suck. The upload rate cap was the beginning of the end - this is another telling sign. I used to ask people "Who would even WANT DSL when cable is available?" and now I know. People like me.
Fawking Trolls!
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or unbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or
Must have been a real slimy lawyer who wrote this one up! LOL!
The also disallow home LANs elsewhere in the paragraph.
-Tupper
I suspect that @Home will now start monitoring connections for encryption (think SSL and TLS), then look at traffic patterns to determine whether it's a secure Web browser or "something else". That means that you might be shut off for using SSL-encapsulated FTP or SSL-encapsulated SMTP (for secure mail transfer). Indeed, I can see where people regularly using PGP encryption on mail content may get a little note from the company.
Hmmm...there is very little difference between a VPN and SSL encrypted services. Could it be that we are seeing something caused by the FBI demands to snoop on mail? A VPN is one way to block Carnivore and ISP monitoring from capturing e-mail traffic. Another way is to use STARTTLS-enabled mail clients to talk directly to STARTTLS-enabled mail transfer agents.
Perhaps it isn't just a bid for money...but then again, I admit I'm paranoid.
without limiting the generality of the foregoing, the service is for personal and non-commercial use only and [the] customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol;
That said, it's probably wise to just ignore the policy. I would suspect fully 100% of @home subscribers are breaking at least two of the rules mentioned there; if they're not, they're wasting their money. It seems that @home (at least in my part of the world) only gets annoyed when you start using up obscene amounts of bandwidth (e.g. around 1GB/day regularly/constantly).
-----
Klactovedestene!
It would seem that way to me, as it could be defined that VPN's make you an end-point of a non-comcast LAN or WAN. If that's the case, then Comcast is really behind the times on their service provisioning. I would avoid using services with contracts like this if at all possible (and affordable).
Most residential broadband ISPs do not allow VPN communication. I know mine doesn't. VPN is used primarily to bridge existing networks. In other words, you would be using a residential service to bridge a (probably) commercial WAN. If you need commercial service, pay for it.
The masquerading/NAT prohibiting clauses are mostly intended to ensure that the service provider can't be liable for running your network. If you do something in trying to set up an IPMasq/NAT LAN behind the cable modem, and find out that you can't get it to work, they don't want to be in the position to have to support your setup. To do so would be unreasonable. This way, when you set up masq/NAT and can't get it to work, crying to @Home will only get you a big "See? It's prohibited by the TOS."
I'm sure there is also a motivation to try and get people to pay for extra IPs, but I suspect that support issues are the main motivation.
If they aren't selling bandwidth, what the heck are they selling???
Got a URL or a phone number or something for RCN?
The whole idea of having a VPN is to have a secure way to have machines on a WAN network without worrying about being tapped. VPN and security go hand in hand. Why would comcast not want people to have VPN?
Let's say I set up a VPN. What I would do is set up an ssh link from my firewall to my friend's firewall or a machine I control. I would then forward everything through one port over a ppp link. What is inside of the tunnel, no one but me and the other person knows about. Comcast doesn't know if I'm transferring porn, email, mp3s, or text files on how to make bombs. And guess who else doesn't know? The FBI.
MarNuke
He probably is ...
But apart from this, how does Comcast think to actually enforce this? I mean, come on, everybody with some knowledge of ipchains, squid, and maybe a generic ip proxy will be able to masquerade that he/she is masquerading his/her traffic. Out of the box masquerading is easily detectable (who seriously uses ports upwards of 60000?), but with some precaution you can make it seem to be one computer, running MSIE if you want.
Oh, and how the heck would they tell a VPN protocol from http, provided one uses a sufficiently encrypted connection (ssh will do, so will any ssl-based app). Everybody who runs VPNs without encryption should be shot on the spot anyway. Or take out the P from VPN.
Can you believe the "Deutsche Telekom" (the phone company in Germany holding the monopoly to local lines and thus flatrates) actually prohibits this exact same behavior on even analog connections? As if that would make any difference at all (they don't sell you IPs, they're dynamic anyway), but what do you expect from monopolies.
Ok, so they already ban IP-masqueraded networks. Is this really enforceable? I mean, how is @home ever going to know if one of their customers is using NAT? It was my understanding that the only way they could find out would be if you were to invite an @home employee over to your place and show them your cool 5-machine home network.
At least you HAVE some sort of high speed access. Where I live, I can't get @home. I can't get any sort of cable-modem access. I can't get any sort of DSL. For christ's sake, I can't even get goddamned Sprint Local Services to get me an ISDN!!! So I know that it must suck for ya'll to have to quietly break your AUP, but just remember what it was like with 56k and remember that there are LOTS of people who can't get anything better.
Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer.
The TOS seem to say that they prohibit traffic through PPTP and IPSec, and both of those types of traffic are easy enough to detect. I just don't understand why they would do that... I suppose that they don't want people copying huge chunks of stuff through smb or anything.... but even still it is a weird provision
VPN is a system by which a remote computer can log into a LAN as though it were in the same subnet. The main methods of doing this are PPTP (windows VPN) and IPSec (other VPNs).
A private network is completely different from a VPN. Whereas a VPN allows one computer to be connected to another network, a private network is just a network that uses the private IP networks. These are 10.0.0.0/8 for large installations and 192.168.0.0/16 for smaller ones. You can set up a private network any way you like, and by its very nature, it is undetectable. Now, if you want to connect your private network to the internet or some other network, you just have to put in a new interface and set up that machine as a gateway using ipchains or whatever. Private networks are completely undetectable to someone who is not actually logged in to your gateway machine. You only need one IP....
I've been running a private network from behind one PacBell DSL IP since last July.... it works just fine
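An added illustration of what the post above describes (not code from any poster in this thread): several RFC 1918 hosts hidden behind a single cable-modem address by a masquerading gateway. It also shows why the "ports upwards of 60000" mentioned earlier in the thread are the tell-tale of stock Linux masquerading, and why an unsolicited probe from outside, such as the NNTP scan another poster logs from 24.0.94.130, never reaches an inside host. The public address 24.1.2.3, the remote 198.51.100.7 and the port range 61000-65095 are assumptions made for the example.

```python
"""Masquerading (NAT) walk-through.

Added example, not code from any poster in this thread. It models a home
gateway hiding several RFC 1918 hosts behind one cable-modem address, using
a port range assumed to match classic Linux ipchains masquerading (61000+).
"""
import ipaddress
from typing import Dict, Optional, Set, Tuple

# RFC 1918 private ranges. The post names 10/8 and 192.168/16; 172.16/12 is the third.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = Tuple[str, int, str, int]  # (inner_ip, inner_port, remote_ip, remote_port)


def is_private(addr: str) -> bool:
    """True if addr is in an RFC 1918 block (routable only inside the home LAN)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Masquerader:
    """Rewrites outbound packets to (public_ip, masq_port) and maps replies back."""

    def __init__(self, public_ip: str, port_lo: int = 61000, port_hi: int = 65095) -> None:
        self.public_ip = public_ip
        self.port_lo, self.port_hi = port_lo, port_hi   # assumed masquerade range
        self._next_port = port_lo
        self._by_port: Dict[int, Flow] = {}   # masq port -> inner flow
        self._by_flow: Dict[Flow, int] = {}   # inner flow -> masq port

    def _alloc_port(self) -> int:
        if self._next_port > self.port_hi:
            raise RuntimeError("masquerade port range exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Return the 4-tuple the ISP sees for a packet leaving the LAN."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an inside address")
        flow = (src_ip, src_port, dst_ip, dst_port)
        port = self._by_flow.get(flow)
        if port is None:                     # first packet of a flow gets a new port
            port = self._alloc_port()
            self._by_flow[flow] = port
            self._by_port[port] = flow
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a packet arriving at public_ip:dst_port back to (inner_ip, inner_port).

        Returns None for anything that does not match an existing outbound flow,
        which is what happens to an unsolicited probe from the outside.
        """
        flow = self._by_port.get(dst_port)
        if flow is None:
            return None
        inner_ip, inner_port, remote_ip, remote_port = flow
        if (remote_ip, remote_port) != (src_ip, src_port):
            return None
        return (inner_ip, inner_port)

    def visible_sources(self) -> Set[str]:
        """Source addresses an outside observer can attribute traffic to: just one."""
        return {self.public_ip} if self._by_flow else set()


if __name__ == "__main__":
    gw = Masquerader("24.1.2.3")   # constructed public address
    print(gw.outbound("192.168.0.10", 1025, "198.51.100.7", 80))
    print(gw.outbound("192.168.0.11", 1025, "198.51.100.7", 80))
    print(gw.inbound("198.51.100.7", 80, 61000))
    print(gw.inbound("24.0.94.130", 44826, 119))   # unsolicited NNTP probe: no entry
```

Two inside hosts talking to the same web server show up on the cable side as one address with consecutive ports in the 61000 range; that is the only thing the provider sees, and the probe aimed at port 119 has no table entry and goes nowhere.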
AOHell was a fun little program. While it is the definition of script kiddie, it is what got me into computers
Looks like they'll be losing anybody who uses it to telecommute, if this actually goes into force. Wonderful example of tripping over a dollar bill to pick up the shiny nickel on the ground.
From personal experience of two cities in Canada, Oakville and Kingston, both in Ontario, it changes every once in a while. It's a big pain for me each time because I have set up a NAT server at a friend's house, and used to need to go through it to get to another server via ssh to get my mail while I am at work. So every time the IP changed, I would have to call up my friend's house to tell someone there to send me an e-mail and then call up the place with my mail to let the new IP connect via ssh. :( But I have gotten my workplace to allow outgoing port 22 connections now so my pain has been reduced :)
I am about to put in a cron to scp the output of the ipconfig or something to another place. But my friend's family has gone on vacation so I don't know the new IP
I think they purposefully don't want to guarantee a static IP just to deter web and ftp servers though.
-Andy
IANAL, but: As I understand it, a contract can only be modified if both parties agree. Check everything you signed - They most likely have a clause that allows them to do this. That, or they'll just cancel you if you don't agree.
Fawking Trolls!
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
I sent them a question asking for clarification about the VPN paragraph. This is their reply:
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
I use Cox@Home and they also have this provision.
From the Cox@Home User Agreement:
8. Prohibited Uses of the Service; Indemnity.
Customer shall not use the Equipment or the Service directly or indirectly to:
m. use a VPN (virtual private network) or VPN tunneling protocol;
Here's the link to it.
However; I looked at the @Home Acceptable Use Policy and they didn't have anything specific about VPNs.
I've liked my service so far, but if they try and enforce this, I'll have to switch to DSL (Man I HATE Southwestern Bell) because I have to be able to VPN into work. I really think they are shooting themselves in the foot with this, although it may end up being something they never enforce. I'm not going to start worrying about it until they do. And if/when they do enforce it, then that will be $40/mo less revenue for them from me.
First, as other people have stated VPN != NAT.
If @Home is disallowing any kind of VPN access through their network, then they are preventing people from using AOL over their network since the AOL client creates an IP tunnel (VPN), complete with separate IP addresses and DNS servers, into the AOL network.
This could present a good case for AOL to file a complaint with the courts and the Justice Department about monopolistic practices by @Home.
I forgot to bold face the part about "for any business enterprise including". So as far as VPN goes, you can use it for non-commercial purposes.
Jeez, "only broadband choice is @Home"? I'd be happy to GET @Home... the only internet access I can get is from Mid-Atlantic Communications, it's a 500 Kb/s one-way cable modem for $50 a month... still have to use a phone line for the uplink...
And they were having "technical difficulties" from Sunday until Friday last week... I think "technical difficulties" means one of the techies (if they even have any, which is doubtful) spilled beer on the server, and they were all too drunk to fix it. Comcast was supposed to start wiring our area in late 1999... they just bought our cable company, and they say they'll have all their lines run in a year or two.
Heh... reliable e-mail... they don't even give me e-mail... they have one DNS, which is usually down...
I can't get @Home, I can't get DSL, and I can't move out yet. In conclusion - you think your ISP is bad? Move out here for a week, and quit your whining.
"Let me open these blinds so the snipers can see in." - Kevin Giffhorn
If you notice the sentence regarding reselling ends on the second line. It continues on saying it is for non-commercial use blah, blah, blah, and that you can't run servers, etc, or use the service as a VPN.
I took it to mean reselling and VPNs were two different restrictions, not one restriction on reselling VPNs
For more information about just about every kind of router available (including linux routers), check out the access routers report at macintouch.com
I think they have a bandwidth problem, and don't want people using it for business. Here is a clarification I received from them:
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
Freesco.org is a rocking router too. I like the nice setup features and flexibility. Just my opinion.
Whateva floats your boat...
My bolognie has a first name, its L_I_N_U_X.
Sig it.
I got a certified letter from RoadRunner (broadband on TimeWarner's cable network) complaining that I had port 25 open, but they didn't ask me to take down my mail server, just to make it more secure. They just wanted to let me know I had failed a mail relay test and my box might possibly be abused. I guess some cable companies are just better.
My ISP also seems to 'prohibit' NAT on the network. HOWEVER they don't have a problem with my installing a FIREWALL between the DSL modem and my computer. (Other than to point out that my dsl modem can act as a firewall and router...it has 3 10baseT ports). My FIREWALL is an old P100 running Coyote linux. It IS doing NAT between my DSL and my local network. The firewall is a filter firewall, not a proxy type. Due to the way it is set up I don't think anyone COULD tell that NAT is going on, besides I am NOT generating enough traffic for anyone to tell if there are one, two, or even three computers on the lan. I think their real concern is that they don't want me running a server, or re-selling my bandwidth. They would LOVE to sell me more IPs, but won't press the issue.
I don't know, but I run a Linux Router courtesy of the Linux Router Project, and I have noticed that prior to a couple days ago I could use Gnutella fine. Then it stopped working.
This isn't sig. it's banner for advertising.
...it probably should be passed in front of a tech-savvy legal expert.
There are two possible interpretations of Section 6(b)(vii):
Comcast needs to clarify this quickly. If they are banning VPNs of any kind, well, that kills their telecommuter business immediately, which I can't see them doing (telecommuters are good for the service - they use the network at an otherwise low-use period and are not any more of a strain on the network than an ordinary user). I suspect that the intent was to prevent businesses from using @home as a channel to set up remote office VPNs and/or to prevent people from setting up clandestine Internet servers (i.e. ones that don't serve out from the @home IP, but do on another IP, and are undetectable by @home).
I'd call Comcast and make this point. I suspect that they aren't going after the telecommuter, but instead have a badly-worded AUP addition, and should change that.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
If they see excessive usage on a specific IP address, they may then monitor, and if they determine you are violating their agreement, they could then cancel it.
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement. The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
And how, I wonder, are they going to be able to tell the difference? Sure, they'll probably look for the default port numbers, but that's not going to stop anybody for more than a couple of seconds, will it?
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I'd say go with whoever gives you better service. If you're on a system that says you can't run servers, either switch or block the service scanner with an ipchains rule. Personally the one I'd go with is the one you never have to call :) My system has an uptime of forever simply because a) I never reboot and b) my provider doesn't blow up my connection ever, so I don't have to worry about my connection going down.
*Shameless Plug*
For quick and easy VPN/ipmasq setup maybe check out my company's product called Gateway Guardian. Similar to the LRP in that it's a single disk system, but that's about it. All the set up is done in a java application and there is no linux knowledge needed for setting up the firewall or VPN. Oh, and the personal edition is free.
*end shameless plug*
They'll pay twice as much for @Work.
--
Uhhh. That is retarded. I have a DSL and my friend has @Home. We have set up a VPN using SSH and PPP. If @Home looked at his traffic, all they would see is a SSH connection. So what? They could never prove what he was doing with that connection. Lamers....
If they see encrypted data, they might get paranoid and assume you are transferring illegal or dangerous shit, therefore shutting off the line.
Given the amount of stupid ISP's out there, I wouldn't put it past any of them.
DrQu+xum: Proof that the lameness filter doesn't work.
Mikpos's reading is correct. However, there does appear to be some wiggle room in the language: [The] customer agrees not to use the service . . . in conjunction with a vpn (virtual private network) or a vpn tunneling protocol[.] The problem is the language "in conjunction with." I suspect that what's going on here is that Comcast@home is trying to avoid people using VPN to avoid the general prohibition on servers. For example, I could set up several VPN tunnels from my cable account and allow people to grab mp3 or whatever off my harddrive, as opposed to setting up an ftp server. However, that doesn't help people who are trying to use their Comcast@home accounts to connect to other VPNs --say, the office network for example. Arguably, the "in conjunction with" language forbids them as well. I doubt that this was the intention of the Comcast@home attorneys--this is a great example of what we used to call "bad contract drafting" when I was in law school. J
I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners. - Berke Breathed
In my service area, the dynamic IPs are solely for the purpose to make life easier for the @Home network admins to reconfigure their subnets. They keep mapping tables to translate the horrendous host name they give you into the IP address for it. This means that you get the same IP address every time you reconnect, with few exceptions when a major reconfiguration may have taken place in your region, and they have updated their mapping tables. In my case, since I had some problems with their DHCP, they just gave me a static IP address, and I've had it for a year now.
I think that capitalists do ultimately want as much money as they can get, but the process of getting there sometimes doesn't look like it. A company may sacrifice current income in return for increasing market share. This is done in order to later maximize income by being the dominant player in that market. When taken to an extreme, you get what's called 'predatory pricing' - selling below market rates in order to drive your competitors out of business. When they're gone, you can then squeeze the customers as much as you please. Acting like this is when the government starts getting attentive and you run the danger of getting slapped down by some regulatory agency.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
Most VPN software packages aren't running over TCP/IP. From what I've seen, everything from Cisco-Cisco router tunnelling all the way to MS VPN software uses IP Protocol 47. (GRE/IP) In the case of MS's they also use a TCP/IP port (17xx something) to provide authentication.
Disallowing most VPNs would be as simple as blocking IP protocol 47 at their gateway router. Trivial. "gre deny any any" in Cisco's IOS parlance.
As a reminder (and not really related to the post I'm replying to), VPN != Masquerading, although many sites could "detect" masqueraded traffic simply by watching for a higher-than-normal use of ports over 60,000. Most network providers - even companies and schools - have network monitoring hardware. I've learned how to configure Netscout probes and software to show me information very similar to this.
IPsec is also used, but I'm not as familiar with the details of that.
-Jeff
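An added example (not code from this thread, from Cisco, or from any vendor) of the header-level check the post above describes: parsing a raw IPv4 header and labelling the protocols a provider could filter on, GRE (IP protocol 47), IPsec ESP/AH (50/51), the PPTP control channel on TCP 1723, and IKE on UDP 500. The sample packets are constructed inline from documentation-range addresses; the label names are my own.

```python
"""Classifying VPN-related traffic from the IP header.

Added example, not code from this thread or any vendor. It parses a raw IPv4
header and labels the protocols the post names (GRE, IPsec) plus the PPTP
control port; the packets it runs on are constructed inline.
"""
import struct
from collections import Counter
from typing import Dict, List, Optional

GRE, ESP, AH, TCP, UDP = 47, 50, 51, 6, 17
PPTP_CONTROL_PORT = 1723   # TCP port PPTP uses for its control channel
IKE_PORT = 500             # UDP port for IPsec key exchange (IKE)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Assemble a minimal IPv4 packet (20-byte header, checksum left zero) for testing."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


def l4_header(sport: int, dport: int) -> bytes:
    """First four bytes of a TCP or UDP header: source and destination port."""
    return struct.pack("!HH", sport, dport)


def classify(packet: bytes) -> Dict[str, Optional[object]]:
    """Return protocol, addresses, ports (if TCP/UDP) and a label for one packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport = dport = None
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])

    if proto == GRE:
        label = "gre-tunnel"              # PPTP data channel, router-to-router GRE
    elif proto == ESP:
        label = "ipsec-esp"
    elif proto == AH:
        label = "ipsec-ah"
    elif proto == TCP and PPTP_CONTROL_PORT in (sport, dport):
        label = "pptp-control"
    elif proto == UDP and IKE_PORT in (sport, dport):
        label = "ike"
    else:
        label = "other"                   # plain TCP/UDP, including SSH and SSL
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "label": label}


def summarize(packets: List[bytes]) -> Dict[str, int]:
    """Count packets per label, the view a provider-side probe would report."""
    return dict(Counter(classify(p)["label"] for p in packets))


# Constructed sample traffic from one cable-modem address (documentation ranges).
SAMPLE = [
    build_ipv4(TCP, "192.0.2.10", "198.51.100.7", l4_header(1025, 80)),
    build_ipv4(TCP, "192.0.2.10", "203.0.113.5", l4_header(1026, PPTP_CONTROL_PORT)),
    build_ipv4(GRE, "192.0.2.10", "203.0.113.5"),
    build_ipv4(UDP, "192.0.2.10", "203.0.113.9", l4_header(500, 500)),
    build_ipv4(ESP, "192.0.2.10", "203.0.113.9"),
    build_ipv4(TCP, "192.0.2.10", "198.51.100.7", l4_header(1027, 22)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p))
    print(summarize(SAMPLE))
```

The SSH packet in the sample lands in "other" alongside the web request: an SSH-over-PPP tunnel of the kind described elsewhere in the thread is indistinguishable at this layer from an interactive shell session, which is the limit of header-based enforcement. On Cisco IOS the extended ACL entry that drops GRE is `access-list 101 deny gre any any`.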
...you would see that it disallows any of these services for use as a business. This means you can't:
Any of these services, for your own use to show to the public, as far as I read it, are completely valid uses. Just rip down your banner ads et al and you're fine.
This space for rent. Call 1-800-STEAK4U
Either that or they want to be able to charge 'business rates' just like the phone company does ....
Personally I think it should be none of their business what's in your packets - after all it's YOU who are paying THEM to move the packets for YOU...
Yes, you are. Here is a clarification I received from them about this:
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
True true. I'm a prime example with my DSL.
=1000101
VPNs have nothing to do with NAT or multiple users sharing a connection. VPN provides a secure end-to-end connection over the internet. The only reason they would prohibit this is so they can monitor what you're doing!
--- Speaking only for myself,
This is a terrible precedent because long term it prevents the use of ubiquitous point-point Transport Mode IPSec, which is the whole point behind the IPSec standard. Sure, it's neat to make tunnels to work, but in the long term the IPSec community wants to create a mechanism to secure ALL IP traffic. This blows that goal right out of the water.
Also, are they going to start limiting SSH service to my employer? Can I telnet to my employer? Where do they draw the line between "personal use" and "business use"? If my cable modem provider pulls these tricks they'll lose a customer.
Am I interpreting this correctly?
If so, this does not sound like it relates to selling additional IPs, but more to just making a useful broadband connection much less useful to working professionals. :(
I would have to interpret it this way as well, BUT, you are missing a key point of this. That point is that the @Home Network also includes the @Work Network, which is the companion business-oriented cable modem system (actually, it's the same network, but they charge a lot more for the pipe).
If I had to take a stab at what's really going on here, I would say that someone at @Home realized that a lot of people were getting cable modem service, then using VPNs to link back in to work. What @Home wants is to push all of those people over to the @Work side of the shop, letting them charge more for what is essentially the same service. So far, they've done it more-or-less voluntarily. By changing the underlying TOS, they can now force the issue, pushing _anyone_ who VPNs across to @Work.
Look at the commas. ;^) The OR's in the second statement still belong with the clause that says, "customer agrees not to use the service for operation ... "
resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or unbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, OR as an end-point on a non-comcast local area network or wide area network, OR in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or
So basically you can't use the service for operation as an ISP, FTP Server etc.... and you can't use it for a business enterprise. And you can't use it as an end-point for a WAN. AND you can't use it in conjunction with a VPN.
Must have been a real slimy lawyer who wrote this one up! LOL!
Well... I'd still rather get my legal advice from a real slimy lawyer than from a slashdot poster.
From a little birdy, @Home and the University of Kentucky are in talks about installing a link between @Home and UK for university students who live off campus.
Many students complained during the past semester about the lack of quality when they were trying to use the university machines from home.
-If at first you don't succeed, call it version 1.0.
At least you can get broadband service!!! Don't complain!!!!
Have a Happy.
Can any Comcast customers tell me if they perform regular portscans for servers? If so what address do the scans come from?
I'm getting hooked up this week (after waiting 2 months in vain for Bell Atlantic to hook up my DSL) and fully intend to run ftp, http and email servers for personal use.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
At work so I am officially anonymous... I switched FROM DSL for just this reason. PacHell was inflexible. I wanted 1 extra IP and was told 'the next plan up' was best for me. It was twice the price of my current service, no faster, and gave me 5 IP addresses. I told them I only needed 1 more IP address and was told I could not do that. I cancelled the following week and went with Cox. No way am I going to pay 90 bucks a month for a plan I don't need. So while DSL worked for you, mileage may vary. Cox has not been perfect and lag spikes occur for a few seconds every couple of hours, but I only pay 5 bucks a month extra for that second IP address. In my opinion, there's little difference and I pay less. I'd say it's a wash in terms of performance (one thing's for sure, the cable modem is more stable). I'm not a network stud, but my best friend is. I consulted him on a variety of issues regarding cable/DSL service in the So Cal/Irvine area. DSL right now appears to blow cable out of the water (actually my cable download speeds are about three times faster, but the lag spikes occur more frequently--not quite as often as PacHell would like you to believe). However, DSL will eventually hit the same lag spike problems that cable has. It's inevitable as DSL gains (which it is in So Cal) more users. All those connections converge somewhere. Even network segmentation (for DSL or Cable) requires those segmented networks to converge at various POPs around So Cal. Regulating upload speeds is the norm in So Cal, and it helps quite a bit. The VPN issue...Cox has not allowed VPNs for some time. Mostly this is because of the way broadband has to route traffic around residential areas. In a nutshell, it's pretty hokey and fragile. VPN packets are not TCP/UDP--how that affects the routing capabilities is beyond me, but apparently it can. I think that it's a maintenance issue as much as anything for the cable crew. /me shrugs.
Then again, if i wanted to work at home I prolly would just use another option. They are the Man, and you are using the Man's network.
My "dynamic" IP did not change until I moved. (This was about a year after installation.) I have never had a problem with the IP address lease expiring.
Get your facts straight. VPN is NOT IP Masquerading. VPN is a Virtual Private Network, used to connect securely with another computer network over the public internet; ie: connecting to your office network.
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
This could be another way to combat bandwidth. I'd guess that someone decided porn sites were using vpn's as a way to store porn on @home connections and serve them elsewhere.
:P
This is probably all tied into the porn scandal in the white house.
Not everyone runs Linux, you know. Those are implementation quirks, nothing more.
--
Ben "You have your mind on computers, it seems."
And, @Home sucks. Is ADSL any better?
In my experience, no.
I'm currently using AT&T@Home (Des Moines, IA) for one reason, and one reason only: ADSL from US West blows. I was paying for a 256Kbps link, and was seeing roughly 30Kbps throughput. I won't even talk about the latency.
With AT&T@Home, I'm getting between 1.5 & 2Mbps and very low latency (compared to all other previous ISP's I've used). So, in general, I'm happy with them.
The only complaint I have is that their DNS servers are about as unreliable as can be. Really, how often should you not be able to resolve URLs like yahoo.com, netscape.com, slashdot.org, etc... This was happening to me at least once a week. I've now eliminated the problem by setting up my own caching DNS server which doesn't rely on @Home's servers for anything.
(Oh, one other complaint. My upstream bandwidth appears to be capped at about 16Kbps.)
You are absolutely correct. Here is a clarification I received from them about this:
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
The INS didn't put that question on entry documents with the intention of catching Nazis trying to enter the country. They added it to make it easier to get rid of them should they be found out (read the fine print on the form... false information is a federal offence). The gvmt now has an easy case for granting extradition (if it was requested)... he committed a federal crime by lying on his entry form.
Chances are this is the same logic @Home are using. For instance, one party accuses another, @Home using party of doing something illegal, or against contract, whatever, or @Home feels that the user is violating their service agreement somehow and they were using encryption in the process. @Home now can cancel their account for simply using the encryption instead of having to go through the process of trying to determine if what the user was sending was indeed illegal, in violation of contract, whatever.
If you don't have anything nice to say, say it often.
- Ed the Sock
Hey! Haven't talked to you for awhile!
Anyway, my typical bandwidth was around 30 Kbps, not 30KBps (i.e. slower than dialup).
I think a big part of the issue is that the part of town you live in has an older infrastructure, which means heavier copper, fewer loading coils, etc... The ISP issue may also have something to do with it.
As far as AT&T@Home goes, I know they have problems in some parts of town. At the last house I lived in, I'd lose my connection every night at midnight for a duration of one hour. They never did figure out why.
I think what it boils down to is that consumer-grade high-speed access is still in the early stages, and all you can do is experiment with the available options until you find the one that works best for your location.
I just got @home service 2 weeks ago (I'm too far for DSL). Here's some info for anyone that currently deals with them or is considering it:
- Their DHCP and DNS suck bigtime, don't use it. DHCP is down enough that they will immediately tell you your "static" IP if you have problems. DNS was down on the day my service was installed and I can just imagine what would have happened if I tried to let the installation guy figure it out.
- You will get a probe on port 119 (NNTP) a couple times per day from 24.0.94.130 which has a DNS entry of authorized-scan.security.home.net. Sorry but nobody is authorized to scan my IP. ARIN says their netblock is 24.0.0.0-24.23.255.255. I have ipchains set to deny 24.0.0.0/16 and log everything else from the netblock, except for DNS and POP3. Here's a snippet from my ipchains script:
# @home admin scanner catcher
# Incriminating evidence: DENY eth1 PROTO=6 24.0.94.130:44826 $NETIP:119
# $ nslookup 24.0.94.130
# Name: authorized-scan.security.home.net
# Assumes $NETDEV (external interface), $NETIP (this host's @home address) and the
# user-defined "net-in" chain are set up earlier in the script.
# allow expected DNS and POP3
# deny and log all other 24.0.0.0/16 (@home admin) traffic
# log the remainder and filter through net-in chain
ipchains -N ahnet
ipchains -A ahnet -p udp -s 24.0.0.27 53 -j ACCEPT
ipchains -A ahnet -p udp -s 24.2.0.27 53 -j ACCEPT
ipchains -A ahnet -p tcp -s 24.0.95.81 110 -j ACCEPT
ipchains -A ahnet -p tcp -s 24.0.95.82 110 -j ACCEPT
ipchains -A ahnet -p tcp -s 24.0.95.83 110 -j ACCEPT
ipchains -A ahnet -p tcp -s 24.0.95.84 110 -j ACCEPT
ipchains -A ahnet -s 24.0.0.0/16 -j DENY -l
ipchains -A ahnet -j net-in -l
ipchains -A input -i $NETDEV -s 24.0.0.0/11 -d $NETIP -j ahnet
- You will get quite a few skr1pt k1dd13z knocking, most of them looking for an ICQ hack called SubSeven. I've also gotten probes for tons of other things (remember this is just two weeks!) I like to run an intrusion detection system in combination with packet logging and occasionally I'll nmap someone back to see what I can see.
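The poster logs denied packets with `-l` and mentions running an intrusion detection system over the result. The following is an added example, not the poster's code: a small parser for ipchains kernel log lines that groups denied TCP SYNs by source and tells a repeated single-port probe (like the port 119 scanner described above) from a sweep across several ports. The log lines are constructed to match the shape of the fragment quoted in the comment; the destination address 24.1.2.3 stands in for `$NETIP` and the other addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ipchains kernel log format
# ("Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...").
# 24.1.2.3 is a placeholder for the subscriber's own address; nothing here is real traffic.
# 27374 and 1243 are ports historically associated with the SubSeven trojan the comment mentions.
SAMPLE_LOG = """\
Aug 14 03:12:01 gw kernel: Packet log: ahnet DENY eth1 PROTO=6 24.0.94.130:44826 24.1.2.3:119 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#8)
Aug 14 03:12:04 gw kernel: Packet log: ahnet DENY eth1 PROTO=6 24.0.94.130:44827 24.1.2.3:119 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#8)
Aug 14 09:40:11 gw kernel: Packet log: ahnet ACCEPT eth1 PROTO=17 24.0.0.27:53 24.1.2.3:1034 L=120 S=0x00 I=3991 F=0x0000 T=250 (#2)
Aug 14 11:02:55 gw kernel: Packet log: ahnet DENY eth1 PROTO=6 24.5.6.7:3178 24.1.2.3:27374 L=48 S=0x00 I=22011 F=0x4000 T=113 SYN (#8)
Aug 14 11:02:58 gw kernel: Packet log: ahnet DENY eth1 PROTO=6 24.5.6.7:3179 24.1.2.3:1243 L=48 S=0x00 I=22012 F=0x4000 T=113 SYN (#8)
Aug 14 15:20:30 gw kernel: Packet log: ahnet DENY eth1 PROTO=6 24.0.94.130:44901 24.1.2.3:119 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#8)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_ipchains_log(text):
    """Turn ipchains packet-log lines into dicts; lines that are not packet logs are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        proto_num = int(m.group("proto"))
        records.append({
            "chain": m.group("chain"),
            "target": m.group("target"),
            "iface": m.group("iface"),
            "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
            "src": m.group("src"),
            "sport": int(m.group("sport")),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "syn": " SYN" in m.group("rest"),  # ipchains appends SYN for initial TCP segments
        })
    return records


def summarize_denied(records):
    """Group denied TCP connection attempts by source and label the probing pattern."""
    per_src = defaultdict(Counter)
    for r in records:
        if r["target"] == "DENY" and r["proto"] == "tcp" and r["syn"]:
            per_src[r["src"]][r["dport"]] += 1
    summary = {}
    for src, ports in per_src.items():
        summary[src] = {
            "attempts": sum(ports.values()),
            "ports": sorted(ports),
            # one source hitting several ports is a sweep; the same port over and over
            # is a repeated probe like the port 119 checks described in the comment
            "pattern": "port sweep" if len(ports) > 1 else "repeated single-port probe",
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_denied(parse_ipchains_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['attempts']} attempts on {info['ports']} ({info['pattern']})")
```

Accepted DNS replies are parsed but excluded from the summary, so the allow rules in the script above do not pollute the probe counts.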
I was paying for a 256Kbps link, and was seeing roughly 30Kbps throughput.
I use 256Kbps ADSL from US Qwest in the same market, and I typically see 32KBps on the upstream side and between 32 and 60KBps on the downstream side. 32KBps is approximately 256Kbps. I haven't noticed problems with latency.
One possible difference is that while I use US Qwest for the wire part of the service, I use a different ISP for the Internet part.
I know of some other AT&T @Home subscribers in the area that aren't quite so happy either. One guy in particular was complaining that at certain times of the day he was getting bandwidth about like a 14.4 modem. He probably has some warez kiddies in his neighborhood or something.
Under capitalism man exploits man. Under communism it's the other way around.
T1s are hideously overpriced in most areas. Modern technology has made them much cheaper to provision but the rates have not dropped to reflect the lower costs. We will never have cheap bandwidth while the telephone companies control the market for high speed data lines.
Mea navis aericumbens anguillis abundat
If their policy dictates the content of your data stream to this degree, should they enjoy protection as a common carrier any longer?
Yes, customers with home networks may order additional network addresses in order to connect several computers to the service through one cable modem.
You must first subscribe to the basic Comcast @Home service.
Once you become a subscriber, you can sign up for the second and third addresses through the @Home member services section.
You will need to have access to network expertise because Comcast @Home neither installs nor supports networks.
The cost is $6.95 per month for each additional outlet. Customer can have two additional addresses, for a total of three.
Comcast @Home will install the network card and software on the second and third computer for a charge of $49 for each computer.
Yeah, but you're using Cox @Home. My brother works for them, he's the manager for @Home installs in Santa Barbara. They have very different terms of service, plus they overbuild their networks.
Up here in Seattle we have AT&T @Home, which is really the old TCI. They underbuild their network, and they have more restrictive terms.
Personally, I'm getting sick and tired of the increased restrictions, so I may cancel my AT&T @ Home and just use my DSL connections.
[I own shares in both Cox and AT&T - caveat emptor]
Will in Seattle
This story reminds me of a rare victory over the increasingly restrictive Cox@Home. Shortly after I installed my firewall, I got a very snotty letter from them, accusing me of running Napster, which is a 'server' under their definition. I wasn't, and asked them just WTF they had that indicated that I was. A little later in the day, I got a groveling letter addressed to a large group. It seems that someone on their staff had made a coding mistake, and any customer computer that didn't respond to his probe (i.e. anyone running a firewall) got labeled a Napster user. After the flames of Hades descended on their emailbox due to these automatically-emailed accusations, they issued this apology. I had to laugh out loud when I read that letter.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
You've got the wrong definition there, Rob.
:)
A VPN is a virtual LAN - allowing your computer to tunnel traffic to another point on the internet and exchange traffic as if you were on the same local network.
What you describe could be termed as NAT or PAT, or IP masquerade.
Although I agree that it's stupid to forbid VPN no matter which definition you apply.
Just like a lot of you, I went through the whole DSL vs. Cable debate. Cable lost out just as soon as I discovered it was unavailable. I then did the research on the various ISPs.
I was able to find one that offers unlimited traffic, static IPs @ $5 a month, & they are not concerned what types of software you run on your computers. (Within reason, of course) I currently have a web, mp3, & e-mail server running from inside my house.
It is incredibly stable, I have around 99.5% uptime. So far, I have lost connection while I was at work twice, both times were due to issues at my job's ISP.
If you can find a good DSL ISP, you can avoid all the @HOME BS. I recommend it without reservation.
It's also a traffic issue. Cable modem lines are shared between houses on the same street, using a CSMA/CD system like ethernet. If you're running slashdot on your cable modem box, you're reducing the quality of service for your neighbours.
I'm not sure whether similar constraints apply to ADSL.
I'm a Rogers@home user (Ottawa, Ontario, Canada) and I have both DNS & Mail via Rogers (with Excite @home), even have a search domain (works beautifully with Linux). However, I figure if you have the brains to configure your own network then you would know that creating a VLAN for your house is a great waste of time; Linksys has a dumbed-down version of a firewall in their cable/DSL router that works beautifully for networking your home (that is, if you don't know how to use W2K, Linux, BSD or any other server OS). And besides, if you do telecommute you should stipulate any incurred costs in your contract with your client. But hey, what do I know, right?
The difference between a madman and a genius is: a madman uses his genius destructively; a genius uses his madness constr
My reading of this however did not make it clear that VPN was tied to this "Business Use". So I called up their tech support folks. Who didn't really understand what I was even asking, so they went to their boss. What I wanted to know is if it was ok for me to do VPN to work because that's how I access my systems remotely.
Their response, NO! If I was to do so I would receive a warning and if I continued I would be kicked off the system.
This really, really bugs me! It also makes me wonder exactly what they mean by VPN, does connecting with any encrypted method count (SSL web pages)? What about remote access with SSH? What about port forwarding with SSH?
It's time to make some noise about this.
I can understand any ISP not wanting you to be the VPN server using residential service, but it is quite unreasonable for them to preclude VPN client use.
Also, prohibiting the connection of LANs to the residential service is bogus. Most people I know doing this (including me) are not doing it to have multiple concurrent access to the broadband connection, but to avoid having to move ethernet cables between systems. This is only outgoing connections from a "LAN", not incoming connections.
If they are concerned about bandwidth being eaten up, maybe they should stop people from downloading pr0n, which eats up far more bandwidth than your average telecommuter connection!
These people should be more concerned with customer service and less concerned with limiting peoples access to the 'net.
[end outrage]
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Online banking, online trading, and online purchasing are typically made via SSL connections, not VPNs. Sounds like they're trying to milk money from Joe Whitecollar who needs to connect to his VPN to access files at work.
I see that others (including Roblimo himself) are parsing the exact meaning of the Service Agreement. Rather than get into that, I'd like to recommend that, if the goal is just to share the cable modem (oops, I mean "Comcast Equipment"), you ought to just buy an inexpensive Linksys router and hook it between the Comcast Equipment and other computers (perhaps using a 10/100 hub to hook the machines themselves together, since I don't think the Linksys router provides 100 MBps Ethernet). They'll be unable to tell, short of physical inspection, how many machines you have on the line. Nor should it be any of their business anyway, IMO, no matter what their Service Agreement document says. You also get the additional benefit of a hardware firewall between you and the hordes who seem to be constantly trying to find an open port on my @Home machine.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
Same here in Toronto with Rogers@Home. In fact, I run NAT, Apache, BIND, sendmail, SSH, CVS, and more external services, and @Home has never bugged me. Fairly fast connection - no real complaints.
Hear, hear!
Although I do have broadband (Cox@home), I do remember not having access to broadband, and it sucked. People whine about @home, RoadRunner, or DSL, but try a 56K modem then go back to broadband and they won't complain anymore.
I am one @home customer that is grateful to be able to download at 100K/sec+ and have 40ms Quake3 ping times.
Linux O Muerte!
And, @Home sucks. Is ADSL any better?
Since I can *only* get ADSL in my hood in Toronto, I'll give you my perspective:
downloads are fine, speed is consistent, uploads are slow (which isn't that big a deal to me), and more importantly to me: the USENET servers have been upgraded a couple of times in the past year, so News is really great. From what I've heard, the @Home News servers really bite and @Home couldn't care less.
Downside: the PPPoE servers occasionally go down, so you can't get a connection. Sometimes, my speed drops from 70K/s to 30K/s for a few hours.
Personally, I'm happy with the service because it's way better than a modem. I don't expect 100% on time, full-speed connections because I know better: judging by the amount of bitching I hear about all the different broadband options, it appears that most people have forgotten that nothing is 100% perfect EVER, especially when it comes to computers!
Pope
Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
It doesn't mean much now, it's built for the future.
LOL
Sad thing is that AOHell is/will be a cable ISP monopoly after the acquisition of Time Warner - If you can't beat 'em, buy 'em out, I guess. I'm just waiting for my RR speeds to go down the toilet.
At that point I'll try to find a decent DSL provider. Anyone have good luck with one? Concentric seems to be running a $50/month DSL bit with no equipment or setup charges - which sounds REALLY good, but I'd like to hear from someone who has it first, before I ditch my cable connection.
I subscribe to ATT@Home, and it's not bad. The speed could be more consistent, but I haven't experienced any downtime so far and overall I'm happy. After looking at the Comcast@Home Subscriber Agreement, I certainly hope that AT&T doesn't start making policy changes using Comcast as a model.
AT&T's policy is that you cannot run any servers, i.e. FTP, Telnet, News, etc. including VPN servers. They could care less whether or not I connect to work or elsewhere through VPN. The Terms of Service also say nothing about hosting a personal web site. It goes along with the upstream bandwidth limits, they want you to subscribe to their business services (which just happen to be significantly more expensive).
As far as sharing the internet connection goes (this is what I was told by the installation guy), the policy "we don't support home networks" really means "we're not going to set one up for you." I personally use a 2000 server configured as an internet router to share my connection. But he said he'd seen quite a few people with linux boxes or hardware routers. The companies just want you to buy more IP addresses from them (at $4-5 a month per IP address, it adds up).
That's tight, if you don't have windows 95 or 98 or an Imac, you are refused installation
Very simple.
Get a Win95 machine with the Ethernet card you want to use in your Linux machine.
Let them install it, and when they are away, get the network card out of the Win95 machine and put it in the Linux machine, and everything should be working.
No problem.
This worked for me.
I work for Microsoft and I frequently work from home over DSL via a VPN connection. Does this mean that @Home users who want to connect via VPN to their offices to do work will now be prohibited from doing so? I can't imagine this will help the @Home business, since most people I know who have broadband are only willing to fork out the money because they have some business-related need for it.
- "It's just a matter of opinion!" - PRIMUS
the part of the agreement I find bothersome is the "no server" clause? what do they care? I can understand not being responsible for business class performance metrics on a residential connection, but hey! what if i (god forbid) wanted to run my personal web site off of it?
bs sig
VPN has nothing to do with NAT & local networks. They are not saying 'you must get additional IPs from us', they don't care. The IPs are there if you want; firewall off your own private network if you want.
What they are trying to prevent is people using @home to VPN in to their office networks, and this should REALLY DISTURB PEOPLE.
It should *NOT* be @HOME's place to tell us what kind of traffic is acceptable, other than network abuse itself. If they want to up bandwidth fees, that's fine.
Hmm. I wonder why @home is so insistent on forcing people to web surf and email only... could it be they are tracking statistics?
If you look at @home's site ( http://www.home.com/support/aup/ )
It has no mention of VPNs.
I use USQwest's 256k DSL service -- which in my case is 256k up and 384k-512k down. I was getting 640k down at my old place which was much closer to the CO, but my new place is right at the end of the line when it comes to DSL, and on rare occasion the line quality will really deteriorate (extreme packet loss) but 99% of the time it's just fine. I'm really happy with the service overall.
sounds like you were too far from the CO, didn't they test that before-hand?
a great source of DSL knowledge can be found at http://www.dslreports.com/
1) VPN != Private network. These changes have nothing whatsoever to do with 'multiple IP addresses' or 'running a private firewalled network' at home. They don't care one iota about this. A VPN is when a secure tunneling protocol is used to create virtual network connections to remote private networks, ie: your office network.
2) This is not an @home change, only a comcast@home change.. specific, it appears, to comcast, as it doesn't appear in any other cable provider's network. I believe individual providers are allowed to add their own restrictions if they wish.
er, yes but...they were talking specifically about ip_masq (which I've yet to see out of the context of linux)...and I always thought ip_masq was somehow functionally different from NAT. though now it seems as I start looking for an explanation of the differences, that there are implementations of NAT that function similarly (so called "1:many NAT").
so...yeah...or something
--Siva
Keyboard not found.
Press F1 to continue.
Sorry, you're wrong.
Here is a clarification I received from Comcast about this:
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
If you start providing access to the Internet to others and making money, this is wrong.
If you are providing dial-up service to all your friends, this is also wrong.
If you are using it to provide service for your in-home LAN, this is still within your residence, and is not a breach of contract.
Why is this so hard for people on here to understand!!!??? I think every ISP has had this provision since day 1.
First, with the upstream bandwidth caps they now have, your ability to impact your neighbors quality of service is minimal.
Contrary to popular opinion, ADSL also has the "shared-bandwidth" problem, it's just that the bottleneck lies in a different place.
That was exactly my reaction.
:(
I live in Ontario (Canada, not California!) working remotely for the Colorado office of a San Jose based company. I wouldn't be able to do this without a VPN.
My DSL internet access from Sympatico (Bell) costs Cdn$40/month (including $10 modem rental). The equivalent business service (identical in all forms) from Bell itself costs about $80. Faster services start at $150 quickly rising to $450/month, but they are all business only. The only alternative is Rogers@Home (some alternative, eh?). Banning VPN would force me to switch to a corporate plan, which would mean paying through the nose
@Home is just trying to get people using their service for "business" to pay business (read higher) rates. Traffic over a VPN isn't necessarily any more than your home user reading web pages or playing streaming audio, but it is just @Home's way of milking more money out of the companies, which they think have the money.
This totally highlights the importance of competition. In my area I can get @home, and use the isp that comes with it, or I can get DSL and use any of the myriad local and national isps that can give me access.
I chose to go with a small local isp and have always gotten great service. With no hassle.
And this is totally what you would expect. The little local isp is just providing a service, not trying to leverage his customers into spending more money. There is far too much competition for that.
Besides, ping times are much better on a star (dsl) than a loop (cable), which is most important for working from home over ssh and realtime gaming.
On side note, you can just keep on using whatever you are using for vpn software, as there is no way for @home to find out. All packets from behind your nat box look like they came from the nat box, so there is nothing that @home could use to figure out if you are doing this or not.
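The point just made, that everything behind a NAT box appears to come from the NAT box itself, is also what separates NAT/PAT ("IP masquerade") from a VPN in the earlier comments. The following is an added example (not anything from the thread or from any router vendor): a toy port-address translator that rewrites outbound packets to a single public address, reverse-maps the replies, and drops unsolicited inbound traffic, which is the "hardware firewall" benefit another poster mentions. All addresses are constructed placeholders (24.1.2.3 for the subscriber side, 198.51.100.x and 203.0.113.x from the documentation ranges).

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PortAddressTranslator:
    """Minimal model of the many-to-one NAT done by a home gateway (constructed example)."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (proto, inside ip, inside port, remote ip, remote port) -> public port
        self._outbound = {}
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self._inbound = {}

    def outbound(self, pkt):
        """Rewrite an inside host's packet so it appears to come from the gateway."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self._outbound.get(key)
        if pub_port is None:
            # New flow: allocate a distinct public port so two inside hosts using the
            # same source port toward the same server can still be told apart on return.
            pub_port = next(self._ports)
            self._outbound[key] = pub_port
            self._inbound[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Reverse-translate a reply; returns None (drop) when no inside host initiated it."""
        if pkt.dst != self.public_ip:
            return None
        inside = self._inbound.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None  # unsolicited probe: no mapping exists, so it goes nowhere
        inside_ip, inside_port = inside
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)


def demo():
    """Two inside hosts talk to the same web server; one reply comes back; one probe arrives."""
    nat = PortAddressTranslator("24.1.2.3")  # placeholder public address
    a = nat.outbound(Packet("192.168.0.10", 1025, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.0.11", 1025, "198.51.100.7", 80))
    reply_a = nat.inbound(Packet("198.51.100.7", 80, "24.1.2.3", a.sport))
    probe = nat.inbound(Packet("203.0.113.9", 3178, "24.1.2.3", 27374))
    return a, b, reply_a, probe


if __name__ == "__main__":
    a, b, reply_a, probe = demo()
    print("outbound from .10 seen as:", a)
    print("outbound from .11 seen as:", b)
    print("reply delivered to:", reply_a)
    print("unsolicited probe result:", probe)
```

From the provider's side the two outbound packets differ only in source port, which is exactly why counting machines behind the box is impractical without a physical inspection, as the Linksys comment above says.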
This is ridiculous!!!
Many people in my workplace have @Home (I'm using DSL though) to connect to the office via IPSec VPN. Now this is going to be disallowed??? WHY?
Obviously, we'll be switching everyone to xDSL, but that's a major pain for us in IT.
Doesn't @Home realize they are going to lose customers?
Can anyone think of a reason to not allow VPN (I can see why they don't want to allow IP-Masq/NAT)...
-Hunter
RateVegas.com - Vegas Reviews
Second, whilst the "stated" aim is to prevent the customer from using @Home as a means to compete -with- @Home, the effect is to essentially make @Home largely pointless. There is no purpose in being connected 100% of the time, if you can't make -some- use of the unused bandwidth that you (after all) -ARE- paying for.
IMHO, if they had said -commercial- web server, or -commercial- VPN, then @Home would have a point. It would also make some kind of "legal" sense, due to US zoning laws.
On the other hand, blanket bans, where what is being banned is not clearly stated or described, sounds more like a means to sue anyone they happen to feel like, on some kind of ill-defined pretext.
I thought King John had ended this kind of practice. Obviously not. Maybe we need another uprising, to remind people that "authority" is NOT about power but responsibility.
OTOH, if some Grey Hats could, umm, find a few billion to rewire the US with 3 terabit Optic Fibre running to everyone's house, then @Home's TOS would be quite redundant.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I suppose it's Verizon now, but when they started offering DSL service they would tie their service directly to your MAC address (they provided the modems etc...). After a few months, and the numerous crashes this authentication caused on their end, they stopped. However, the explanation they gave me for this when I called and asked was to try to stop me from using their service from more than one computer; I was told that I would have to purchase another DSL if I wanted to have another hookup in my house. While this was easy to work around, I was still surprised that they would try this.
network address translation is not a VPN. It falls under their proxy server policy. Not that the proxy server policy isn't equally foolish, mind you, but it's not the same thing. A VPN is an encrypted tunnel, usually run over the public internet, although there are applications of such technology on private networks as well. My @Home provider, Cox Communications, has a policy directly prohibiting VPN connections of any sort. I willfully violate this provision of my often modified description of service and I hereby dare Cox to do something about it. Don't let the fact that I am a member of Clan Anonymous Coward deter you from tracking me down :-)
In this particular case I think we're having much ado about nothing - the text as I read it indicates that you can't run a web/ftp/game server via a public IP they provide you, nor can you *TUNNEL* from somewhere else to run said service. IE you can't use some sort of encrypted port forward from another ISP to serve something using a machine on @home's network.
Common VPN protocols would include PPTP which uses GRE - IP protocol # 47 - which would be readily identifiable to someone examining network traffic.
IPsec uses an encrypted payload in a standard IP packet. This would be a lot harder to detect ... it would require a fairly complex filter to catch.
There are tunneling schemes that use SSL and this would be the devil to try and track - looks like just an encrypted web connection.
All in all I think @home is utterly clueless - they don't have a good grip on the sort of person who buys their service and what they might be able to upsell (hell yeah, I'd pay $100/mo for @work type bandwidth to my house ... but not with a stupid $1000 Cisco 1605 I don't need attached to the deal) and they also have no clue about the business market.
For three years now I've watched @home insist that they can charge on a per PC basis for business service and every large account that would have loved to have their service has sent them packing ... it is a foolish television executive decision to try and do things that way and it will continue to sting them until they get some leadership that understands what the internet is all about.
What happens if the USPS starts deciding that they want to open and read all the mail?
Nothing. I mean, how would we know if they started doing that. They could easily steam it open and reseal it.
Finkployd
That's correct. In fact my windows partition has DHCP enabled, while I configured my Linux partition statically. For some reason, their DHCP server did not answer DHCP requests when I booted Linux. They tried to make me believe that not using DHCP was the cause of very frequent interruptions I was experiencing, it turned out it was a problem on their side. It still took a month, 3 service calls, and 2 modems to figure it out. But now, the service rocks... until all the neighbours figure it out ...
Now, what is happening in the broadband industry is that the cable modems now all support the "DOCSIS" standard and most cable companies are forcing customers to upgrade.
What this means is that you can usually no longer get as many DHCP assigned addresses as you used to - my provider, Cablevision - did the same thing. They want to sell you another cable modem (at $300 or $19.95/mo!) instead.
I say screw them. Use something like ip-filter, ip-chains or even hardware to get around this.
I highly recommend the Netgear RT311 gateway router, which is what I picked up. It's a buck and change and does a nice job of NAT (not VPN, sheesh) and serves as a firewall as well. Setup is through telnet, serial port or Web. Within ten minutes you can be up and running again. Linksys makes a nice one too.
Use software or hardware, your choice...
Yeah. Most of the people I know in Toronto and Ottawa who are on either Shaw@Home or Rogers@Home are very happy with their service. Friends in Niagara Falls NY on Adelphia's unidirectional cable system love that, too, even piped into their LAN. It's worth noting that one of those friends actually works as a sales rep for Bell Atlantic DSL.
And, @Home sucks. Is ADSL any better?
Okay. Well, I've never had cable internet service.
My decision went as follows:
dsl.ca is a division of Velocet. They offer their DSL service only in Toronto at the moment. $34.95/mo + $5/mo modem rental (okay, no cheaper than Sympatico). But for an extra $5/mo, they'll rent a static IP. Installation went like a million bucks. PPPoE is the only downside, but even so, Roaring Penguin's PPPoE solution is great.
Many people complain about the stability of DSL connections. I have no concerns:
2:37pm up 20 days, 14:21, 1 user, load average: 0.13, 0.03, 0.01
55 processes: 54 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 0.7% user, 1.3% system, 0.0% nice, 97.8% idle
My PPPoE-based DSL connection is started up when my computer starts up. Most of that CPU load is actually top, then there's a bit from the PPPoE client. Even with all 5 computers on my home LAN streaming Real Video from the Big Brother website, the PPPoE client never gets above 2.5% or so CPU usage. (Pentium 133 with 32 megs RAM.)
If you're in Toronto, look into dsl.ca if you want a cable/Sympatico alternative. I love these guys.
Fire and Meat. Yummy.
I just sent this message to comments@comcastpc.com. Let's see what they say.
Subject: PLEASE CLARIFY TERMS OF SERVICE: @home and VPN
I have been informed of the following item of concern in the Terms of Service of "@home" Internet cable modem.
6. Prohibited Uses of the Service.
b. In addition, Customer agrees not to:
viii. USE THE SERVICE IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL
Many of our employees use the Internet at their homes for their personal use, and Cable Modem and DSL have become very popular. Naturally, when our employees want to connect into the office from home, they want to use their high-speed connection rather than the traditional dialup.
Our company has installed VPN hardware and software in order to make it possible for our employees to do so without compromising our network security.
The plain language of this item in your Terms of Service seems to tell me that our employees can not use @home in this manner.
Please clarify this, and let me know if this is correct. If our employees can not use VPN from @home, I need to inform our 8,000 employees that, when they're making decisions about what broadband services to install at their homes for their personal use, if they want to use that broadband connection to access their work account, they had better choose some other provider than @home.
ip-masq: They would restrict this if they wanted to sell you more IP numbers.
VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.
I can't speak about comcast, but I've been using AT&T@Home (formerly TCI) for a couple years now, and have been running pretty much all of the "forbidden" services on my box. Granted, the daemons don't account for a great deal of traffic, but certainly enough to be detectable if they were looking.
My gut feeling is that running these services is "forbidden" simply to relieve their tech support staff from having to answer questions, and from complaints like "my users are getting horrible download speeds from my ftp site." Other than that, they really have no reason to care what you run on your machines, especially with the upstream bandwidth caps they've recently put in place.
As much hype as there has been about these restrictions, I don't think I've heard of even one case of somebody getting their service terminated for running an ftp or http server.
Quick. Lets get out our conspiracy hats. Its either money or power. Corporate greed or government subversion of our privacy. Which could it be?
rc-flyer was nice enough to call up the Comcast folks and get clarification. Encryption for consumer use such as shopping and banking? OK. Telecommuters? No way.
Aha. While it might be more exciting to strain for the sounds of black helicopters and carnivorous black boxes, greed wins out. A look at the @Work site gushes:
It would seem that telecommuters are finding it easy to do their own "@Work" solution and aren't interested in the undoubtedly higher price tag of @Work over @Home service.
It clearly states "THE SERVICE IS FOR PERSONAL AND NON-COMMERCIAL USE ONLY". The ban on VPN traffic would seem to back up this notion of non-commercial use only. It plainly targets telecommuters that need secure communications with the work LAN. It seems to me that this targeting of the telecommuter may be a "friendly fire" matter as opposed to being their true intent.
Chances are that they're really wanting to eliminate the use of the service by corporate VPNs (for satellite offices and such) which would make heavier use of the service. I can't imagine they'd want to kill their appeal to all the single-cpu telecommuters, as that should be a large part of their market...
How they plan to enforce this policy is also questionable. Sure they can block IPSec traffic, but not all VPN solutions are based on IPSec. Some prominent VPN solutions (in use at some major corporations no less) are based on SSL or proprietary systems. I can't see how they would intelligently block SSL without raising a big stink...
And while I didn't read the agreement very closely (not being an @Home customer), I didn't see a provision against having a Masqueraded LAN at home. It seems primarily concerned with people running externally-used services and such...
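Two comments above make the same technical observation from different directions: one lists what a VPN looks like on the wire (PPTP rides on GRE, IP protocol 47; IPsec is an encrypted payload in an ordinary IP packet; SSL-based tunnels look like any encrypted web connection), and the one just above asks how a provider could block anything but IPsec without also blocking SSL. The following added example (not code from either poster or from any product) makes that concrete: it parses a raw IPv4 header, reads the protocol number and, for TCP/UDP, the ports, and reports what that alone reveals. The sample packets are constructed with placeholder addresses (24.1.2.3 for a subscriber, 198.51.100.20 from the documentation range) and zero checksums; nothing is captured from a real network.

```python
import socket
import struct

# IP protocol numbers and well-known ports used by the tunnel types named in the thread.
GRE, ESP, AH, TCP, UDP = 47, 50, 51, 6, 17
PPTP_CONTROL_PORT = 1723
IKE_PORTS = {500, 4500}  # IKE and IPsec NAT traversal
HTTPS_PORT = 443


def parse_ipv4(packet: bytes):
    """Return protocol, addresses and (for TCP/UDP) ports from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    hdr = {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "sport": None, "dport": None}
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return hdr


def classify(hdr):
    """What an operator inspecting only IP and transport headers can conclude."""
    p = hdr["proto"]
    if p == GRE:
        return "GRE (IP protocol 47): PPTP data channel, identifiable from the IP header alone"
    if p == ESP:
        return "IPsec ESP (IP protocol 50): tunnel likely, payload encrypted"
    if p == AH:
        return "IPsec AH (IP protocol 51)"
    ports = {hdr["sport"], hdr["dport"]}
    if p == TCP and PPTP_CONTROL_PORT in ports:
        return "TCP/1723: PPTP control channel"
    if p == UDP and ports & IKE_PORTS:
        return "UDP/500 or 4500: IKE or IPsec NAT traversal"
    if p == TCP and HTTPS_PORT in ports:
        return "TCP/443: TLS; an SSL VPN and ordinary HTTPS are indistinguishable at this layer"
    return "unremarkable"


def build_ipv4(proto, src, dst, payload=b""):
    """Construct a minimal IPv4 packet (no options, checksum left zero) for the samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def l4_ports(sport, dport):
    """Transport header stub: just the two port fields, the rest zero-padded."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


SUBSCRIBER, OFFICE = "24.1.2.3", "198.51.100.20"  # constructed placeholders
SAMPLES = {
    "pptp_data": build_ipv4(GRE, SUBSCRIBER, OFFICE, b"\x00" * 4),
    "ipsec_esp": build_ipv4(ESP, SUBSCRIBER, OFFICE, b"\x00" * 8),
    "ike": build_ipv4(UDP, SUBSCRIBER, OFFICE, l4_ports(500, 500)),
    "https_or_sslvpn": build_ipv4(TCP, SUBSCRIBER, OFFICE, l4_ports(40001, 443)),
    "web": build_ipv4(TCP, SUBSCRIBER, OFFICE, l4_ports(40002, 80)),
}


def classify_samples():
    return {name: classify(parse_ipv4(pkt)) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {verdict}")
```

The last two samples carry identical headers apart from the port, which is the whole enforcement problem the comment raises: a filter that drops protocol 47 or 50 is a one-liner, while anything tunnelled over TLS on port 443 cannot be singled out without breaking every secure web session the provider says it wants to allow.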
Who the hell would want a Jaguar instead of a Porsche? Especially when we're talking about speed (which we are) (the XJ-200 is no longer in production)!
Someone that spells it Porche, maybe?
Refrag
I have a website. It's about Macs.
[song]Do you know the way OUT of San Jose[/song]
--
Does narcissism count as a hobby? --Shawn Latimer
And, @Home sucks. Is ADSL any better?
Running PPPoE on Sympatico HSE ADSL, I see pings to the most local Q3 demo servers in the range 30-50ms. Download speeds up to 102Kbytes/second, particularly to the Helixcode Akamai server, so I'm pretty happy with it. Performance under Linux is good and gets connected faster than on Windows when using the RP PPPoE client so I'm happy. Especially as the reason for getting the ADSL in the first place was VPN connectivity.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
There is no 'standard' VPN protocol. All you would see is an encrypted datastream.
One of my friends is fond of saying that, despite the fact that all the optimization math works so beautifully, capitalism is still inefficient, because, basically, people don't want your money.
Really, they want control, or they want 'market share', or they want 'guaranteed revenue', but very few just want money, in big bundles, as often as they can get it.
And so we get companies doing things like this that just BEG to get people to jump ship to wireless broadband just as SOON as it is ready, all so they can feel a little more secure.
BTW, this type of TOS probably wouldn't hold up in court, as there are all kinds of fun and complex precedents in the telephone industry about your usage rights inside your house. But I'll leave that topic for the online-lawyer types.
-- Crutcher --
#include <disclaimer.h>
Except for the financial situation mentioned earlier (@Work), I can't think of any. Technically, what's the difference between running an SSL client and running VPN client, except that under VPN, all of my traffic is bound for my office. The bandwidth usage will be the same either way.
My thought is that the VPN makes it almost impossible for them to track your network usage (ie. what you're doing online - WWW filtering/logging??), since for example, your URL destination is encrypted inside of the VPN packet, and not available until after decryption by the VPN termination.
Ahhh, here's the issue. Remember, it's all about money/revenue stream (remember the @Work situation). What if @Home network is using a URL logging system, and recording your www browsing activity and selling such information to on-line marketers and marketing database companies (ie. the Database Marketing Association). If you're using a VPN, that Marketing information can't be captured. So much for that revenue stream. Check @Home's financial statements and see how much of their revenue is coming from on-line advertising and other marketing type sources. If it's significant, then...
I'll have to drop a line to junkbusters and see what they have to say about these ISP's.
As for the NAT/IPMasque, I can't see why they'd object - I'm using the same bandwidth either way. Except again, it's a question of revenue stream - ya get more cash if ya can charg'em for multiple IP addresses. Personally, if my provider wants, they can make all the noise they want about NAT, etc. but I don't see how they can tell I'm using such a technology unless they do a real detailed study of my network traffic, and that'd be like "looking for a needle in a haystack".
And now, we see the problem that occurs when Marketing/Sales get involved in technology.
They can't possibly detect ip-masq.
eh, not completely true. almost all outgoing IP connections on any platform will use a local port between 1024 and 65535. an ip_masq box typically will use local ports in the 60000 range for masq'd outgoing connections. i have two machines behind a masq box and there are currently 40 entries in /proc/net/ip_masquerade, all with ports above 60000 (of course most are just waiting to be expired, but anyway). it wouldn't be 100% proof, but i can see @home watching customer traffic to see if anyone has mostly local ports >60k, and then bitching at them in the same way they bitch when they find an open service port (21, 25, 80, etc). i wonder how long it'll be until they start monitoring the actual content of traffic to figure out who is running irc bots and whatnot...
--Siva
Keyboard not found.
Press F1 to continue.
Apparently Chello is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if Chello provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is Chello. Bah!
He, this seems to go for every cable ISP!
Exactly! Here is a reply they made to my request for clarification:
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
-- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
Apparently the thing being blocked here is VPN, encrypted network traffic between 2 hosts/networks. This does not appear to be blocking Masquerading hosts, just VPN. So the people with 5 boxes in their house going through one Linux box are still fine. (I think)
Most people probably aren't doing VPN... yet.
CJK
It's not draft. They highlighted the new/changed sections for people to see easier.
Um, just to put things into perspective, why not go shopping for a T1, which would be the closest alternative on the market in terms of the bandwidth you're buying.
A dedicated T1 certainly has advantages over a cable modem, but for home use, cable modems are EXTREMELY reasonably priced.
Some person or people mentioned in here that @Home is too much money. I have a sad fact for them, Excite@Home only takes $20 at the most from your bill (leaving the rest for the cable service). From what I understand from this new Terms of Service from COMCAST and not any other cable provider (@Home sets a set of rules, and then each cable company has the ability to make their own set of rules as well, your best bet is to go to your cable provider's web page and look at the AUP/Terms of Service). When I worked for @Home, people would VPN into work and use their own DNS Servers for work, we would have to encourage the @Work service, because the @Home service does not encourage that kind of usage, it was meant for the home, and not working from the home. Using NAT/Proxy would be a violation of AUP from @Home, but what they don't know, doesn't hurt them in any such way, that's what I would tell customers. All you have to do is setup a good firewall and block out anything from home.net, which is the corp domain for @Home, even the NOC, they used to have a hostname by the name of ops-scan.home.net doing port scans on customers to see if they are running something they shouldn't be, SMTP, POP3, IMAP4, HTTP, etc. Have a good day =-)
Former @Home Employee at 425 Broadway, Redwood City, CA
have a good one!
Much earlier in the "agreement" was an interesting change related to only using Comcast-approved equipment and software. I'd think that that little provision would generate more discussion as it could be used to keep Linux machines from being used on their service.
James
That's right, if you don't have windows 95 or 98 or an Imac, you are refused installation. Because unless they are allowed to "configure your computer" they will refuse to hook you up. Linux is banned because it is a "hacking tool" and VPNs are called "stealing service".
getting cable and cablemodem services up at school, + the equipment rental costs about half as much as my RENT for my APARTMENT with ALL OF THE UTILITIES INCLUDED.
I would kill someone for a place whose rent + utilities was twice my cable modem bill!! However, I would be afraid that someone would kill me in such a neighborhood!!!
This whole thing is just another symptom of the problem--no real competition. The whole DSL vs Cable holy war is another. Some people have had a great experience with cable/DSL some have had an awful one. The problem is, for most people there is only one choice, and whichever one that happens to be will treat the customer like crap because they can. It's a very frustrating time to be a home user and double that if you're in a small market. I hate government intervention but...no I can't believe I said that, there has to be a better solution?
Vote Quimby.
Not to get overly off-topic..but I wanted to share how I do my @home connection..
NetGear has routers (http://www.netgear.com/products/rt311ds.shtml) that are <$200, and they do NAT/PAT & DHCP. They work WONDERFULLY, and I didn't have to setup a Linux box. Also, you can telnet to it to configure it, and it does some nifty things..like default private network hosts, based on port. So, if you *DO* have a Linux box on the private network, you can point SMTP (25) to a particular host on the inside network (i.e. 192.168.0.10, or whatever).
;)
I've had this configuration up and running for over 4 months, and it's been flawless... Nice little wiring closet, with cable modem, router, server, switched 10/100 hub and a kickass cable distribution...
Now..what I want..is a Linux box on the public side of the router, that pings the cable modem/default gateway..if it goes down..it reroutes via the xDSL connection I have on another network card..if that dies, *AND* the @home connection is down, it fires up a modem.. That's my next project...and it should be doable.
BTW, GNUella works great through the Netgear box..
doesn't the outgoing packet from a masq'd connection have to have the mac address of the nic it is supposed to return to? If so, they could easily look for that.
-- Thrakkerzog
@Home charges too much for what they offer already! The prices are OUTRAGEOUS and now they want this too? I am so sick of cable/cablemodem monopolies.
Eh...
The only thing different is Linuxites who started it called it IP Masq.. its just NAT unless something new has been done that I am not aware of
If you think education is expensive, try ignorance
ISPs can get away with outrageous bullshit if they like...most usage agreements, no matter how innocuous, contain a clause allowing them to modify the terms of service at any time, for any reason. Business users get a bit more slack, but they pay through the nose for it. Personally, I'm sick of it, but there's no public, open alternative to the ISP oligopolies.
Even the samurai
have teddy bears,
and even the teddy bears
get drunk
As a subscriber I saw the email that Comcast sent out yesterday and my initial reaction was - wtf?
There is no indication in the wording of the new agreement that 'residential' use of VPNs is allowed. In fact, it would seem to me that all VPNs are outright banned based on the wording of the clause (ie. we're after the "FOR ANY BUSINESS ENTERPRISE" part).
So, a rep has said if I connect to my school's VPN to do some distance courses online (http://telecom.njit.edu/) it's ok. If it is, why isn't the agreement worded as such.
I want to see it in writing!
[place
...to varying degrees. Some of the cable co's seem to take rather draconian measures in portscanning/enforcing their AUPs.
Rogers@home isn't overly anal (at the moment anyhow) about this sort of thing although the one thing they will portscan and hunt you down for is an open newsfeed. This is in response to the whole usenet @home blackhole fiasco of some time ago. I've noticed that they don't even mind if you have an ftp server up so long as it's not anon access and you don't cause trouble (you would never get an @home rep to say this on record tho so take it for what it's worth).
- Toby
Eh...
>The most likely the reason why they are banning VPN's from @home is to sell their @work remote access service [LINK].
I like the fact that they have a typo in their graphic on that page... 'Corporat' and 'Corporate' both appear... you think they could at least be consistent...
--
"It's tough to be bilingual when you get hit in the head."
I just set up a second box at home by using
one of their unused addresses on my subnet.
easy enough (until someone reads a traffic log
or tries to use the hijacked IP)
A year spent in artificial intelligence is enough to make one believe in God.
This, I believe, is _THE REASON_ for the clause. They want you to purchase @WORK for that.
Before I part with'em: two pennies weigh ~4.996+/-0.014g, have a zinc core, and the face of Lincoln. You can keep 'em.
@Home frequently runs portscans on their domains to "Make sure their clients aren't running any services they were not aware of." If the scanner finds one it will auto-mail you. This is more political than anything. All my services run above port 40000 and you have to connect to a trigger port 500 ms before (which is in the low 1000's) and that fundamentally kills @Home's portscans (as well as the other million portscans I get and failed ftp login attempts with user/pass:warez). If they do find a way to block you, try setting up an SSH tunnel to that port. Use the Linux VPN howto as a template on how to pull this off. Not rocket science.
This is exactly what happens when the bandwidth provider (cable co.) is the monopoly ISP, also. While I am not a fan of AOHell by about 180 degrees, they were right about AT&T and cable ISP monopolies.
Live to be Moderated
That's funny, here in Kitchener-Waterloo, people on @Home with Rogers have reported regular port scans (21,23,80) from security.home.com or some such hostname.
Of course, apparently they're not consistent in their [performance|service|responsiveness] either, so why should they be consistent in this, right?
There is a spellbook here; eat it? [ynq]
I haven't read their service agreement lately (they seem to change once a month), but the last time I checked the Cox@Home one, you could do things like run servers, VPNs, upload scads of data, etc. by becoming an @Work user. Same hardware hookup, but they remove those restrictions, plus they don't cap the data rates. So, while it might be true that you're stuck with your provider, it's not technically true that you're without recourse for obtaining these services. You just have to be willing to pay the additional money, a question best left up to you as to whether it's worth it.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
Do they not allow VPN or Proxy Servers? I don't see how they can do either? VPN traffic is just as legit as any other, and I don't see how they can detect proxy servers.
Free Mac Mini
How could they tell? Doesn't a VPN just look like one computer doing a whole lot of network activity?
They just have to listen on the known VPN ports. The initial handshake will give you away.
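What a passive observer on the cable segment could and could not infer from packet headers alone, as an added example that is not from the thread: it covers the well-known tunnel protocols and ports (the handshake point made above), the ip_masq high-local-port heuristic from the earlier post, and the caveat that an SSL-based VPN is indistinguishable from ordinary HTTPS. The port numbers are the standard IANA assignments; the flow records are constructed, not captured.

```python
# Added example, not code from the thread: header-only classification of
# flow records, the way an ISP watching a cable segment could do it.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp", "udp", "esp", "ah", "gre"
    local_port: int   # 0 when the protocol carries no ports (ESP, AH, GRE)
    remote_port: int


# Standard IANA assignments for the tunnel protocols named in the thread
# (IPsec) and the other tunnel protocols in common use at the time.
TUNNEL_SIGNATURES = {
    ("udp", 500): "ipsec-ike",      # IKE key exchange: the "initial handshake"
    ("udp", 4500): "ipsec-nat-t",   # IKE/ESP through NAT
    ("tcp", 1723): "pptp-control",
    ("udp", 1701): "l2tp",
}


def classify(flow: Flow) -> str:
    """Label a flow from its IP protocol and remote port only."""
    if flow.proto in ("esp", "ah"):
        return "ipsec-esp/ah"       # IPsec data packets: no port, distinct protocol number
    if flow.proto == "gre":
        return "pptp-gre"           # PPTP data channel
    label = TUNNEL_SIGNATURES.get((flow.proto, flow.remote_port))
    if label:
        return label
    if flow.proto == "tcp" and flow.remote_port == 443:
        # HTTPS to a bank and an SSL-based VPN produce the same header;
        # the observer cannot separate them without inspecting payload.
        return "tls-ambiguous"
    return "other"


def summarize(flows):
    """Count flows per label."""
    return Counter(classify(f) for f in flows)


def high_port_share(flows, threshold=60000):
    """Fraction of TCP/UDP flows whose local port is >= threshold.

    A poster notes that old Linux ip_masq picked local ports in the 60000
    range for masqueraded connections, so a high share hints at a gateway.
    Ordinary ephemeral ports also run up to 65535, so it is only a hint.
    """
    ported = [f for f in flows if f.proto in ("tcp", "udp")]
    if not ported:
        return 0.0
    return sum(1 for f in ported if f.local_port >= threshold) / len(ported)


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("tcp", 1035, 80),       # plain web browsing
    Flow("tcp", 1036, 443),      # bank website, or an SSL VPN: can't tell
    Flow("udp", 500, 500),       # IKE to a corporate gateway
    Flow("esp", 0, 0),           # IPsec ESP payload
    Flow("tcp", 61001, 80),      # host behind a masquerading Linux box
    Flow("tcp", 61002, 443),
    Flow("udp", 61003, 53),
    Flow("tcp", 1040, 1723),     # PPTP control channel
    Flow("gre", 0, 0),           # PPTP data
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:14s} {n}")
    share = high_port_share(SAMPLE_FLOWS)
    print(f"local ports >= 60000: {share:.0%} of TCP/UDP flows")
```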
My impression is that they are trying to prevent VPN connections. Although how that impacts their Services, I don't know. I think this is separate from, say, running a router at home and splitting the signal to the rest of your PC's. Again, something that should not impact their service at all, yet my DSL service wants to charge me more merely to have a router in my house!
Dirty Pirate Hooker
If I pay for XYZbps bandwidth, why shouldn't I be able to use that XYZbps as I see fit? All of it for one PC, half for each of two PC's, etc. so long as it all adds up to that XYZbps that I pay for each month, why do they care how I use it? [aside from resale, which is a different debate]
-={(Astynax)}=-
"Darkness beyond Twilight"
My reading of this however did not make it clear that VPN was tied to this "Business Use". So I called up their tech support folks. Who didn't really understand what I was even asking, so they went to their boss. What I wanted to know is if it was ok for me to do VPN to work because that's how I access my systems remotely.
Their response,....
NO!
If I was to do so I would receive a warning and if I continued I would be kicked off the system.
This really, really bugs me! It also makes me wonder exactly what they mean by VPN, does connecting with any encrypted method count (SSL web pages)? What about remote access with SSH? What about port forwarding with SSH? From what I'm hearing from them, I'm not allowed to access anything in a secure manner.
It looks like they want to totally kill off the work from home user.
It's time to make some noise about this.
I think they mean that they are not allowing you to make your home network part of another network such as your office by using things like encrypted PPP or possibly IPsec (though there are also non-VPN uses of IPsec at Linux FreeS/WAN). Buying extra IPs would have no effect on this policy.
:( (when/if they do, that's when my cable modem goes bye-bye).
IP masquerading is still not prohibited, meaning that you can run an Internet gateway using Linux or some other system and have an internal network use it as a gateway to the Internet. @Home only allows two extra IPs, as far as I know, and I think they would prefer to use those IPs on more customers, though I could be wrong.
Masquerading is still not prohibited! It's just VPNs, though they'll probably forbid masquerading in the future too
Now, I can see where you object to this as possibly making using an IP-Masq server a violation.
:(
My concern is on a different interpretation. This seems to state that running a VPN client from home, to securely connect to your work LAN, is now a violation of the @Home TOS.
Am I interpreting this correctly?
If so, this does not sound like it relates to selling additional IPs, but more to just making a useful broadband connection much less useful to working professionals.
Tim
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
I thought a VPN was a simulated private network across the internet, which I supposed you could use to connect two of your computers, but only if they were physically far apart, using a VPN to connect two computers in the same room sounds insane.
Perhaps you meant to mention the previous clause in the contract, where they prohibit you from being an endpoint for a lan, which is what you need to do if you're sharing an internet connection with IP masquerading.
Well, you can forget talking about drug use or legalization, DeCSS and techniques to defeat region coding or Macrovision, trade files on Napster, or even do anything that someone might sue you for. If you made a web page that criticizes @Home they'd probably nail you with this clause. Ah, welcome to the corporate republic!
VPN data packets just look like random data inside the IP packet. But maybe the firewall/router/anticompetitive device can look for the setup messages, or detect use of certain ports? This is sad. It used to be that worst case firewalls came from big company network security engineers. This is a whole new class of annoying. Now the world will need an undetectable vpn setup protocol.
Big whoop. The @Home AUP already prohibits connecting any servers to their network, and they go to considerable pain to make it clear that they're not just talking web, ftp, etc. If any of your computers are listening to any TCP ports you're in violation.
Since they don't (can't?) enforce this most people aren't bothered by it in the least. A few of us have hangups about making agreements with the intent to violate the terms, so we avoid @Home. Not that there aren't plenty of reasons to avoid them without ethical excuses...
Lacking <sarcasm> tags,
I don't think ISP's should restrict you at all, other than capping your bandwidth. Once they give you the pipe, anything else is unenforceable if the user has enough time on their hands.
--
As a Spanish user, cable is not very common here; but the local dumb telco is giving DSL on more territory than I could hope, including my home :)
Though there seem to be loads of problems of performance and reliability, I have a constant flow of info (28.5k/s downstream and 16+ k/s upstream, really good for a 256-128 Kbps setup). I think I've been for three or four months without noticing ANY problem with my connection.
The only problem is that the modem they gave me is a 3Com Homeconnect PCI modem, still unsupported in Linux (hey! if any of you knows otherwise, mail me at koali@mailandnews.com!); but it seems now they are offering a choice of internal/external modems (still, they are not willing to change mine).
If I have to talk strictly from personal experience, I would recommend ADSL anytime. But the lucky ones with cable over there seem to be ok, too...
Minor nit ... I seriously doubt that any service agreement provides them the right to "Enter your home". That's just plain illegal (unless, of course, they OWN the residence or have a court order and law officers along with).
Cutting off the service, however, is perfectly legit.
MediaOne in Chicago land used to portscan me every month or so. They never found anything (thank you tcpwrappers) but it was fun to watch.
Ever since they threw up this new Excite @Home, I've been getting hits on my firewall on port 119 from authorized-scan.security.home.net. Not that I particularly care - an entry or two every few hours in my syslog from the SYNs... but what would they be looking for on the news port??
I was interested in hearing about this since I use AT&T/@Home. It appears that this is only the Comcast user agreement and not the @Home agreement.
Remember, Comcast (and AT&T) use @Home services and can set their own user agreements separate from @Home.
Looks like Comcast sucks, but not all @Home providers are quite this bad.
how exactly would they know if someone had a VPN going on or not?
all traffic that is masqed looks as if it's coming from the connected machine, so how are they going to know if the traffic i'm generating is coming from my "legit" machine, or from my laptop that is on my private network?
-Jae
Comcast, being a cable provider, usually operates in accordance with local, county, city, or municipality governments. They have a licensed monopoly from the local government. Comcast MAY have presented @Home as a service in many ways, including offering an easy way for consumers to telecommute. This is of interest to the government because telecommuting appears to be a cheap way to lighten traffic loads.
So what I am saying is that you could try to contact your local government. They would take a deep interest in this sort of thing. Since Comcast's billing of cable customers has to be approved by the county, the county has leverage over them.
Also, another question is how would they know? The only way to know is by checking the contents of a packet. Doesn't this violate wire-tapping laws in your state?
Oh, IANAL, but just some things to consider.
W
Ok, compiling things on my firewall sucks, but I don't do that often :/
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
At first I had no idea what you were talking about "more than one computer". Then I realized, you have a computer in the living room and one in the bedroom and you are networking them together, over the Internet, by hooking them both to the cable. Dumb dumb dumb. Inefficient, insecure, a maintenance nightmare...
Why not setup a server for the LAN which hooks to @Home and shares the connection to your clients? Undetectable at the ISP level, easier to maintain, far more secure and not hard to setup. The only disadvantage is having to lay some cabling in your house--but that's simple if the computers are anywhere near each other or you can cut holes in drywall. This is what I've done (although I only have modem access right now).
Here's the real question: What are businesses going to say if their @Home-connected employees can't VPN to work anymore?
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. (1) If your computers were at different locations, you'd need multiple connections (and multiple ip's anyway), which is what VPN's are used for, securing communication between remote points. (2) If you have more than one computer at your home -- i'm assuming you can still get a netopia router that will dynamically assign all your computers with local (non-routable) ip addresses and then act as a kind of IP-masq, so you can still have more than one computer on your local area network _or_ (3) if you have a persistent connection, you should probably configure a box as a firewall anyway, using something like ip-chains (*NIX) or Proxy Server (NT) [if you use ip-chains you'll need to use a separate applications proxy - i recommend squid]. Anyways -- the point is, this will have no effect on having more than one computer at the same location.
VPN usually means creating an encrypted IP in IP tunnel, for example between home and office, to allow secure connections. So, we have a difference of interpretation here that's hard to understand. cwilson assumes it means creating a home network, probably with ipmasquerading. But I've never seen "VPN" used in that context. On the other hand, what does it mean for @home to forbid encrypted tunnels. Do they mean you can't encrypt? What about SSL? Do they mean you can't create a site that allows others to VPN in from the internet? Mysterious.
Does anyone with @home service actually adhere to the TOS? And for people that do not - have you ever received a notice from @home explaining that what you're doing is in violation of their TOS.
Personally, I know I'm in violation of probably their entire TOS - including blocking all attempts by their "authorized-scan.security.home.net" machines to scan any of my machines.
At anyrate, I'm just curious about who actually cares what their TOS says. Because - if you actually followed the agreement to the letter - about the only thing you could do with your @home service is browse the web (if that).
Who needs @home for that? I could browse the web just fine via my dialup + squid + junkbuster + etc.
I ordered @home for the speed, the static IP addresses, and the "stability" of a constant "always on" internet connection.
And you know what - I'll be damned if I'm going to obey the TOS. I don't serve out 'warez' or cause a great bandwidth strain on their network. But damnit - I want flexibility. So, in the great words of the "Butcher boy" - "fish! fuck off!"
"This is just another piece of woe for those of us whose only broadband choice is @Home. Bah!"
Waaa waaa. Try having NO choices for broadband.
Grr..
l8r
Sean
Hexy - a strategy game for iPhone/iPod Touch
What do you expect from a cable company?
They are used to a world where they control the content and everyone has to pay rates based on perceived value, not cost. You are just another set of eyeballs, a passive consumer of product.
Mea navis aericumbens anguillis abundat
The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections. :-)
The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth, so instead they are just banning anything you could possibly want to use it for other than surfing and email (and even email they are not generous about) because if they banned these they wouldn't be able to convince anyone that it was a good deal
Never underestimate the dark side of the Source
I don't think that's the same thing as me sharing my cable modem among my 8 computers in my house, using Linux IP Masquerading.
I can understand how they might get greedy and want extra money for additional machines. I think many of us also violate various TOS agreements by actually doing work over the link, but not paying their 'business customer' rates.
I just hope they never get around to traffic quantity based charges. Imagine how pissed we'll be about spam then.
----------------------------------------------
The war on drugs may be over soon.
On my first day in office I will pardon everyone who has been convicted of a non-violent federal drug offense - Harry Browne - Libertarian presidential candidate
First of all, the poster's interpretation of what this clause means is incorrect and what the term "VPN" means is incorrect. VPN is a way of securely connecting two networks over an insecure network and doesn't necessarily have anything to do with IP Masquerading / NAT.
Still the interesting question is, what would they have against VPN tunnels... I use them all the time to create encrypted links to the servers I administer... hmm... what would a huge ISP have against encrypted VPN links.. encrypted...
Could it be that encrypted tunnels would prevent them from sniffing your packets and thus participating in echelon or court ordered wiretaps? Nahh.....
It's always better to go with a local isp, name one good national isp, then name all of the great local ones.
You don't really even need the LRP. You can just use any old Linux box with two ethernet cards and ipchains. As long as your load isn't too high that should be fine. (it's what I used when I hooked up the network for my family, 6 PCs, 1 100Mhz Linux box as a router and a nice DSL connection :))
Grades, Social Life, Sleep....Pick Two.
--Justin Mitchell
"2nd Place is a fancy word for losing" --Bender (Futurama)
A VPN connection has nothing to do with what you are talking about.. You are talking about NAT. The 'rules' talk about VPN which is an encapsulation normally with encryption to transfer IP packets encapsulated in another IP packet.
As far as I can see the NAT is permitted as long as you're not a business.
Thing is, telecommuters sometimes pay their own connection. Or, companies will not want telecommuters if the prices are too high.
- sigs are for wimps.
Read the AUP linked from the original article -- they do indeed reserve the right to enter your home, with prior notice, to check, modify, or remove the equipment. It's not illegal if you sign a contract (or agree to an AUP) giving them that right.
Network ICE's BlackICE Defender works wonders for this in terms of simplicity and ease of tracking. It's amazing how often my box (W2K Server) gets hit from them. I've recorded as many as about 200 hits in one day from their systems checking for NNTP services on my system. They're more common than all of the ping, Trojan, OS fingerprint, and modified packet touches put together. BTW, I was one of those who was supposed to get an IP address, only to find that it had been hijacked by someone else. They gave me another one, but started tracking the hijacker at that point. Doesn't take long to figure out just about where he is. The traceability of a cable company's copper is amazing sometimes.
You can never go home again... but I guess you can shop there.
After all, they have to hack through my proxy before they can see my other machines, and that makes them guilty of computer crimes....
Is such a policy enforceable by any practical means?
And the TOS at that time already prohibited using the cablemodem to provide access to a LAN. There wasn't much they could do about it, but if you were known to be in violation, they could definitely terminate your service. They won't provide (or allow) routing to a domain on their network, either, since that implies that you are running your own servers. That was the prohibition, iirc: 'you may not run a server [...on your IP]' or language to that effect.
That's the reason I'm still on DSL; @home is not an option (legally), and for what @work would cost, I could upgrade the DSL bandwidth. Any way you slice it, @home is a poor value...
Maybe one of these days one of the broadband providers will figure out that overpriced, functionally limited connections are not the future of the internet, and start providing something we can actually use for something besides surfing, chatting, and napstering....
How about that broadband satellite uplink service, eh?
"The Internet is made of cats."
Are most readers missing out on the V in VPN, or am I just out of touch? I think @Home isn't saying you can't have private networks at home, using more than one computer with the service. I think what they are not allowing is Virtual Private Networking, which allows you to connect to a private network over the Net and act as a member of that network.
Am I confused or is everyone overreacting?
Refrag
I have a website. It's about Macs.
If you read all of section six, the only mention of VPN restrictions is in conjunction with reselling ISP services. This also includes the old list of HTTP, FTP, mail, blah blah. @Home has always been against the use of its cable modems for various kinds of servers, but as long as you keep a limit on the amount of bandwidth you use up doing these kinds of things, they won't care. If you use VPN for _personal_ machine administration today, you'll still be able to use it tomorrow, again, as long as you limit yourself to a reasonable level of bandwidth. My 2 cents
A VPN (Virtual Private Network) is a network set up through encrypted connections that can run over other networks (The internet).
You seem to be talking about aliasing all your PCs on to a single IP address through a proxy--a completely different matter.
Although I have a meeting NOW, a quick glance at section 6 didn't tell me which they were talking about (I couldn't find it in 30 seconds or less, sorry)
I don't have a cable modem but know some people who do. Their modems all have a cap pre-set into the modem. Without using "illegal" tools they can't upload or download faster than this cap permits anyway.
I'm not sure I'm clear on this. People tend to bandy about the term "VPN" a lot, referring both to NAT, and to any flavor of encrypted
I can see the logic in @home outlawing NATs. More IP sales == more revenue for them. IPs are one of an ISP's major assets, and for a long time have been a crucial part of the business model.
But VPNs? What do they have to gain from this? It's not going to help them sell more IPs. Having a NATed network is the quickest way to turn a fairly simple PPTP connection into a routing nightmare.
I'm a current @home user, and I telecommute at least once a week. I do this through a conventional VPN, as well as a public tunnel to the 6bone. Which brings up another question: This connection is not a "VPN" per se, but it _is_ an encrypted tunnel to another network. Are they planning on prohibiting this, as well?
Ah well, @home seemed to actually have their act together lately; guess I was mistaken. (Off to reread the "roll your own DSL" articles)
-judas
How is the "market" going to fix it if all of the consumers "bend over and take it" as you suggest?
The problem with your statement is the fact that the consumers are the market. They aren't going to fix anything if they're busy bending over and applying lubrication.
With DSL, you have a direct connection to the first hop, so none of the bandwidth is shared. If there are 100 users with 256k links, each of them gets 256k of bandwidth. DSL is consistent, but it does not offer maximum performance.
Many people say either cable or DSL is better, but it is not at all clear cut. A big variable is the amount of upstream bandwidth that your ISP has. The cold, hard truth is that YMMV...
--
Uhhh. That is retarded. I have DSL and my friend has @Home. We have set up a VPN using SSH and PPP. If @Home looked at his traffic, all they would see is an SSH connection. So what? They could never prove what he was doing with that connection. Lamers....
The agreement does not say that you cannot use VPN at all. It refers to a VPN endpoint, which would suggest that you cannot run a VPN server. VPN clients would be allowed since it would not be an endpoint but a start point. See below: "OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL"
If you're going to extend this argument this far up the stream, then it should be noted that ALL network connections share bandwidth with other users at some point. With any decent ISP, by the time you reach the sharing point with xDSL, the capacity is usually significantly higher than where the sharing point occurs with Cable modems. Cable customers also have to share again with each other at the same point xDSL customers share the first time.
-B
I pulled this from the @Home AUP at http://www.home.com/aup/:
You may not run a server in connection with the @Home residential service, nor may you provide network services to others via the @Home residential service. The @Home residential service includes personal Webspace accounts for publishing personal Web pages. Examples of prohibited uses include, but are not limited to, running servers for mail, http, ftp, irc, and dhcp, and multi-user interactive forums. For information about @Work products for commercial or network services purposes, including commercial-grade remote LAN access, please see http://work.home.net.
There's nothing here that prohibits VPNs...
1. This is only Comcast@HOME, not @home in general.
2. A VPN is a different beasty than what the poster seems to think. Private LANs with a masq or NAT box are not VPNs and are not affected by this.
3. They probably will ignore it just like they do the other things in that section unless you use gobs of bandwidth.
If you are modding me down because you disagree with me, use the "Flamebait" category, not the "Troll" one.
Your post indicates that you're concerned about losing the ability to run an IP-masqueraded network on their service, not a VPN. According to their agreement, they already ban this:
"OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK"
The new regulation only refers to VPNs and VPN-related traffic, not IP masquerading. VPNs are not necessarily IP-masqueraded. A VPN is often used to connect geographically separated networks into a single, larger network through the use of encrypted protocols and Internet bandwidth.
The crypto world invented steganography in order to hide the use of crypto (It buries the data bits in a large audio or image file). It sounds like the IPsec people would find users if they provided a variant on freeswan that hid the setup and data packets.
A virtual private network is a way to simulate a private network over a public network, such as the Internet. It is called "virtual" because it depends on the use of virtual connections-that is, temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis. Secure virtual connections are created between two machines, a machine and a network, or two networks.
(I use Microsoft's words because Comcast will agree
So this new license restriction only prevents you from using your @Home service as an endpoint for tunneling between two larger networks. This is probably so that small residential-based businesses don't use two @Home subscriptions as a dirt cheap way to connect their networks.
No biggie.
As with you, I've only ever seen them scanning nntp, though I've had several attempted connections for smb/nmb (probably windows types trying to see what's out there). I'm actually a bit worried because I haven't seen anything in my logs since the beginning of the month.
Bill - aka taniwha
Leave others their otherness. -- Aratak
sounds like you were too far from the CO, didn't they test that before-hand?
Yep, they sure did. I was less than half the maximum distance from the CO. I also ran new phone wire in my house in an attempt to improve things, with no result.
On paper, I should have had a good connection. But something with their infrastructure in my part of town was turning the DSL connection to crap. I stopped trying to figure out what the problem was once @home rolled out in my neighborhood since it gives me a faster, more reliable connection for less money anyway.
Exactly right.
The problem is that in areas where they designed their network to use load coils, then they sometimes have to play little "tricks" to remove them. Frequently, while they are able to get a DSL connection working once they remove the coils, the compromises they make in order to remove them prevent it from being a *good* DSL connection.
What's next, Seti@Home? ;-) :-O
Yup, it is here
Free ?! Does that mean I can't get a Discount ?!
This message was
Here in Kitchener-Waterloo, people on @Home with Rogers have reported regular port scans (21, 23, 80) from security.home.com or some such hostname.
Why not ban the IP? is that against the TOS??
Michael
...another insightless comment from Michael Tandy.
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
They do, in fact, enforce the ban on NNTP services, to which my firewall logs will attest. After the Usenet Death Threat a year or so ago, they take this one, at least, pretty seriously.
I just block everyone from accessing my services unless they are from a specific IP or set of IPs, which include no @Home computers save for two of my friends. Simple enough.
From the: I'll-do-whatever-the-hell-I-want-with-my-connection-thank-you! dept.
An interesting note: The guy who came to install my cable connection (AT&T@Home) was a really nice guy, we got to talk a bit. I asked him about running services and his reply was: "Yeah, it says not to, but we don't really care. We only care if you're hogging all of the bandwidth on the network. One kid did that at 3am, had all 4 T1s humming at 85% capacity. We gave him what-for. "
So apparently they have it in the agreement (at least in my area) just for the legality of it and emergency situations, but not for any sort of regular enforcement.
No no. If you wish for a business connection (even if it's just to connect to work from home at speed), you must use their @WORK service, which costs more, etc etc. m.
CIA Industries - Running the world for fun and profit
Not every area has both @Home and @Work. My area (Boulder, Colo) just got it a few weeks ago, and we only have @Home with "casual, residential use" guarantees. Reading between the lines: I can't complain if I can't telecommute because the system is down for hours while they continue rebuilding the system.
As for the telecommuting issue - I read my @Home AUP, and I actually kicked out the US Worst DSL for non-performance, and I understand that both organizations strongly downplay the telecommuting aspect because they don't want to catch the flak when people can't work. Worse, a particularly clueless drone once suggested that I "just go into the office" those days when the connection is flaky, not comprehending that as an independent consultant my home *is* my office on some projects.
The fastest way to change this attitude, in my experience, is to ask them if they think the sole reason people order this service is so they can download porn faster. (Esp. since the TV ads always show someone downloading images on a web browser, not downloading source tarballs.) This always seems to force them to reevaluate what's left after they make life unbearable for independent workers and telecommuters.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
AT&T had most of us move from dedicated ISDN to DSL/@Home via VPN.
Which is fine by me, My X traffic needs all the bandwidth I can give it...
So, I went with DSL. I will never use an ISP that has bandwidth charges, or insane rule policies.
My 70 bucks can go to an ISP that allows unlimited bandwidth, servers, static IPs and is domain friendly.
Brook Harty
-IronWolve-
Its all about the money..
ESP by itself encapsulates the entire payload (thus the acronym.), encrypts it, and sends it along.
AH by itself [I think. Fuzzier on AH more so than ESP] just adds a checksum or hash to the packet header by which you can verify that the contents of the packet haven't been manipulated.
The two can be used together, or separately. AH doesn't work very well, for example, through NAT boxes.
There's also PPTP, but nobody uses/relies on it (if they do, they probably shouldn't.)
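The AH-versus-NAT point above, worked through as an added example that is not code from the thread: a simplified AH-style integrity check covers the IP addresses, so a masquerading box that rewrites the source address breaks it, while an ESP-style check over the payload only is unaffected. HMAC-SHA256, the shared key and the addresses are assumptions for the demo (real AH uses truncated HMAC-MD5/SHA-1 and keys from IKE).

```python
"""Added example (not code from the thread): why an AH-style integrity check
breaks behind a masquerading/NAT box while an ESP-style one does not.

Simplified model of IPsec AH: the integrity check value (ICV) is a MAC over the
payload plus the IPv4 header with its mutable-in-transit fields (TTL, header
checksum) zeroed, so the source and destination addresses are part of what is
authenticated. Assumptions (not from the thread): HMAC-SHA256 as the MAC
(RFC 2402 specifies truncated HMAC-MD5/SHA-1), a constructed shared key,
constructed private/public addresses, and the header checksum left at zero.
"""
import hashlib
import hmac
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
SHARED_KEY = b"constructed-demo-key"  # constructed; real SAs get keys from IKE

# Field indexes in the unpacked header tuple.
F_TTL, F_CKSUM, F_SRC = 5, 7, 8


def ipv4_header(src, dst, proto, ttl=64, total_len=20):
    """Build a minimal IPv4 header (no options, checksum left as 0)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def immutable_view(header):
    """Zero the fields AH treats as mutable: TTL and header checksum."""
    fields = list(struct.unpack(IPV4_FMT, header[:20]))
    fields[F_TTL] = 0
    fields[F_CKSUM] = 0
    return struct.pack(IPV4_FMT, *fields)


def ah_icv(header, payload, key=SHARED_KEY):
    """AH-style ICV: MAC over the immutable header fields plus the payload."""
    return hmac.new(key, immutable_view(header) + payload, hashlib.sha256).digest()


def esp_icv(header, payload, key=SHARED_KEY):
    """ESP-style ICV: only the payload is covered; the outer header is ignored."""
    del header  # deliberately not part of what ESP authenticates
    return hmac.new(key, payload, hashlib.sha256).digest()


def forward_hop(header):
    """What a plain router does: decrement TTL, leave addresses alone."""
    fields = list(struct.unpack(IPV4_FMT, header))
    fields[F_TTL] -= 1
    return struct.pack(IPV4_FMT, *fields)


def nat_rewrite(header, public_src):
    """What a masquerading box does: one hop plus a rewritten source address."""
    fields = list(struct.unpack(IPV4_FMT, forward_hop(header)))
    fields[F_SRC] = socket.inet_aton(public_src)
    return struct.pack(IPV4_FMT, *fields)


def verifies(icv_fn, sent_header, received_header, payload):
    """Receiver-side check: recompute the ICV over what actually arrived."""
    expected = icv_fn(sent_header, payload)
    return hmac.compare_digest(icv_fn(received_header, payload), expected)


def ah_survives_router(src, dst, payload):
    """AH across an ordinary router: TTL is excluded from the MAC, so it passes."""
    sent = ipv4_header(src, dst, IP_PROTO_AH)
    return verifies(ah_icv, sent, forward_hop(sent), payload)


def ah_survives_nat(private_src, public_src, dst, payload):
    """AH across a NAT box: the rewritten source address is authenticated data."""
    sent = ipv4_header(private_src, dst, IP_PROTO_AH)
    return verifies(ah_icv, sent, nat_rewrite(sent, public_src), payload)


def esp_survives_nat(private_src, public_src, dst, payload):
    """ESP across the same NAT box: the outer header is not covered at all."""
    sent = ipv4_header(private_src, dst, IP_PROTO_ESP)
    return verifies(esp_icv, sent, nat_rewrite(sent, public_src), payload)


if __name__ == "__main__":
    data = b"constructed payload"
    print("AH through a router:", ah_survives_router("192.0.2.10", "198.51.100.1", data))
    print("AH through NAT:     ", ah_survives_nat("192.168.1.10", "203.0.113.5", "198.51.100.1", data))
    print("ESP through NAT:    ", esp_survives_nat("192.168.1.10", "203.0.113.5", "198.51.100.1", data))
```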
I hope Roadrunner, my cable modem provider, doesn't pull this same stuff.
It really is a shame. These so-called service providers need to wise up and realize that Internet service isn't one-way any more, and that being able to log onto the office securely from home and being able to VPN into my home network are vital, essential, acceptable uses for their service. As it is, they're saying that I don't have the right to protect my property or information over their service, and neither does my employer. That's crap.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
The @Home "network staff" doesn't even know what SubSeven, Back Orifice, or NetBus are - if they don't understand the fundamentals of network security, what makes anyone think that they'll be able to tell the difference between an SSL-encrypted web connection and a VPN connection?
If you're *that* worried about it, just set your VPN up on 8000 or 8080. They'll *never* notice the difference.
Specialization is for insects. - R.A.H.
It depends entirely on the area you're in. For example, as I understand it, @Home in New England blows bald goats. However, in my neck of the woods (Comcast@Home in SoCal), I have an uplink of 480Kb, and a downlink that I can routinely test at 1.5Mb, and which has on several occasions touched 5Mb, and on one occasion, even reached the 6Mb mark. (Mmmmmm..... 760K/sec... ) (This was early morning and I can only ascribe it to lucking my way in during a performance test or something like that.) I don't use the proxy, which would have been useless in these cases, anyway, since they were from private FTP sites.
Most people I know of are rather locked in at lower speeds, rarely seeing 1Mb down and never seeing higher than 128Kb up. I count myself as very, very lucky.
They want you to believe that you must use DHCP, but their tech let me know that each and every box gets a static IP that is hard coded in the DNS (yes, I confirmed).
It is simple enough to set up a router/DNS box to use this single IP address and run NAT for all private addresses inside. There is no way they could ever know this is happening since all traffic will come from the single assigned IP address.
Just my two cents
A year spent in artificial intelligence is enough to make one believe in God.
You should be ashamed. This has nothing to do with multiple-IP users and doesn't mean a thing to people who have more than one machine and only have one IP that they masquerade through. A "private network" is _not_ the same as a "virtual private network".
People claim that the people who post responses to /. often go off half-cocked, but I suppose this just shows that those posting the stories aren't immune.
I don't get Roblimo's comment. What do VPNs have to do with NAT or IP Masquerading?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The cited portion of the @home contract is not preventing users from running masquerading (aka NAT in the non-Linux world) firewalls. VPNs are a way of tunneling network traffic over a non-secure network in a secure fashion (using encrypted connections/packets) and provide the illusion that many spatially distant computers are communicating over a common LAN, rather than over the open internet.
There may well be a section of the @home contract that forbids masquerading/NAT firewalls. I know that such clauses were popular a year or so back (mostly specifying that only a single computer could be hooked up to the service, which pretty much forbids masquerading/NAT firewalls), but the cited section is dealing with something else entirely.
What cable service do you guys have? I used comcast@home and it is a free-for-all for bandwidth. The caps are (supposedly) 1.5 Mb down and 128Kb up. I haven't gotten to the 1.5 on the down, but I have hit 800 kb on the up (less usage of that channel). The nature of cable modem architecture uses a "head unit" that all the lines on a node plug into. They (the cable ISP) set usage levels on the fly at that point (which also can make settings/firmware changes in the modems).
I don't get charged for traffic usage, only a monthly flat fee. Now the commercial line (same bandwidth as a T1 w/QoS agreement) does charge by usage.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Couldn't it be construed that packet encapsulation altogether is a VPN and HEAT and MPlayer will be fuct? If that is allowed then can they stop IPv6? And... drum roll please... IPv6 features encryption, even user-defined encryption. So in theory you could do IPv6 under the same principles that HEAT and MPlayer are allowed.
I've written (email) the following letter to @home to see if they have a clue:
------------------------------------
I am a current @Home subscriber. The future of you providing my service
rests on the following questions:
Pertaining to section 6 d:
'OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL'
I wish to clarify that you do indeed mean VPN and not NAT.
Question 1a) Do you really mean VPN?
1b) How does @home define a VPN?
A VPN may be implemented over HTTP or other already allowed protocols.
Question 1c) Does this also deny such a VPN?
Question 2) Do you really mean NAT?
While a NAT (Network Address Translation) computer would cut into the $6.95 it costs for an additional IP address, it is unclear why you would ban use of a Virtual Private Network (VPN), because it would not cut into profits. These two items are not related, but may be used in conjunction (but usually are not.) A VPN provides secure networking between computers over the Internet.
Question 3) Why would @home ban VPN? Note: 'Because' is not sufficient. Please explain in detail why this restriction was chosen to be amended to the agreement. Please include any examples or relevant material.
Section 9 A: You cover eavesdropping and how it is a risk. A VPN is the solution to such risk.
Question 4) Do you still wish to ban VPN?
My friends and I (all @home subscribers (for now)) wish to run a VPN. Provided that the VPN is in accordance with US and local authorities:
Question 5a) Is this permitted by @home?
5b) If so, are there any restrictions? 5c) what are those restrictions?
Question 6) What measures will @home take to prevent/and/or detect VPNs?
Question 7) If a VPN is discovered, through legal means, what measures will @home take?
Question 8a) Is packet encapsulation considered VPN? If so, services like heat.net and mplayer.com will not function, since these services encapsulate IPX over IP. What about IPv6? Also, AOL would be affected.
Question 8b) Are you aware of these ramifications?
Please note that an answer such as 'whatever is deemed necessary' is vague. Please elaborate as much as possible. Answers will be taken with consideration as to the notion of 'progress' and 'advancement' of the service. Also please place the answer to each question below that question. Please answer each question. If the answer is 'unknown', then please state 'unknown' and refer me to the appropriate person inside @home who would know.
Thank You for your time,
A current subscriber.
Aren't you glad they made a change to the customer agreement without asking for your approval first?
Technically, I think they're trying to cash in on the companies and people who are working at home and use a VPN into their corporate office. If you want to use a VPN then you need to go with their corporate broadband services. No one needs to *USE* a vpn unless they were working for a corporation anyway, right?
I basically agree with you, but in reality you are also paying for their maintenance of an IP address space. Now, it would be nice if they would resell, say, a /28 or larger to their customers, and let their customers manage their own bandwidth on that. That said, there is really no requirement for @home to sell IP blocks, and they have chosen not to do so. They do not want to be just a pipe, even if every single customer of theirs whom I know (including myself) wants them to be just a pipe.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
I looked all over and I couldn't find any reference that this was anything other than a comcast specific TOS agreement. I dug around the actual @home site and this is what I've found.
http://www.home.com/support/aup/
Have we become so hungry for controversy that we attack @home for something that with a little research is so obviously not their problem? Though they lend their name to the product, I'm sure that a majority of what goes on with the services is left up to the cable provider.
I use @home so I read through the user agreement and guess what. I found it to be very lenient and common-sense oriented. Also, after reading between the lines I'm a lot less scared of being kicked off the service for doing what I do every day than when I started reading this thread listening to all the people who have failed to educate themselves on the topic.
P.S. I know the spelling sucks; it's a discussion, not my doctoral thesis.
Sure. All they would need to do is block IP protocol 47 - GRE traffic. They could block PPTP traffic as well, but once the initial PPTP connection is made, it switches over to GRE anyway, so it would fail.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
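What a header-level rule like "block protocol 47" actually catches, as an added example that is not code from the thread: a small classifier parses a constructed batch of IPv4 packets and drops GRE, IPsec ESP/AH and the PPTP control port, while the SSH+PPP tunnel mentioned earlier in the thread, plain HTTP and a 6in4 tunnel pass. The addresses, ports, payloads and the rule set are assumptions for the demo, not any provider's configuration.

```python
"""Added example (not the thread's own code): what a header-level filter of
the kind "block IP protocol 47" would and would not catch on a cable segment.

It parses a constructed batch of IPv4 packets and applies rules keyed only on
the IP protocol number (GRE 47, IPsec ESP 50, IPsec AH 51) and the PPTP
control port (TCP 1723). An SSH-over-PPP tunnel on TCP port 22 is
indistinguishable from any other SSH session to such a filter, and a
6in4 tunnel (protocol 41) passes unless a rule names it.
Assumptions: constructed addresses, ports and payloads; an illustrative rule
set, not any provider's actual configuration.
"""
import socket
import struct

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
IP_PROTO_IPV6, IP_PROTO_GRE, IP_PROTO_ESP, IP_PROTO_AH = 41, 47, 50, 51

# Rules enforceable with nothing more than IP header and TCP port inspection.
BLOCKED_PROTOCOLS = {
    IP_PROTO_GRE: "GRE (carries PPTP data)",
    IP_PROTO_ESP: "IPsec ESP",
    IP_PROTO_AH: "IPsec AH",
}
BLOCKED_TCP_PORTS = {1723: "PPTP control channel"}


def packet(src, dst, proto, payload=b"", sport=0, dport=0):
    """Constructed IPv4 packet; TCP/UDP get a stub 8-byte L4 header carrying ports."""
    l4 = struct.pack("!HHI", sport, dport, 0) if proto in (IP_PROTO_TCP, IP_PROTO_UDP) else b""
    total_len = 20 + len(l4) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4 + payload


def classify(pkt):
    """Return ('drop' | 'pass', reason) for one packet under the rules above."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "pass", "not IPv4; outside this filter's scope"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in BLOCKED_PROTOCOLS:
        return "drop", BLOCKED_PROTOCOLS[proto]
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        if proto == IP_PROTO_TCP:
            for port in (sport, dport):
                if port in BLOCKED_TCP_PORTS:
                    return "drop", BLOCKED_TCP_PORTS[port]
        name = "TCP" if proto == IP_PROTO_TCP else "UDP"
        # The filter never looks past the ports: an encrypted tunnel inside
        # SSH is just "TCP/22" here, exactly like an interactive login.
        return "pass", f"{name}/{dport}: payload opaque to a header filter"
    return "pass", f"IP protocol {proto}: no rule"


def apply_policy(pkts):
    """Run every packet through classify(); returns ({verdict: count}, drop reasons)."""
    counts = {"drop": 0, "pass": 0}
    reasons = []
    for pkt in pkts:
        verdict, reason = classify(pkt)
        counts[verdict] += 1
        if verdict == "drop":
            reasons.append(reason)
    return counts, reasons


# Constructed traffic from one subscriber's public address to an office and a web host.
HOME, OFFICE, WEB = "203.0.113.5", "198.51.100.20", "198.51.100.80"
SAMPLE_PACKETS = [
    packet(HOME, OFFICE, IP_PROTO_TCP, b"", 40001, 1723),           # PPTP control setup
    packet(HOME, OFFICE, IP_PROTO_GRE, b"\x30\x01\x88\x0b"),         # PPTP data (GRE/PPP)
    packet(HOME, OFFICE, IP_PROTO_ESP, b"\x00\x00\x10\x01"),         # IPsec ESP
    packet(HOME, OFFICE, IP_PROTO_AH, b"\x04\x04\x00\x00"),          # IPsec AH
    packet(HOME, OFFICE, IP_PROTO_TCP, b"SSH-2.0-demo", 40002, 22),  # ssh + pppd tunnel
    packet(HOME, WEB, IP_PROTO_TCP, b"GET / HTTP/1.0\r\n", 40003, 80),
    packet(HOME, OFFICE, IP_PROTO_IPV6, b"\x60" + b"\x00" * 39),     # 6in4 tunnel to the 6bone
    packet(HOME, WEB, IP_PROTO_UDP, b"\x00\x01", 40004, 53),         # DNS
]


if __name__ == "__main__":
    counts, reasons = apply_policy(SAMPLE_PACKETS)
    print(counts)
    for r in reasons:
        print("dropped:", r)
```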
All DSL/cable providers should be this good...
Say hello to zMac.
In any case, a more general question concerns @Home's generally restrictive AUP. This is not the first time that @Home has saddled its users with restrictions on fairly common uses of a home network connection. Here in Connecticut, our CT @Home users group has had an active discussion regarding these restrictions. In point of fact, our AUP has prohibited VPNs, NATing, and a host of other activities for a long time. Other "disallowed" activities include running a server at home, for instance. While I can accept the validity of not allowing an "@Home" user (as opposed to an "@Work" user) from running a commercial server, prohibiting me from running an FTP server at home so I can retrieve files I need while at work seems to me to be unreasonable. Further, the last AUP I read (about a year ago) purported to make all content transmitted via the network connection the property of @Home (good thing I'm writing this at work!). Also, anything posted on the web site provided to each @Home subscriber would belong to @Home. So this means that if I write an email, @Home owns it...and if I write that Great American Novel and email the document to my publisher, actually @Home owns it because I emailed it...Say, I wonder if I send some illegal content, then the police should actually arrest someone at @Home, because the simple act of transmitting it over my @Home connection makes it @Home's property...
As an argument for limiting actions such as running a web server, @Home has offered the negative impact that this has on network performance because the cable modem connection is shared by everyone on the same piece of coax. That's great, but I wonder a) how that makes it legitimate for @Home to claim to own the content of my transmissions, b) how my retrieving a 100K file once a day from work should be enough to kill their network, c) why they cannot just monitor the network for high-bandwidth abusers and deal with them directly without restricting users such as myself, or d) why they don't just install enough hardware to meet the demand they have created with their excessive and misleading advertising.
As everyone using @Home knows, they have already capped both upload and download transmission rates in most of their coverage areas. With a download cap of 128 or 256K, advertising speeds of up to 10MBs doesn't seem quite accurate, does it?
In the interest of fairness, I'll conclude that I am actually very happy with my @Home service. While the customer service phone line takes forever to get through, I have been fortunate to have had relatively rare service outages, and the ones that have happened have been brief (unlike others I know, but I've been very lucky). The service is "fast enough" for me (I'm not a gamer, so I don't know if I could "Quake" or not), although it is noticeably slower than the lightning-fast speed it had when I first got it a few years ago. Overall, I'm actually quite happy with the service, but it would be better if I didn't have to worry that the cable police would be cutting off my service because I VPN'd in to work one night.
@Home sucks. Is ADSL any better?
In my humble experience yes. A lot depends on who is supplying your ADSL. My ISP is Telus (Alberta, Canada) and their service rocks compared to Shaw@home (Shaw Cable).
The ADSL line was tested to 1.55 down and .5 up. I get these speeds more often than not. When I was on @home I was usually only getting .7 down on average - most of the time it was .5 down. My latency on ADSL has been very good as well.
Additionally @Home's USENET servers suck. The retention is about 1 day, or less, on the binary groups.
One drawback. My ADSL line will never exceed 1.55 down. Sometimes (at 4:30 am, with a full moon) I did manage to get 4.7 down over cable (downloading the latest Mandrake ISOs). But that sure did not happen very often.
-- Spammers: My E-mail server is in California. Consider yourself warned.
IANAL, but I don't believe you have to accept changes to Terms of Service that occur within a contract's time period. I remember reading this in regards to credit cards, but I don't see why it wouldn't apply to this. Any lawyers out there who could verify this?
-----
"I always try to avoid the term 'language', but it is certainly a complex communication system."
-Vincent Janik
The "Private" context of a VPN is much more important than the virtualized network presence of a transferred network link.
Privacy and cryptography are intimately linked in Virtual Private Networks; it's the cryptography that makes people willing to use the link at all.
So, from that I have to ask a simple question: Does @Home plan to monitor my traffic for information they can't decrypt? Is @Home saying that if I would use an unencrypted link to my work email, they'd have no problem with my working from home?
Can you imagine if a *telephone* company tried to specify who you were and weren't allowed to call, and what you were allowed to say, and that they needed to be able to understand every word you spoke?
What part of "Common Carrier" doesn't @Home understand?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
ROBLIMO!!! Please read the links of the articles before posting them.
resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or ununbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or
Note: I had to use Lotus Wordpro to switch this to lower case, because /.'s unintelligent bastardized lameness filter stopped me. *smile*
All it is saying, is that you cannot resell @HOME services. What is wrong with that? I think it's perfectly fine. If you want to use it commercially, you pay for such access.
But seriously. Can Slashdot posters PLEASE read links, it might reduce the amount of FUD which gets passed through.
I doubt this will happen, since they do not appear to scan for any other services that violate their AUP (e.g. HTTP, FTP, SMTP, news). You aren't allowed to run any 'services' on a machine connected to the @Home network (at least with Comcast's agreement). Why would they start now, with VPNs?
I think it's just a customer service issue: "I can't connect to my company's fileserver" calls coming from a subscriber at 9pm, when they should really be contacting their company's IT department (who all went home at 5).
Carnivore isn't a "product", i.e. something that gets installed on a host, it's a box that gets attached to a network segment and listens for whatever it wants to capture.
To cover the bleeding obvious basics first (for our journalist friends): on a network segment, such as a group of PCs connected by a hub, with the hub up-linked to a router, every PC sees all network traffic on the segment, but (normally) chooses to only receive the network traffic addressed to it, directly or via broadcast. However, any PC can "eavesdrop" on the traffic on the segment, receive any or all packets for any or all hosts and do whatever. Carnivore either sucks all traffic and looks for mail, or is configured to suck in all mail protocol traffic sent to/from the IPs of mail hosts.
Many ISPs (such as Earthlink) require that all outgoing e-mail from a dial-up customer go out through their e-mail host and enforce this at the protocol level on their network. While a user can read any POP mailbox they have access rights to, they can't SMTP out except through the ISP's e-mail host(s), which is(are) potentially monitored by Carnivore. However, if the SMTP is encapsulated in a VPN, you could connect to any SMTP accessible at the other end of the tunnel, potentially anywhere on the internet (such as your company's mail server). This doesn't mean that THAT SMTP isn't vulnerable to Carnivore, but at a tiny company you're probably going to hear about it if the FBI walks in the door, and I can't imagine a Fortune 500 giving the government the ability to read all the company mail without a fight either...
I think a big part of the issue is that the part of town you live in has an older infrastructure, which means heavier copper, fewer loading coils, etc... The ISP issue may also have something to do with
Er... I would think you wouldn't want any load coils at all on your DSL pair. Right?
--- Where's my X.400 protocol decoder?
Perhaps they like to, or let others, spy on you. I believe a VPN would make this considerably harder, so why not, from their point of view, ban it?
--Drew Vogel
Ok, so sometimes it doesn't seem as fast as I would like it to be (is anything that fast, though, really?), but man, these other cable companies seem to enjoy making it difficult! RR gives you the self-install option, which means not only is it faster for them, but it's much easier for me to hook up a router and connect my internal LAN to it. Since there's no login or anything, it literally works right out of the box.
-------
"It was people! People soiled our green!"
For one I personally do not think Telephone or Cable companies should be in the internet business as they can't provide reliable service for their primary business let alone a secondary... Some may wish to argue this but if you think about it long enuf you can find the rationale behind this...
Next I always try to find a local or regional provider before I look at any large company... This thread in and of itself is a good case in point... My ADSL service provider is a local company... I've gotten to know the company employees and have openly discuss'd with them my actual usage of the line... They know I run Linux (In fact they even offer tech support) and that I also have host'd web sites and a co-located box or two online as well... All of which I am paid for hosting... I've also got a complete subnet of valid IPs and could have another block in a short period of time should I need it... The point is if you find a smaller local company you generally can get on better terms with them... I'll add that the relationship I have with my provider has also been great when I've had hack attempts made on my equipment as they are as responsive as if it were their own equipment... Honestly I feel you get better quality service in the long run... My only outages have been the result of the Telco who carries the "last mile" of copper performing unscheduled maintenance on the DSLAM that they fail to inform the customer or the ISP offering ADSL service...
On the topic of the VPN... It's relatively easy for them to block IPSec VPN traffic as it uses standard ports and protocols... All you actually need to do is block the ESP (50) and AH (51) protocols along with the IKE (500) port on UDP (17).
Curious.. would this also prohibit the old RedHat box masqing IPs for the Windows box?
Glad I have Mediaone Roadrunner.. at least, for now..
jack's bicycle is music to my ears
or does this mean that comcast @home customers can't use a vpn to get into their corporate networks anymore. bye-bye telecommuting.
----------------------------
> They refuse to install the modem if you have anything other than Win 95/98/ME or a Mac.
.. are they going to cut you off? With ASDL just becoming avail in Mass., the answer should be no.
Not true. At least in Massachusetts, they recognize NT4 and NT5.
Last year in Jan when I got my cable modem, I told the guys I was running Linux. They said they didn't support Linux. I asked them if they would install the cable modem on a NT box, and then let me handle the setup for Linux. After they said yes, I asked if there would be any problems running a Linux firewall. They said as long as it doesn't cause any problems. Since I didn't allow the tech guy to touch my computer, I asked him for the usual net config info, such as domain name, dns servers, and whether they were using DHCP.
Currently, I'm running Win2k as my main internet machine (due to me not having time to learn all the new ipchains stuff in 2.2) If the @Home guys make a hassle about non-windoze OS's, like BSD, or BeOS, just setup a windows partition, let the tech guys do their stuff, then switch over to the OS you want to use.
If you are a paying customer, but don't use a "supported OS"
In either case it is relatively unenforceable. It's all data coming out of one box as far as they're concerned; the only way they can tell is if they break into your house. I suppose they could do traffic analysis for masquerading, or just watch for packets with encrypted data conforming to the VPN protocols. But my, that would be awfully Orwellian of them, wouldn't it?
Don't worry. The market will fix it... someday. Just bend over and take it like a good consumer in the meantime.
Who cares what @Home dictates in their policies? Most of the crap in there is totally unenforceable. For instance, I have several friends with cable modems who use a certain Windows program to uncap their bandwidth, so they have the equivalent of a fiber optic line running into their house.
Number of things @Home can do about it?: Jack squat
I do admit, though, that things like IPSec ARE filterable, so I think that this move is just a way for @Home to squeeze a little more money out of its users by charging them "business" rates to telecommute.
Friends don't let friends use multiple inheritance.
I know others have said it but I hope this will clear it up a bit:
The additional (or changed) verbiage to the @home agreement is specific to VPN's, NOT NAT; however I think that it is a fair assessment in saying that NAT will probably be the next item to specifically get the ax in their user agreement - the motivation seems to be to squeeze every nickel out of users they can. In @home's way of thinking apparently the limitations seem to be an attempt to limit UPLOAD traffic and to eliminate ANY type of service from being made available from a PC connected to their service to the outside a.k.a. the big bad Internet.
I strongly suspect it is an attempt to stem the tide of any site that might get a lot of attention (i.e. Slashdoted) that has say an Apache webserver running and literally crush the already fragile bandwidth they supply you with. Another reason for the "no services" rule is to prevent someone relaying gawd awful gigs of email through a poorly setup mail server.
I have already done battle with a local representative of another cable ISP over NAT; they adamantly publicly refuse to allow it - for the bandwidth reasons above - although in a meeting mano-a-mano he said to the side something like "Look, we basically don't care what you do as long as you use only ONE IP and DO NOT have any services running that can be accessed from the outside."
I can't see how they could detect a small VPN or NAT system running as long as it was locked down behind a firewall and not open on ports for these services.
Just trick them? Use one of the other less well known vpn solutions, like VPND. I've been using vpnd for well over a year now, and it works wonderfully. Just pick a non-standard port, and they'll never even know to look for it.
I'm a leaf on the wind. Watch how I soar.
I think that servers do *slightly* hurt the cable modem network more than surfers, because the limited amount of upload bandwidth that you share with your neighbors will be saturated by you (hence the "web-hog" commercials that we saw here in California).
If I recall correctly, the download bandwidth on the cable modems is like 10x greater than the upload bandwidth...
Doh!
From reading section 6b viii
Having multiple IPs has nothing to do with VPNs. That's NAT or IPMASQ, not VPNs.
This would seem to prohibit attaching from your home machine to a corp VPN connection or perhaps to your real hosting provider. In addition, the same passage seems to prevent using it for any business purpose. So using my cable modem to connect via ssh into an office would seem to violate the policy.
This seems shortsighted and bad. How can I telecommute using the service? This is a serious issue here. How about using the web to do research for my job?
Is this a ploy to make you buy a more expensive line?
matt
It really does sound like they are prohibiting the connection to work VPN's. If this is truly the case then:
1) they are very stupid
2) they are begging people to switch to other providers and/or xDSL
A year spent in artificial intelligence is enough to make one believe in God.
They can't possibly detect ip-masq.
Unless you patch your kernel, Linux uses ports 61000 and up as the source port for masqueraded connections. A lot of traffic originating from that port range makes it at least suspicious that masquerading is used, but indeed they can never be 100% certain.
--
bgphints - internet routing news, hints and ti
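Two detection hints raised in this thread, filtering IPsec by protocol 50/51 and UDP 500 (the ADSL post above) and the "source ports from 61000 up" masquerade tell in this reply, worked as one added Python example that is not code from any poster. The flow records are constructed, and the upper bound of the masquerade port range and the thresholds are assumptions.

```python
"""Flow-record heuristics discussed in this thread: classify IPsec VPN traffic
(ESP = protocol 50, AH = protocol 51, IKE on UDP port 500) and rate the hint
that many source ports at 61000 and above mean a Linux 2.x box is masquerading.
All flow records below are constructed sample data, not a real capture."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51
IKE_PORT = 500
# Port range the Linux 2.0/2.2 masquerade code allocated from (the upper
# bound is an assumption; the post only says "61000 and up").
MASQ_PORT_LO, MASQ_PORT_HI = 61000, 65095


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: Optional[int]  # None for protocols that carry no ports (ESP, AH)
    dport: Optional[int]


def classify_ipsec(flow: Flow) -> Optional[str]:
    """Return "ESP", "AH" or "IKE" for the IPsec component a flow belongs to,
    or None for everything else.  Protocols 50/51 plus UDP/500 are exactly
    what the filter described in the thread would match on."""
    if flow.proto == ESP:
        return "ESP"
    if flow.proto == AH:
        return "AH"
    if flow.proto == UDP and IKE_PORT in (flow.sport, flow.dport):
        return "IKE"
    return None


def ipsec_users(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Map each source address to the sorted list of IPsec components seen."""
    seen: Dict[str, set] = defaultdict(set)
    for f in flows:
        kind = classify_ipsec(f)
        if kind:
            seen[f.src].add(kind)
    return {src: sorted(kinds) for src, kinds in seen.items()}


def masquerade_suspects(flows: Iterable[Flow], min_flows: int = 5,
                        threshold: float = 0.8) -> Dict[str, float]:
    """Per source address, the fraction of TCP/UDP flows whose source port lies
    in the masquerade range.  Addresses with at least `min_flows` flows and a
    fraction >= `threshold` are returned.  This is only a hint, as the reply
    says: a host whose own ephemeral range overlaps 61000+ (Windows and macOS
    use 49152-65535) produces the same pattern without any masquerading."""
    total: Dict[str, int] = defaultdict(int)
    high: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto not in (TCP, UDP) or f.sport is None:
            continue
        total[f.src] += 1
        if MASQ_PORT_LO <= f.sport <= MASQ_PORT_HI:
            high[f.src] += 1
    return {src: high[src] / n for src, n in total.items()
            if n >= min_flows and high[src] / n >= threshold}


# Constructed sample: .10 masquerades a LAN, .20 is a single PC using the
# classic 1024+ ephemeral ports, .30 runs an IPsec tunnel to a corporate gateway.
SAMPLE_FLOWS = [
    Flow("24.0.0.10", "198.51.100.5", TCP, 61001, 80),
    Flow("24.0.0.10", "198.51.100.6", TCP, 61002, 443),
    Flow("24.0.0.10", "198.51.100.7", UDP, 61003, 53),
    Flow("24.0.0.10", "198.51.100.8", TCP, 61004, 110),
    Flow("24.0.0.10", "198.51.100.9", TCP, 61005, 80),
    Flow("24.0.0.10", "198.51.100.5", TCP, 1034, 80),   # the masq box itself
    Flow("24.0.0.20", "198.51.100.5", TCP, 1025, 80),
    Flow("24.0.0.20", "198.51.100.6", TCP, 1026, 443),
    Flow("24.0.0.20", "198.51.100.7", UDP, 1027, 53),
    Flow("24.0.0.20", "198.51.100.8", TCP, 1028, 25),
    Flow("24.0.0.20", "198.51.100.9", TCP, 1029, 80),
    Flow("24.0.0.30", "203.0.113.1", UDP, 500, 500),
    Flow("24.0.0.30", "203.0.113.1", ESP, None, None),
]

if __name__ == "__main__":
    print("IPsec users:", ipsec_users(SAMPLE_FLOWS))
    print("masquerade suspects:", masquerade_suspects(SAMPLE_FLOWS))
```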
I've subscribed to @home for about a year now......and up until recently, I've actually purchased the second IP address just for simplicity's sake. Then, I bought a wireless networking kit for another computer, and that whole plan went straight to hell. @home needs to figure out that realistically, no one is going to want to pay an extra $10 (or whatever it is in your area) for an IP address, especially after flip-flopping back and forth. I remember before @home was available here, cable modem service (known as "the wave") would not allow any kind of connection sharing. Then, the service becomes @home, no networking or sharing allowed, but wait, three months down the road, our policy has to change. Honestly, this is really going to turn people off cable...this also disturbs me as I'm moving in a week, and have to get the service set up again (look ma, another $80 installation)
"Life ain't interesting till you blow something up" --Anonymous
If you're going to extend this argument this far up the stream, then it should be noted that ALL network connections share bandwidth with other users at some point
I almost did note that. Not sure why I decided against it.
I think the point I was trying to make was that while the architecture of an ADSL based ISP looks better than that of a cable modem provider on paper, that technical advantage doesn't necessarily translate to a higher quality of service in the real world. There seem to be two debates going on regarding cable vs. DSL.
#1. Which solution is technologically superior. (clearly DSL)
#2. Which solution provides a better connection. (in many cases, cable)
I've personally used cable modems in about 12 separate locations, and shared bandwidth or not, they ALL provided better throughput than similarly priced DSL options.
Of course, my personal experience is not a statistically valid sample, YMMV, all that jazz...
So IPmasq really works on a lower level than NAT.
-----------------
Kevin Mitchell
I've written a little program that will use the Linux ethernet tap device to take ethernet frames, optionally encrypt them using blowfish, and encapsulate them in UDP datagrams that are sent to a certain list of peers (either fixed or dynamically updated). So, in effect, it performs the task of a VPN; the advantage, though, is that the datagrams are standard UDP datagrams, which are not distinguished by their protocol number (only their port number, but that can be changed at run time), thus essentially impossible to filter from "legit" packets (there isn't even a recognizable application level header, because all is encrypted using blowfish and transmitted "as is"; changing the blowfish key could produce just about any content in the datagram). This could be useful in getting around any kind of filtering mechanism of this sort (unless they decide to completely disallow UDP, but that would be a bit fascist even for most ISPs).
I use it, together with a UDP bouncer program, to get around a fascist firewall. I used to do it on TCP, but I had all sorts of nasty resonance problems between the two TCP windows, so I dropped that (the advantage of TCP, though, is that it never lost any frames as UDP does).
Program is GPL'd. Your mileage may vary. Use at your own risk. Standard disclaimers apply.
Don't forget that cable modem hanging off that copper is a full-fledged router/monitoring device. The hardware in a DOCSIS (the standard) cable modem is truly impressive. It contains the logic to function as a router with plenty of monitoring tools built-in. A proxy or NAT style router/firewall is still the safest (and highest performing) method of placing multiple computers on a cable or DSL connection. There is (almost) no way of detecting multiple machines behind a NAT router or something similar.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
You know, you're right. I don't agree with everything that they do, but I do agree, the service is reasonable.
Eh...
Well, this has nothing to do with the technology (DSL vs Cable modem) but with the company.
I use Road Runner, and I *am* going to Telecommute. I see nothing in their agreement about that.
A DSL provider could come up with a similar nonsense agreement too.
- sigs are for wimps.
I've been watching tcpdumps of the network traffic, and @Home has been using arp and ping to cycle through all of the IPs within their subnet. So not only are they monitoring how many IPs are in use, but they're monitoring which ones are active and by who. I've had the service for a week, and I've seen them cycle through all of their IP addresses several times. At first I thought it was sort of an "on-demand" thing -- so they could ping the network to see which IPs were available. But the arp requests come in at about 1/sec and have been continuously for the past week.
Of course, my FreeBSD firewall blocks the incoming UDP arp packets, and blocks pings anyway, so they won't get anything from me.
Thus, I come to the conclusion that DSL is a better deal, provided you can find a good ISP (I strongly recommend speakeasy, they even fully support linux).
isomerica.net | Foonetic IRC
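The ARP/ping sweep described in this post, as an added detection example (mine, not the poster's) run over constructed tcpdump-style lines; the tcpdump line formats, the thresholds and the addresses are assumptions.

```python
"""Detect the subnet sweep described above (ARP who-has requests, or ICMP echo
requests, walking through every address at roughly one per second) in
tcpdump's text output.  The lines below are constructed, not a real capture."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Classic tcpdump formats (assumed): "HH:MM:SS.ffffff arp who-has T tell A"
# and "HH:MM:SS.ffffff A > T: icmp: echo request".
ARP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) arp who-has (\S+) tell (\S+)$")
ICMP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) (\S+) > (\S+): icmp: echo request")


def parse_line(line: str) -> Optional[Tuple[float, str, str, str]]:
    """Return (seconds since midnight, kind, asker, target), or None for lines
    that are neither an ARP request nor an ICMP echo request."""
    m = ARP_RE.match(line)
    if m:
        h, mi, s, frac, target, asker = m.groups()
        kind = "arp"
    else:
        m = ICMP_RE.match(line)
        if not m:
            return None
        h, mi, s, frac, asker, target = m.groups()
        kind = "icmp"
    t = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
    return t, kind, asker, target


def detect_sweeps(lines: Iterable[str], min_targets: int = 8,
                  min_rate: float = 0.5) -> Dict[str, Dict[str, float]]:
    """Group requests by asker; flag any asker that probed at least
    `min_targets` distinct addresses at `min_rate` requests/second or more.
    A normal host asks for a handful of addresses (its gateway, a peer), so
    breadth plus sustained rate is what separates a sweep from ordinary ARP."""
    events: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, _, asker, target = parsed
            events[asker].append((t, target))
    flagged: Dict[str, Dict[str, float]] = {}
    for asker, evs in events.items():
        evs.sort()
        targets = {target for _, target in evs}
        span = evs[-1][0] - evs[0][0]
        rate = len(evs) / span if span > 0 else float(len(evs))
        if len(targets) >= min_targets and rate >= min_rate:
            flagged[asker] = {"targets": len(targets), "rate": round(rate, 2)}
    return flagged


# Constructed sample: the ISP gateway 24.0.0.1 walks 24.0.0.2 .. 24.0.0.11 at
# one ARP request per second, plus one ping; a subscriber resolves its gateway.
SAMPLE_LINES = [
    "12:00:%02d.000000 arp who-has 24.0.0.%d tell 24.0.0.1" % (i, i + 2)
    for i in range(10)
] + [
    "12:00:04.500000 24.0.0.1 > 24.0.0.9: icmp: echo request",
    "12:00:03.250000 arp who-has 24.0.0.1 tell 24.0.0.7",
    "12:00:03.300000 arp reply 24.0.0.1 is-at 0:0:0:0:0:1",
    "12:00:05.000000 24.0.0.7.1034 > 198.51.100.5.80: S 1:1(0) win 512",
]

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LINES))
```

ARP is not carried in IP, so an IP-level filter never sees these requests and a host has to keep answering them to stay reachable; what the firewall can hide from the sweep is only the ICMP echo.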
Personally, I'd just ignore this little change, like many people ignore the "don't run servers" rule. Why? @Home doesn't care.
How do I know this? Well, I was at a conference in DC last spring called Spam Summit. Basically, everyone involved with blocking spam, or opt-in (real opt-in, like MyPoints) advertising systems got together and talked about the technology. @Home did a big presentation on anti-spam things which happened to include some talking about their policies on people running servers.
The fact of the matter is that @Home just doesn't enforce the policy. The exec from @Home giving the presentation said very clearly that they don't routinely check for servers (excepting NNTP proxies, since they had that little problem with the UDP this past winter), and they really don't care if people run them as long as they are not causing problems. He defined problems as taking up too much bandwidth, or causing a security problem for @Home itself.
So I really don't think this is a cause for concern. I doubt they're gonna bother checking for these things (they'd have to sniff the network constantly... VPNs operate on arbitrary ports, and it's not like they can check for a server, since @Home users are gonna be VPN clients (for the most part).
-Todd
---
"The details of my life are quite inconsequential..."
Don't blame the original poster for confusing VPN and ip masq, blame Roblimo.
The op-ed stuff at the end of the story is clearly Roblimo's opinion, not cwilson's opinion.
---
Interested in the Colorado Lottery or Powerball games?
check out http://colotto.com
NATs are not VPNs.
NATs are used to connect more than one computer to the internet using something like Windows Connection Sharing or IPMasq or Netfilter. A VPN is a connection of two computers using authentication and encryption. Each of the computers has its own IP numbers, but all traffic is encrypted. FreeSWAN and Compaq Tunnel are examples of this as well as IPSec. VPNs are really useful in talking to a private network at work. Tunnel into the network and you can work on your stuff without a reasonable fear that it is being sniffed. Why they would want to prevent this I do not know. Maybe they don't like people working from home and think everyone should just work from work. Probably they'd want to raise prices for people to work at home and make them sign up for @work. Or they could just be confused. It happens.
I've no problem with companies trying to make a buck but this is ridiculous. They are providing no additional benefit but think they are entitled to additional money? Not from me. I'm paying for a pipe, not the right to use my own computers.
Besides, this is really not enforceable as far as I can tell. If you set things up right, I'm not sure how they could tell if you had such a network or not.
VPN is a secure encrypted connection over an insecure connection to a remote network. Work from home, have your machine pretend to be right on the network at work.
The writer seems to be bitching that he can't NAT his home network anymore, and he seems to still be able to do that (at least section 6 doesn't outlaw it) as long as he's not hosting servers for a business enterprise.
BUT...
Why would they disallow VPN? This just prevents people from working from home.
Can https or SSL be considered a VPN? A whole bunch of etraders will be grumpy!
A VPN is a concept where you can encrypt all the data between two computers on an insecure line and create the illusion that the two machines are on the same private network. Generally, VPN's are used for businesses who want to let their employees work from home and have connectivity inside their firewall. This can be detected by the ISP because of the ports you need to have open on your host.
Whereas, it seems from Roblimo's response that he wants to be able to Masquerade IP's. This, first of all, is impossible for your ISP to detect even if you were doing it. Secondly, this does not constitute a VPN.
The original poster was indeed confused.
The reasons for restricting VPN traffic and restricting ip-masq are completely different.
ip-masq: They would restrict this if they wanted to sell you more IP numbers.
VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.
They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.
So don't even sweat it, just ignore this policy.
-- Mojo Tooth : exploring our world as only an idiot can.
I have AT&T@HOME in the Chicago burbs. I know the TOS forbids such things as FTP and Web servers but I've had both up on my connection since day one (over a year now). They never seem to check.
But my firewall does stop two probes a day looking for an open news port.
I wouldn't worry too much. I think they just don't want to support VPN's between you and work. They don't want to get involved with trouble shooting for your company. It doesn't seem like they are really out to shut anyone down (IMHO).
Viv
-----------
Gmail invites for ip
I don't think that they are banning proxy servers / IP Masquerade. They are trying to get folks who connect to work using VPN to use their more expensive @Work service.
You people are confusing VPN's with NAT!
;) ]
Using, say, masquerading for many machines inside your home or business to seem to be coming from the one IP your ISP gives you is NAT (network address translation [I prefer masquerading, it is more descriptive, more obvious to the novice])
VPN, or (virtual private networking), is when you tunnel IP over something else, so it's sort of like you have a PPP link [across the net] to some other host... and it is usually encrypted so that you can have the effect of a WAN or a dedicated private leased line, but using the public internet infrastructure instead. [Except for cpu lost in crypt [Still much cheaper
--sanemind
man signature
---
the pen is mightier then the sword. the sword is mightier then the court. the court is mightier then the pen.
Any ports though? Like... the open ports that ICQ uses so that all messages don't have to go through the server? Or open windows filesharing ports that everyone accidentally leaves open? Do they ever check?
--
DSL.chant(infiniteloop) Umm... so according to this no telecommuting for me. Our office set up VPN so I can connect from home when I got my @home service (the competition sucks in my neighborhood). Now even though what I was planning to do (logging into my remote site for admin purposes) is no longer possible? Down with this crap. DSL forever, baby!!!
"You'll die up there son, just like I did!" - Abe Simpson
There is no reasonable defense against an idiot with an agenda
:wq
I don't see how a VPN can be "hard on the routers in between". A packet is a packet is a packet. It doesn't matter what is in the packet, it doesn't matter that the payload is encrypted; all that matters is that the proper headers are on the front of the packet.
When I was with them (in the early days of cable modem service), I had the modem set up and shared the connection between our two similar home PCs and that way we could all sit down and access the internet at one time. I called techsup and had a question about the gateway software screwing with the ports on the host computer and he got all mad at me and told me I was not allowed to share the connection... I think the rule is there so you can't sell the connection or something... Maybe to your neighbor or get it in an apartment and share it with the whole building... That's how he explained it to me anyway.
The Karma: excellent (mainly the sum of moderation applied to users' comments)
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
SSL creates an encrypted tunnel between your machine and a web server - a VPN. So you're not allowed to buy books from Amazon.com on the @Home network? SETI@Home? Does that constitute a violation - how about FreeNet?
My Cable ISP here in NZ has a similar policy - they say you may only connect the cable to a single computer, presumably they mean they don't want me plugging it into a hub..
I have it plugged into my linux machine running NAT - I have another windows machine I want to have net connected as well. But there's no way I will pay twice to connect both these machines up, considering the lousy bandwidth they provide. It's still just me using one of the machines at a time anyway, and I consider that they have absolutely no right to tell me how I can connect my computers in my own home. They also have no right to tell me what software I can and cannot run - if they decide they want to pull the plug on me if I'm using too much of their resources, that's fine, but these service agreements are basically a violation of my right to use the equipment that I own in any way I choose.
Would you accept a phone connection if the telco said 'you can't connect an answering machine or a fax to this line', or a car that you were forbidden to drive on certain roads?
The definitions of 'computer' and 'network' are now getting so broad as to be pointless - is my intelligent switch a computer or a piece of network equipment? How about my router? It runs an OS, can run various userland programs in addition to routing packets. What about my Palm Pilot - that's a computer, isn't it? I can't sync my Pilot with my main computer while attached to the cable network??
I gots ta ding a ding dang my dang a long ling long
Go ahead and use a VPN to connect wherever you like. Or use a SSH tunnel, as I routinely do.
All the ISP is going to see is packets with encrypted payloads going back and forth. Tough. Bandwidth is what you are paying for, they can't really complain if you use it.
If they have the nerve to actually call you on it, ask nastily why they are trying to intercept a private electronic communication without a warrant. Mention the FBI, the FCC and the local cops if necessary.
Stand your ground. Make the bastards bleed.
"...they may harpoon us, but they ain't gonna pick us up on no radar screen!"
Yes, placing more machines on the network than your agreement states breaks the agreement. The cable companies want to make more money by selling each IP. They also don't want the bandwidth distributed to multiple entities without paying for it (which I can sympathise with). There was a case in Illinois where one guy was reselling his connection to his neighbors (he had over 40 people in his apartment complex wired up to his switch and router). This guy was making over $600 a month and the cable company got $40. The only way he got caught was that they finally capped his usage at a normal single user level and one of his "customers" complained to the cable company.
That reasoning out of the way, here is why they don't want VPN's. Virtual Private Networking is a method for extending a LAN across a WAN or the Internet safely and keeping the network cohesiveness. For instance, say you have an office LAN and you want to give a telecommuting employee access to all the info on that LAN. By setting up a VPN connection between the two, the telecommuter would have all the functionality that he would if he was physically at the LAN site. VPN and IP tunneling put a heavy strain on routers in between the connections (and can be a pain to implement across the heterogeneous mix that is the Internet). PPPoE is another type that is actually used by some DSL and (I thought) road runner cable to hook up customers.
Really, this is not a big deal to people unless you are a business trying to do something along the lines of what I discussed. I would LOVE to see what happens if a customer sues over this (there are grounds, IMO...IANAL!!!)
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
I don't know if this applies to everyone with @home service but I received my service a couple months after a friend of mine and in that time, our documentation changed from:
His: "No servers allowed."
to Mine: "If you should run a server, we are not responsible for any damage caused by doing so."
That alone should be enough support if they ever decided to question me about my small server. I just hope they don't migrate to something like AOL where you have to go through all of their servers to get to the internet. I know I am not the only one who doesn't use THEIR proxy but if they found a way to enforce its use, it could mean the end of any privacy we might have now.
In common with other posters on this topic, I run a few services (mail and web) but they don't put half the strain on the system as my windows/proxy using friends with napster running 24/7.
Just some thoughts...
What is to stop you from setting up a VPN by running PPP over SSH (read the VPN-HOWTO). To the ISP, it would look just like a SSH session.
IPSec (service 50) is not the only way to establish a VPN. For instance, you can use IP inside IP (using either the kernel-based 'ipip.o' module, or a user-space ipip driver), or do as I do, create a PPP tunnel inside an SSH connection.
Here is how: From your machine inside a firewalled LAN (e.g. work), use the following `pppd' options file (under Debian, create it in /etc/ppp/peers, e.g. /etc/ppp/peers/my-home):
# This link is over a SSH network connection; the remote pppd is started
# with the ipparam so that the home ip-up script receives the network below
pty "ssh -t -enone -C yourhost.home.net /usr/sbin/pppd noauth ipparam 172.16.0.0/16"
# IP Addresses to use for this link (local:remote)
192.168.0.1:192.168.0.2
# Let the remote host start the conversation
silent
# We trust each other
noauth
# Keep modem up even if connection fails
persist
Here, replace 172.16.0.0/16 with your company network. This will be used as argument for the PPP 'if-up' script on your home computer.
Make sure the root user on your work machine can SSH to your home machine (as root) without being prompted for a password. If necessary, run 'ssh-keygen', and copy the '/root/.ssh/identity.pub' file from work to '/root/.ssh/authorized_keys' at home.
At home, create an if-up script, as follows:
The script should contain:
#!/bin/bash
#################################################
### FILE:
### PURPOSE: Add routes after bringing up PPP link
#################################################
### The following two lines are only needed with RedHat;
### Debian supplies these from the master ip-up script.
### $6 contains remote network/netmask (e.g. 172.16.0.0/16)
[ "$PPP_IFACE" ] || PPP_IFACE=$1
[ "$PPP_IPPARAM" ] || PPP_IPPARAM=$6
### Configure the route: send the remote network over the new PPP interface
### (the route command was missing from the posted script and is restored here)
if [ "$PPP_IPPARAM" ]
then
    route add -net "$PPP_IPPARAM" dev "$PPP_IFACE"
fi
Edit root's crontab on your work machine (crontab -e), to start this PPP link. Under Debian, it will look as follows:
*/20 * * * * netstat -rn | grep -qs ^192.168.0.2 || pon my-home
(replace 'my-home' with the name of the PPP options file in /etc/ppp/peers).
Using this, you now have a PPP over SSH tunnel to/from your home. If it breaks, it is immediately brought back up (hence "persist" above); and if too many retries have passed and PPP gives up, a new connection is retried every 20 minutes (or whatever you set the crontab line to).
Undetectable. :-)
The Comcast subscriber agreement already banned connecting a home LAN to the cable modem. A VPN allows your home system to appear to be part of a private WAN across the public Internet. In reality, this change doesn't take anything away, as connecting to a non-Comcast WAN was already prohibited, but this makes it an explicit statement for people like Roblimo who don't know what makes a LAN, a WAN, and a VPN different.
What are you talking about? Comcast does not ban home LANs and they have not ever done so to my knowledge. Indeed, they let customers buy additional IP addresses, which wouldn't make any sense if they ban LANs.
Anyway, I figured fuck them and I'm running it regardless.
I'm running a home LAN here with a couple systems on the same IP using ipmasq on my main system. Is this going to be a problem?
________
Agreed, however traditionally all the DSL providers do precisely not what @home has done.
AT&T doesn't support Linux, either. I let them install it on my Win 98 machine, and they had to uninstall my Norton Antivirus because their install program does not work if you have Norton. Anyway, I told the guy doing the install I was planning on hooking it up to a linux box, which he had no problem with, except for the comment "I wouldn't worry about a firewall." AT&T will let you have a home network hooked to the internet connection. However, according to their website, the first step is to "click here to configure a Dell computer to be your server." Right.
Any monitoring they could possibly do is really easy to get around; just use a vpn tunnel over non-tunneling ipsec, or something similar. Or over an ssh connection, or something similar.
Really, they can't really prevent vpn usage without banning the use of encryption. This would not look pretty, and would likely anger the EFF, the EPIC, etc.
Since the ISP's costs are the same whether you use encryption or not, they are completely unjustified in charging different amounts for them.
I've been on Insight @home in Indiana for over a year now and their news servers sucked at first, in terms of the feed, but now they have a huge feed and more speed than I can keep up with (my arm gets tired before my news feed shows any sign of slowing ;-)!
--
Actually they can control much more than you can possibly imagine. I used to work for the very big vendor that they bought most of their software from, and was somewhat responsible for handling change requests for their software (what Deutsche Telekom wanted, Deutsche Telekom got). So if you can conceive of it, and they think it is worthwhile, it'll be done.
Screw Micro$oft.
?? IPSec? (perhaps this is what you describe?)
There are also a half dozen or so private protocols for doing such thing... everything from ppp over ssh, or ssltunnel, or what have you, to UDP versions, to privately encrypted IPIP.
And the public has to wake up and realize that the internet is more than just 'surfing the web' and email... that it's a data routing service. Other things they offer at higher layers like caches and such are conveniences, and may make their service more appealing, but in the end, they should *NOT* be able to tell you what application layers you can use. PERIOD.
If they want to cap bandwidth, and charge for bandwidth, that's just fine..but they must not tell me what I can and can't use as far as applications.
Apparently their lawyers should take some classes on basic WAN networking. You see, the issue here is, according to Comcast:
OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;
So basically, you *CANNOT* surf the net. The Net, after all, is basically a WAN connecting many LANs together, and hence, while using the net, you are breaking the service agreement. Personally, I'd sue them like no tomorrow, because they are placing a stipulation in the agreement that disallows the service to be used for what you're actually paying it to do..
-- I'm the root of all that's evil, but you can call me cookie..
Erg, wtf? The fact that they're disallowing VPN's isn't the big issue here. If you read the terms of service: AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL; or you'll see something much more interesting. "an END-POINT" would be a *BSD NAT box, or a Linux IPMASQ box, and the local area network would be your machines you're NAT'ting to. Why the story talks about the VPN aspect is beyond me, since that's a relatively minor issue in comparison. And yes, this also bans Windows Internet connection sharing.
Seems to me that all people who want to work from home via VPN now are going to have to switch to DSL - darn.
Of course they could just set up FTP on all the computers and do the same thing...this really isn't THAT big a deal...
@Home would have more bandwidth than they could shovel if they just followed through on abuse reports.
...
those little fuckers are always knocking
.
Don't know if anyone mentioned it, but I read over the changes to the user agreement last night myself and noticed interesting changes to section 5c. "Confidentiality of Information". The following information (in bold) was added to the policy:
:/
"Comcast will disclose to third parties personal information that Comcast maintains related to Customers only when it is necessary to deliver the Service to customers or carry out related business activities, in the ordinary course of business, for ordinary business purposes, and at a frequency dictated by Comcast's particular business need, or pursuant to a court order or order of any regulatory body having jurisdiction over matters which are the subject of this Agreement. Comcast may also disclose personal information to prevent criminal activity (including bomb threats), violation of the @Home Network Acceptable Use Policy, or in the event of fraud...
Sounds like it could be the Carnivore policy they told me they hadn't developed yet.
@Home, etc. certainly have a problem with encrypted tunnels, but it likely has nothing to do with wiretaps, echelon, or little green men. Money is the likely driver:
1. If a customer uses encrypted tunnels, there's no way to read the packets, so there's no way to route requests to network-edge cacheing (i.e. Akamai). All the bband-to-the-home providers are working hard to keep as much traffic local, so they don't have to constantly expand their backbone bandwidth. VPN makes this impossible.
2. As others have said, there's a desire to have customers who are using the network for business purposes pay business-esque rates, rather than residential rates. If this seems strange to folks, remember that business customers for standard phone lines, who get _exactly_ the same thing as residential customers, pay 30-50% more per month b/c they are businesses. Explicit cross-subsidy there, in the cable case it's more implicit.
I am with Cox@home, and this is what I have been told both by the installers and the telephone techsup: @home does not "support" home networking, as in they will not help you with it in any way shape or form. They have no prob with you running a proxy to give other 'puters access, so long as you aren't running a server on it for MP3, warez, or anything else that is bandwidth intensive.
You've got to be joking.. I'm sure they have better things to do with their time than to analyse the types of data flowing across their network. That is just dumb. If you cause a problem then they may look into your traffic situation.. but I'm sure for the most part they don't care, and couldn't do much about it if they did.
--Hired Net Grunt
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The Comcast subscriber agreement already banned connecting a home LAN to the cable modem. A VPN allows your home system to appear to be part of private WAN across the public Internet. In reality, this change doesn't take anything away, as connecting to a non-Comcast WAN was already prohibited, but this makes it an explicit statement for people like Roblimbo who don't know what makes a LAN, a WAN, and a VPN different.
Your IP/NAT box can be viewed as an endpoint for a non-Comcast network (Does Comcast own your LAN?). They got ya in that regard.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Be careful when selecting your DSL provider, to see how they route traffic. I examined Speakeasy and nearly picked them as my ISP, then I found out that they backhaul all their traffic to Seattle (I live in Virginia). Although this is most important for gamers like myself, it is something to look into. I would be careful to select a DSL provider that has a POP near your location. I eventually went with Megapath, who have provided excellent service and route my traffic to DC, which is a single hop and I'm out of their network. Just something to consider.
---
Yes, upstream is limited. If I recall correctly (a rare occurrence, but it's kinda neat when it happens), with the Motorola head-end and nodes that Shaw@Home is using (used?) in Alberta, each node can deliver a maximum 30MBit downstream, and 1MBit upstream.
Consider the fact that you're sharing both of those with everyone in your neighbourhood, all it takes is one person running a 1337 w4r3z server to chew up everyone's upstream. And up here, things are REALLY bad, as they've got more subscribers than they know what to do with. When I had cable, I was being portscanned and probed (ooo, touch me *there*!) on a daily basis from their network management workstations.
The upstream number may be a little higher in newer hardware, but I know it used to be that low. IIRC that's part of the reason Excite@Home was talking about capping upstream on each modem.
This looks like a draft copy of a proposed service agreement. Don't jump the gun and think a document with red ink and strike-out lettering is written in stone. I'm with Cogeco@Home and while they won't lift a finger to support a VPN or any other feature beyond a single Mac or Windows PC connected directly to the cable modem, they don't care what you do with your connection as long as you aren't being a bandwidth bastard.
I hear these silly arguments constantly. As a person who sells services, it is very difficult to price them for consumers. I offer computer training. If you're a business, the going rate is over $75/hr. Am I going to charge a small family of 4 $75 for an hour's Internet training? How about installing a modem for them? Not a chance. How do I justify the pricing difference? By making good-faith deals with people, that's how.
@Home has a service they want to sell, and they're selling it really close to their break-even point. My $42.75 (CAN)/mo is pretty cheap for the 1.5 or so megabits I get (quite often). Where do they make up their margins? By charging more to businesses. Why? To make real money at all. As someone in business, I can understand perfectly.
@Home simply takes a certain set of services and says 'off limits' to non-business clients so they have something to sell to business clients. They can tell businesses "You're allowed to host a VPN on our network!" and not have the business retort "but I can do that at home for $40".
- Michael T. Babcock (Yes, I blog)
I believe that what they mean is that GRE will not be routed on their Network. I recall having to get GRE routed from end to end in setting up a MS VPN solution. I can't remember what it stands for but it was needed.
I don't think that this would prevent SSH since SSH is a 100% IP solution that could be installed on any port and as long as that port is being routed it will work.
Specific contracts (which are nothing more than attempts to stifle usage) aside, there is nothing wrong with using the bandwidth you pay for for any purpose you want. If I want to exchange random numbers with a friend, it should be no business of the upstream provider. If those computers doing the exchange are deeper in LANs, that doesn't change anything. If those computers are dialed up to my LAN's dialup server, again, it's none of their business. If I get paid for that bandwidth, either more or less than I pay for it, it is still none of their business.
I'm buying BANDWIDTH and a (dynamic) IP address to use it with. Any company wanting to offer less than that is offering less than Internet service. Any contract establishing that is a contract to deny service.
now we need to go OSS in diesel cars
There's a difference between using multiple machines hidden behind an IPmasq/Winproxy/Wingate/etc and multiple machines out on the cable modem's internet grabbing DHCP addresses and shipping traffic out a bridged connection. Cable companies are usually much more concerned about the latter, though most have figured out that they should let you use a couple of addresses so you can at least have your desktop, printer, and occasionally your laptop or your kid's machine on the net. The right way to do your network, if you can, is to have one ethernet for your inside machines and a separate ethernet connecting your gateway box to the cable modem, so it doesn't see your local traffic.
Bill Stewart
Actually, Shaw@Home expressly prohibits running any servers on their network. See this link to their Service Agreement for more info.
Personally, I have already had trouble with Shaw, but I was able to get around their bungling. I did drop running my servers, but I'm not very impressed with their new ToS. Thankfully Calgary has 4+ high-speed ISP alternatives.
Sarge
You know you've been in this business too long when you read the above line filling in all the acronyms as you go.
I didn't even glitch as I read it. Time for a new Job :-)
I'll be curious to see how long till other @Home associated companies do this as well - Optus@Home in my area
I've noticed @Home routinely scans port 119 on systems connected to their network since they were targeted for that Usenet Death Penalty.
Ok, I may be ignorant on this, but I'm pretty sure I know what I'm talking about.
The art of flying is throwing yourself at the ground...
... and missing.
The TOS says that you can't use @home for business crap or tunneling out, that has nothing to do with how many computers you run thru them (proxied or not)
It looks like they don't want people who work from home to 'dial' into their corporate network and create buttloads of traffic with a tunnel.
How many people use sygate/wingate/ipmasq to run many computers over a cable modem? Tons. Is that tunneling? No. It's either a form of a proxy or NAT or however the program decides to implement the exchange of the packets.
I dunno how together I sound, I just woke up.
-paul
---------------------------------------
Don't forget, in addition to the $6 and change a month IP charge, there's also a ~$25 "service change" fee as well.
I'm ready to dump comcast altogether, between hidden fees and those insipid commercials they play trashing all alternatives every 5 minutes...
"So some *MAN* who I don't even know is going to come over and install the dish?"
This article inspired me to track down the user agreement I have with my cable ISP, and it's pretty much the same. If not a little worse even. :-)
The URL is http://www.cox.com/OKC/CoxatHome/agreement.asp, but the gist of it is that I A) can't do anything illegal (not defined), B) can't download or possess anything obscene (not defined), C) can't download or possess trademarked material (not defined, but I assume I can't use Napster), D) I may not operate a Web, http, FTP, email, chat, nntp, game, Gateway or proxy server from home, and E) I may not use a VPN (virtual private network) or VPN tunneling protocol.
The consequences of these heinous crimes are that I might get "upgraded" to the business plan and/or prosecuted.
James
http://james.nontrivial.org
Actually, in Calgary (Alberta, Canada) Shaw@Home has already killed this. IP masq, proxies, etc. are prohibited in their ToS. They have also disallowed all servers on their client machines. And they will come after you - it has already started happening.
Sarge
I'm in the Kingston area, on Cogeco@Home, living in a student house. We have six computers sharing a cablemodem connection using a linux box running the Linux Router Project. Very nice. It has no HD, no fan, and does its job quietly and well. A hub and two shitty network cards were all we had to buy.
The cable guys who installed the modem were very understanding about it too... I pretended that my computer was the only one being connected, but strangely enough they ended up leaving behind enough free coax cable so that we could run it into the closet... :)
Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.
And, @Home sucks. Is ADSL any better?
Wah!
After all, how the hell are they supposed to know what that encrypted traffic actually is. And if they actually do start paying attention to traffic, they run the risk of voiding their common carrier protection (which protects them from being liable if their network is used for attack). In my mind this is bluster to discourage the 10% of users who would actually read these agreements, and perhaps annoy a bunch of companies to no end. I don't see how they can do this and stay in business, however - one of the driving forces behind broadband connections to the home is telework, and if their Service Agreement prevents VPNs, companies will have to go with DSL or (yuck!) use dial-up. The only people this hurts are businesses, not home users.
Whatever.
A VPN and a home network are two completely different things. A virtual private network is connecting a computer or LAN to another computer or LAN across a public network, i.e. the Internet, with encrypted connections. A home network is using a computer/LinkSys/router to share your single broadband connection. What @Home is describing is the VPN. However, for my Charter Pipeline *cable modem server*, the agreement wording is such that I can't run a home network either. I suspect the @Home agreement is similar.
How dynamic are the dynamic IP's that @home uses, and how hard is it to get set up with a static?
I will be using @home this semester at school, and i am curious about being able to run a MINOR MINOR MINOR webserver off it for my own purposes...
mov ax, 13h
int 10h
what you are using, unless they are snooping your traffic? If all they are doing is pushing packets then how do they know what those packets contain? Could this clause be safely ignored? If they threaten to cut service because you're running NAT or VPN, then you can sue them for 'breaking and entering' your property. (Remember, the lawyers are claiming that information is property.)
What happens if the USPS starts deciding that they want to open and read all the mail?
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or unbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or
See, you *ARE* prohibited from using a vpn.
Prohibiting using the service for VPN connections is new, but has nothing to do with forcing individual IPs on each machine in your home. The latter has been there for a while, but I think is only so that they don't have to support your home LAN questions.
Using the service for VPN connection may assume that you are doing work from home, which they want you to do using their @Work service (more expensive). Another interpretation may be that you can't offer VPN services, but that would fall under their "no public servers" policy.
Can they track VPN connections? I think they can, as this is a specific protocol, which can be selectively sniffed. Even though the payload is encrypted, the protocol information would be visible. I hope someone will correct me if I am wrong on this.
Yeah, my local cable access provider has pretty much the same attitude, so we just hid the Linux box, let them install it on the laptop (which needed access too anyways) and then set up IP masquerading. Unfortunately they must've done portscans of everyone on their systems recently because I had to shut down my webserver after receiving a threatening letter. It had virtually no traffic though (the URL was never published anywhere) and they didn't even notice my mail and FTP services that were (and still are) running too. Makes you wonder if anyone there actually knows what they're talking about. I have a feeling they don't.
"Well kids, you tried your best, and you failed. The lesson is, never try."
Oh well... at least they still allow VPLs ;)
create | destroy | enjoy
Bandwidth and transfer limit checking - some cable systems are equipped for it, some aren't, some have rate-limiting hardware, some don't. To a certain extent, the obnoxious acceptable use policies against anything resembling a server are to make up for the lack of bandwidth-limiter equipment and accounting systems - otherwise they'd be happy to bill you for it, just like the other part of the cable system is happy to bill you for pay-per-view. Gradually they'll get newer equipment deployed, especially as they roll out DOCSIS, but it'll take a while to get obnoxious policies changed.
Bill Stewart
I just got off the phone, what the Comcast rep told me is that, you can VPN into your work, but they don't want you to use the Comcast@Home service to run a business off of. They would rather you use the Comcast@Work service if you are going to operate a home based business. Which makes sense (at least to me). So I can still push my users at work to get Comcast@Home, and then VPN into work if they want or need to work from home.
Now I just wish I could work from home too.
Sure you can. But who else (except a few Linux users) cares? With IPSec I can implement either a Transport Mode or Tunnel Mode connection between Linux hosts running FreeS/WAN, OpenBSD/FreeBSD IPSec (don't know about NetBSD), Win2K and NT (using PGPNet), many CISCO (among other vendor) routers, and even MacOS X (I understand). So, it's nice that you can circumvent a stupid ISP policy which prevents protocol 50 between the hosts you use, but the rest of the world has already chosen IPSec as the standard Tunnel(VPN)/Transport Mode IP level encryption standard. This policy will prevent sane IP level encryption for many services beyond just employees logging into work from home.
Hell, with Transport Mode IPSec one could securely telnet to a remote host WITHOUT ANY CLIENT MODIFICATIONS or end user re-training. The same is true for web connections... no more SSL negotiations and key certification nonsense for the web, ssh and config files for secure telnet, some new "secure" protocol for ftp, etc etc etc, all handled with different configurations, incompatible key management protocols, and separate encryption libs... this should all be standardized under the hood at the IP level for the sake of consistency alone; (consistency increases security by reducing unnecessary complexity). @Home just made a colossally stupid blunder here... which will come back to bite them in the ass.
Well, I can't say anything about VPN usage, but the issue with NAT / Firewalls / NO-Pay Internet for multiple machines can be at least (partially) gotten around... I set up DSL for office networks, and instead of forking out money for a DSL router, I just use the really inexpensive Nortel modem, an inexpensive PC, and 2 (Two) NICs. I run my PPPoE client bound only to one NIC (hooked to the Nortel DSL modem) and my Proxy / Firewall only bound to the other NIC (100bT, hooked to the office network). This works well, and in use with the cable modem system in question, would at least (physically) still be allowed according to the TOS: The endpoint of 'their' network is the computer with 2 NICs - at no point is their network (physically) distributed. Mind you, this breaks the intended meaning of their TOS, and their lawyers could argue this, or they could make their TOS even more restrictive; but where I live this allows me to use 25 machines (legally I think and hope) on one DSL (or Cable) IP.
Having read a lot of the messages here, it seems like there are more than a few people who are VPNing from home to work using the Comcast@Home service. But for all the dissatisfaction with this change in the subscriber agreement I didn't see anyone ask this question, is the @Home network regulated by the FCC and are there any grounds for a complaint or appeal of this restriction? If the sole purpose of this is to force residential customers to pay the business rate for the same service isn't that illegal? For example if I were in business selling widgets and Joe from 111 Smart St. came in and I sold him one for $20, then right behind him Jim from Acme Accounting came in and I sold him the same widget for $80 just because he's a business isn't there something illegal about that?
@Home is prohibiting VPN's, and obviously wants to relegate you setting one up as a business thing, as an @Work option. IE - they want you to pay more...
How long do they think this can last? I can imagine a normal family, in the very near future, who want to share all the resources of their family network, via VPN connections. Maybe mom and dad have @Home, the son is in college, lives off-campus and has @Home, the daughter and new husband lives across town and has @Home, and maybe the family (the mom and dad) also own a cabin by the lake, and they get @Home there as well.
They want to share their files, so they each set up a fileserver, at each node: at mom and dad's, the son in his apartment, as well as the daughter (and husband). After setting these fileservers up, they probably want to access (and share) files anywhere in the network - their personal, home-use only files, nothing business related. They each are paying for their IP's. The only way to let them do what they want, securely, is via VPN connections, right? What if mom wants to print a recipe for her daughter? She could email it, or print it through the VPN connected printer at her daughter's house. Or maybe they want to set up a VPN'd family recipe book (of course, accessed via a mod'ed iOpener in the kitchen)? Or maybe they want to setup a private family email "ring", or "list" (wedding announcements, family get-togethers, etc)? Here's an angle: What about those MP3s (of CD's they own, of course) stored on the home server, that the family wants to stream to the cabin, while on vacation (this is fair use, right - or at least, domain shifting)?
@Home doesn't get it - they really don't get broadband, and the possibilities it opens for the sharing of data amongst people (or maybe they do, and are running scared, perhaps?). This hypothetical VPN use I've outlined doesn't warrant an @Work setup - it is a private VPN.
If it isn't happening already, it will - private VPN's will be the next "thing" in private home networking - and @Home is shooting themselves in the foot for disallowing this...
I wish @Home would just give us the pipe, and let US decide what to do with it!
I support the EFF - do you?
Reason is the Path to God - Anon
DSL users have to live practically next door (within 12,000 ft) to the local telephone monopoly. What other broadband Internet access choice is there other than the local cable monopoly?
<O
( \
XGNOME vs. KDE: the game!
Will I retire or break 10K?
And what ports do they look at anyway? Probably the stupid 1723 port. Either that or they block Protocol 47 somehow. Either way, just run ssh and tunnel everything over that, or use the encryption options in PCAnywhere. Problem solved.
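Several posts above ask what a provider can actually see of a VPN when the payload is encrypted: the "can they track VPN connections?" post says the protocol information stays visible, the IPSec post mentions protocol 50, and the post just above names port 1723 and protocol 47. The following is an added example, not code from the thread or from any ISP: it parses constructed IPv4 packets and reports only what an on-path observer can read from the unencrypted headers (IP protocol number, ESP SPI, GRE inner protocol type, TCP/UDP ports). The packets, addresses and SPI values are constructed for the example; the protocol and port numbers are the IANA assignments (GRE 47, ESP 50, AH 51, PPTP control TCP 1723, IKE UDP 500, IPsec NAT-T UDP 4500, SSH TCP 22).

```python
import struct

# IANA IP protocol numbers and well-known ports referenced in the thread
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
PORT_SSH, PORT_IKE, PORT_PPTP, PORT_NATT = 22, 500, 1723, 4500
GRE_PPP = 0x880B  # GRE protocol type carried by PPTP data channels


def ip_to_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4(proto, src, dst, payload):
    """Construct a minimal IPv4 header (no options, checksum left zero) for test traffic."""
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_tcp(sport, dport, payload=b""):
    """Minimal 20-byte TCP header; only the ports matter for this classifier."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return (label, details): what an observer learns from headers alone.

    Encrypted payloads are never inspected; only the IP header and the first
    few bytes of the next-layer header are read, which is exactly what a
    provider doing protocol-level accounting could do.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    body = packet[ihl:]
    details = {"src": src, "dst": dst, "proto": proto}

    if proto == IPPROTO_ESP:
        # ESP (RFC 4303): 32-bit SPI and 32-bit sequence number are cleartext.
        spi, seq = struct.unpack("!II", body[:8])
        details.update(spi=spi, seq=seq, payload_opaque=True)
        return "ipsec-esp", details
    if proto == IPPROTO_AH:
        # AH (RFC 4302): next header, length, SPI and sequence are cleartext.
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", body[:12])
        details.update(spi=spi, seq=seq, next_header=next_hdr)
        return "ipsec-ah", details
    if proto == IPPROTO_GRE:
        # GRE (RFC 2784): the protocol type of the tunnelled packet is visible.
        _, ptype = struct.unpack("!HH", body[:4])
        details.update(inner_protocol=ptype)
        return ("pptp-data" if ptype == GRE_PPP else "gre"), details
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        details.update(sport=sport, dport=dport)
        if PORT_PPTP in (sport, dport):
            return "pptp-control", details
        if PORT_SSH in (sport, dport):
            # An SSH tunnel and an interactive SSH session look identical here.
            return "ssh", details
        return "tcp", details
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        details.update(sport=sport, dport=dport)
        if PORT_IKE in (sport, dport):
            return "ike", details
        if PORT_NATT in (sport, dport):
            return "ipsec-nat-t", details
        return "udp", details
    return "other", details


def summarize(packets):
    """Count classified labels over a capture, the way a provider's accounting might."""
    counts = {}
    for pkt in packets:
        label, _ = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic (addresses and SPI values are made up).
SAMPLE = [
    build_ipv4(IPPROTO_ESP, "10.0.0.2", "192.0.2.10",
               struct.pack("!II", 0x1234ABCD, 7) + b"\x9f" * 40),   # opaque ESP payload
    build_ipv4(IPPROTO_GRE, "10.0.0.2", "192.0.2.10",
               struct.pack("!HH", 0x3001, GRE_PPP) + b"\x00" * 8),
    build_ipv4(IPPROTO_TCP, "10.0.0.2", "192.0.2.10", build_tcp(40000, PORT_PPTP)),
    build_ipv4(IPPROTO_TCP, "10.0.0.2", "192.0.2.10", build_tcp(40001, PORT_SSH)),
    build_ipv4(IPPROTO_UDP, "10.0.0.2", "192.0.2.10", build_udp(PORT_NATT, PORT_NATT)),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(classify(pkt))
    print(summarize(SAMPLE))
```

The point for anyone weighing the "can they tell?" question: IPsec, GRE and PPTP announce themselves in the IP header and the first bytes after it, so no payload decryption is needed to count or block them, whereas an SSH-carried tunnel is indistinguishable from any other SSH session at this layer.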
I want to delete my account but Slashdot doesn't allow it.