Slashdot Mirror


@Home Stops Allowing VPNs

cwilson writes: "I just got a message from my cable modem provider, Comcast@Home (a member of the Excite@Home network) that the terms of service were being changed. The interesting bit: Section 6. Prohibited Uses of the Service. This section specifies that use of the Service in conjunction with a VPN (Virtual Private Network) or a VPN Tunneling Protocol is a prohibited use of the Service. See for yourself here in section 6." Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah! Update: 08/14 14:16 by michael : Yes, Robin confused NAT and VPN. TLA's are a PIA.


  1. Re:Here's a hypothetical situation... by cr0sh · · Score: 2

    @Home simply takes a certain set of services and says 'off limits' to non-business clients so they have something to sell to business clients.

    I understand what you are saying - but the fact is that people are going to want to do VPN someday at home. One could argue at one time that no one would ever set up a home network, that was just a business thing - but people are now doing it.

    I tend to wonder if many of these things are just business imposing artificial scarcity on a "resource". In other words, would home networking have happened faster if the cards were cheap(er) to begin with? Maybe, maybe not (of course, the counter argument would be that the computers weren't cheap enough to have multiple machines at home).

    So now are we left with a business telling us that we can't do VPN, because it is a business thing only - when I have already outlined several personal uses of such technology for home use?

    Like I said before, just give us the pipe, and leave us alone (home, business, who cares).

    I support the EFF - do you?

    --
    Reason is the Path to God - Anon
  2. FTP? True, but... by cr0sh · · Score: 2

    Yeah, they could - or they could (in a Windows case), just turn on sharing, etc - and drag and drop.

    However, none of these things is secure. Nor will an FTP server allow for easy access to that MP3 collection at the cabin.

    A well set up VPN would be much more secure, and more flexible - because it would simply be an encrypted tunnel between two separate private networks. I am sure right now people are doing exactly as you suggest, setting up multiple FTP servers and sharing files with family - and I am sure people are doing the Windows sharing thing as well (at least within a particular subnet - maybe with their neighbor or something). However, these people will be in for a rude "surprise" when someone "comes in" and takes a bunch of stuff not meant for them, or places something nasty on the machines, or for that matter, reformats the drive, etc (I am assuming Windows boxes).

    Of course, if people are doing this, one could argue about how could we expect them to properly set up a VPN, when they don't even try to firewall their boxes - a good question indeed...

    I support the EFF - do you?

    --
    Reason is the Path to God - Anon
  3. One other thing... by cr0sh · · Score: 2

    If they are charging at the "break even point", why don't they allow @Home users the ability to get some of the services from @Work - in other words, instead of having a two-tier approach, with two radically different pricing levels (I know - I looked into getting @Work for my home), why don't they have more of an "a la carte" setup, where one could pick and choose bandwidth and services based on what they want or need, with the option to add or subtract bandwidth and services whenever they wish (or every 3 months, or whatever).

    Give us more tiers, and charge accordingly! That way consumers get what they want, and businesses can get theirs. DSL works this way, telephone works this way - why can't cable (and don't get me started on cable TV - I hate sports channels, but I am forced to get them, even though I don't watch them, at all - why?)...

    I support the EFF - do you?

    --
    Reason is the Path to God - Anon
    1. Re:One other thing... by MikeBabcock · · Score: 2

      This would make perfect sense if their market research didn't (probably) show that users pick companies with simple options and a single price point.

      That's why all those phone companies market on 'shows up on your normal bill'. You and I aren't 'normal' people to market researchers, so our opinions aren't valid. Remember, this is a market-based society, not a democratic one.

      :-)

      --
      - Michael T. Babcock (Yes, I blog)
  4. DSL is set under phone company tariffs by maynard · · Score: 2

    which operated under tight access regulations as defined in your state tariffs for telephone service. Go to your local department of public utilities and look up phone company tariffs; you'll see that they BY LAW cannot regulate what you do with your telephone (and by extension, your DSL connection) after the demarc point in your house. Cable companies are NOT subject to these regulations.

    1. Re:DSL is set under phone company tariffs by PenguinX · · Score: 2

      And the service hasn't suffered one iota. My experience with cable has been horrid - whereas with DSL & DSL hybrids (such as reflexcomm.com - my ISP) the service is absolutely great.

      AT&T didn't call me back after calling them twice just for a price quote when I wanted a "special" package. Reflex got me hooked up in about 30 minutes - in fact when I was signing up I was on my cell phone and it was cutting out a few times... so they *69ed me. For some reason when they came to my building the door buzzer did not work - so when I called they sent someone out right away and it was done in less than 35 minutes.

      Just my view,

      Brian

  5. Question... by V0oD0oMan · · Score: 2

    Does using Microsoft Internet Connection Sharing qualify as a VPN? Because I'm planning on switching over to AT&T@Home because I just can't stand the shoddy ADSL service Ameritech provides in my area.

    --
    So long, and thanks for all the fish.
    1. Re:Question... by Alan · · Score: 2

      Personally I'd use IPMasq regardless of the # of IPs I get. Right now I'm on Telus's ADSL with one DHCP address which is masqing 4 (though with LAN parties that jumps up considerably) addresses inside.

      IMNSHO you should use masqing or at *least* a decent firewall on xDSL or cable modem simply because you really don't want your documents, pr0n or private mail being snooped by your neighbors or even the @HOME people.

      The only reason I'd use the multiple IPs is to set up a separate web/mail/whatever server on a DMZ for myself. Of course, you're not allowed to set up a webserver right? Well, a little ipchains magic to block the scanning address :)

    2. Re:Question... by B'Trey · · Score: 2

      Snooping the outgoing packets isn't the issue here. Most people, including most "professional" installers for cable modems or xDSL, throw a NIC into the computer, set up TCP/IP and voilà, you're on the net. Trouble is, the net is also onto you. I've seen @Home installations where you could browse the hard drives of half your neighbors in Network Neighborhood. Even if you don't have loose shares just hanging out, cracking the typical home computer is trivial. A firewall and/or IP masquerading makes things a bit more difficult. If they're set up properly, it should make things difficult enough that the average script kiddie will go find easier prey.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    3. Re:Question... by hoefkens · · Score: 3

      No it doesn't. But that part was also forbidden by the Subscriber Agreement (it says ...OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK).

      So the agreement essentially says: you may not put a LAN or a WAN at the end of your line and you may not join another LAN or WAN via an encrypted channel. Kind of interesting...

      --
      I am German but my email isn't...
  6. Enlist the help of your city/county gov't by jkeene · · Score: 2

    Two things to do that will apply the hurt to a cable company that tries this.

    1) It's anti-telecommuting, so write a nice letter to your county gov't official that is most sensitive to growth and road paving issues. Might be your district official, might be a transportation committee chair. Let them know that your cable company (granted its monopoly by the county) opposes telecommuting by its AUP.

    2) It's abuse of monopoly, so write another nice letter to your county official that periodically reviews the cable company's franchise. Every few years, 3-7 or so, depending on where you live, the franchise has to be renewed. Most counties have staff to forward complaints from county residents to the cable company, and track the cable company's performance on fixing them. Use this channel, it's powerful!

  7. Re:IPSec is the standard. by Syberghost · · Score: 2

    Sure you can. But who else (except a few Linux users) cares?

    @Home customers who use any of the dozens of other operating systems capable of performing this feat.

    Or did you think SSH and PPP were Linux things?


  8. But neither will sell a home user a static IP. by BigBlockMopar · · Score: 2

    You can run a server on Bell's HSE. The only thing is they don't offer support for it.

    43. If I have a domain name, is it possible to get the IP address associated with that name?
    The Bell Sympatico High Speed Edition service does not allow for the hosting of domain names other than the sympatico.ca domain.

    That was from their FAQ. I suspect their problem with users hosting their own domains is the following:

    41. Can I have a static IP address with the Bell Sympatico High Speed Edition service?
    The Bell Sympatico High Speed Edition service uses dynamic IP address allocation only. In the Internet environment where demand is growing at a fast pace, dynamic IP addressing allows for optimum usage of IP addresses.

    Funny. dsl.ca lets me rent a static IP for an extra $5/mo.

    Now, Bell's service agreement has softened up about servers, because when I did initially look into HSE as an alternative to @Home, they did specifically indicate that you were not allowed to use servers at all. Currently, this is the situation:

    Without limiting the foregoing, you agree not to use the Service or any equipment provided in connection with the Service, for operation of an Internet Service Provider's business nor for any other non-residential purpose.

    Their Agreement.

    That's a lot better than it was when I looked, but one could argue that webserving at home is a non-residential use. (The same way that I like working on cars, but actually working on them at your residence is actually technically illegal in Toronto's zoning laws.) dsl.ca specifically covers "home office" options, perhaps allowing the use of their high speed connection for tasks associated with their small business or self-employment, without having to pay for expensive business-grade DSL.

    Again, dsl.ca isn't perfect. But they're a lot more geek-friendly than the other two (three, if you count look.ca's unidirectional service) broadband options.

    --
    Fire and Meat. Yummy.
  9. Re:Here's a hypothetical situation... by MikeBabcock · · Score: 2

    If you want the pipe, and to be left alone, call up your local fibre supplier and pay the $500/mo for it. They won't care what you do with it. Ditto for ISDN or several other 'mainstream' subscriber systems. Sure, cable is excessively fast, but the only reason you're getting it at the price point it's at is because they limit your use of it (especially upstream).

    Note: I E-mailed @Home at one point and pointed out that I ran Linux and had SSHD2 running on my machine to transfer files from home to work and to access my home Email while at work. They told me that was fine, and put a flag on my account.

    If you have a problem with a company's policies, ask them about it politely, don't make a big case out of it.

    --
    - Michael T. Babcock (Yes, I blog)
  10. Re:A home network is not a VPN! by StenD · · Score: 2

    While it's true that a home network is not a VPN, it is a LAN. In the agreement linked to the article, I don't see anything prohibiting connecting a home LAN to the service.

    According to section 6 of the Comcast Online Subscriber Agreement,

    CUSTOMER AGREES NOT TO USE THE SERVICE ... AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK...

    I would be inclined to consider your home LAN would be a non-Comcast LAN.
  11. Re:Are you confusing VPN's and ip masquerading? by 1010011010 · · Score: 2

    I can't see how they would know you're doing masquerading.

    I plan on using a VPN, however, to provide a small number of real, routable addresses to my home machines while using the single random DHCP address I get from the cable modem providers.

    -M

    ---- ----

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  12. Re:More than one computer....? by DrgnDancer · · Score: 2

    I have to say that I was totally confused for a moment as to why disallowing VPNs would affect your ability to set up more than one computer on the Net. If anyone is interested, Wingate is pretty good proxy software for MS Windows, and Tucows has a number of others. *nix of course has internal support for this kind of stuff.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  13. Detecting VPNs (shutting off SSL POP3 and SMTP?) by satch89450 · · Score: 4

    I suspect that @Home will now start monitoring connections for encryption (think SSL and TLS), then look at traffic patterns to determine whether it's a secure Web browser or "something else". That means that you might be shut off for using SSL-encapsulated FTP or SSL-encapsulated SMTP (for secure mail transfer). Indeed, I can see where people regularly using PGP encryption on mail content may get a little note from the company.

    Hmmm...there is very little difference between a VPN and SSL encrypted services. Could it be that we are seeing something caused by the FBI demands to snoop on mail? A VPN is one way to block Carnivore and ISP monitoring from capturing e-mail traffic. Another way is to use STARTTLS-enabled mail clients to talk directly to STARTTLS-enabled mail transfer agents.

    Perhaps it isn't just a bid for money...but then again, I admit I'm paranoid.

  14. Re:Read the entire agreement!!! by mikpos · · Score: 4

    The part about "reselling" is completely orthogonal to the part about VPNs. Here's what you want:

    without limiting the generality of the foregoing, the service is for personal and non-commercial use only and [the] customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol;

    That said, it's probably wise to just ignore the policy. I would suspect fully 100% of @home subscribers are breaking at least two of the rules mentioned there; if they're not, they're wasting their money. It seems that @home (at least in my part of the world) only gets annoyed when you start using up obscene amounts of bandwidth (e.g. around 1GB/day regularly/constantly).

  15. Re:data security by nellardo · · Score: 4

    The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections.

    Even this doesn't make much sense to me. If they start sniffing everything, they open themselves up to huge liability problems (of course, they can and do hire lots of lawyers to deal with this). It's the difference between being a common carrier like a telco (who is not responsible for what is said over their wires) and a newspaper (who is responsible for everything said in their pages). Slashdot skims this line - Slashdot is liable for the stories, but not for the comments (since they never get deleted or edited, Slashdot can reasonably claim common carrier status) (ObDisclaimer - I ain't no steeekin' Lawyer)

    The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth....

    No, I think they have higher rates for @Work. If you can't put a LAN on @Home, you can't really use it in a business environment. So you're forced to use the more expensive commercial service, rather than the residential one. In some sense, this is a very crude way of doing usage-based metering (about as much as minimum age requirements "guarantee" responsibility in drinking, smoking, voting, or driving). IMNSHO, these kinds of policies are going to eventually change as home networks become more and more prevalent. No one will sit still for paying more for a cable modem connection just because their "set-top box" happens to be made by Sony and thus has a 1394 connection that happens to be capable of running TCP/IP. I mean, really. That would be like charging someone different phone rates based on having a y-jack for their phone.

    --
    -----
    Klactovedestene!
  16. Re:VPN's are NOT masquerading firewalls by EvlG · · Score: 2

    The masquerading/NAT prohibiting clauses are mostly intended to ensure that the service provider can't be liable for running your network. If you do something in trying to set up an IPMasq/NAT LAN behind the cable modem, and find out that you can't get it to work, they don't want to be in the position to have to support your setup. To do so would be unreasonable. This way, when you set up masq/NAT and can't get it to work, crying to @Home will only get you a big "See? It's prohibited by the TOS."

    I'm sure there is also a motivation to try and get people to pay for extra IPs, but I suspect that support issues are the main motivation.

  17. Re:Are you confusing VPN's and ip masquerading? by mxs · · Score: 3

    He probably is ...

    But apart from this, how does Comcast think to actually enforce this? I mean, come on, everybody with some knowledge of ipchains, squid, and maybe a generic IP proxy will be able to masquerade that he/she's masquerading his/her traffic. Out of the box masquerading is easily detectable (who seriously uses ports upwards of 60000?), but with some precaution you can make it seem to be one computer, running MSIE if you want.

    Oh, and how the heck would they tell a VPN protocol from HTTP, provided one uses a sufficiently encrypted connection (ssh will do, so will any SSL-based app). Everybody who runs VPNs without encryption should be shot on the spot anyway. Or take out the P from VPN.

    Can you believe the "Deutsche Telekom" (the phone company in Germany holding the monopoly on local lines and thus flat rates) actually prohibits this exact same behavior on even analog connections? As if that would make any difference at all (they don't sell you IPs, they're dynamic anyway), but what do you expect from monopolies.

  18. Comcast Clarification of VPN by rc-flyer · · Score: 5

    I sent them a question asking for clarification about the VPN paragraph. This is their reply:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

    --
    -- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
  19. Not just Comcast by Dor · · Score: 3

    I use Cox@Home and they also have this provision.

    From the Cox@Home User Agreement:

    8. Prohibited Uses of the Service; Indemnity.
    Customer shall not use the Equipment or the Service directly or indirectly to:

    m. use a VPN (virtual private network) or VPN tunneling protocol;

    Here's the link to it.

    However; I looked at the @Home Acceptable Use Policy and they didn't have anything specific about VPNs.

    I've liked my service so far, but if they try and enforce this, I'll have to switch to DSL (Man I HATE Southwestern Bell) because I have to be able to VPN into work. I really think they are shooting themselves in the foot with this, although it may end up being something they never enforce. I'm not going to start worrying about it until they do. And if/when they do enforce it, then that will be $40/mo less revenue for them from me.

  20. Re:VPN != IP Masquerading / NAT by rc-flyer · · Score: 2

    I think they have a bandwidth problem, and don't want people using it for business. Here is a clarification I received from them:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

    --
    -- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
  21. The AUP is not really clear, but... by trims · · Score: 3

    ...it probably should be passed in front of a tech-savvy legal expert.

    There are two possible interpretations of Section 6(b)(vii):

    1. (restrictive version): you are forbidden from running a VPN between your @home computer and a business (actually, between any computers) for any reason whatsoever. Period.
    2. (more open version): you cannot run a VPN between your @home computer and a business IF you intend to operate business-related services on the @home side of the VPN. Using a VPN if you are only doing client-side stuff on the @Home side is fine.

    Comcast needs to clarify this quickly. If they are banning VPNs of any kind, well, that kills their telecommuter business immediately, which I can't see them doing (telecommuters are good for the service - they use the network at an otherwise low-use period and are not any more of a strain on the network than an ordinary user). I suspect that the intent was to prevent businesses from using @home as a channel to set up remote office VPNs and/or to prevent people from setting up clandestine Internet servers (i.e. ones that don't serve out from the @home IP, but do on another IP, and are undetectable by @home).

    I'd call Comcast and make this point. I suspect that they aren't going after the telecommuter, but instead have a badly-worded AUP addition, and should change that.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
  22. they'll use @work... by Barbarian · · Score: 2

    Here's the real question: What are businesses going to say if their @Home-connected employees can't VPN to work anymore?

    They'll pay twice as much for @Work.

  23. Re:Detecting VPNs *NOT* detecting encryption. by Jeff+Mahoney · · Score: 2

    Most VPN software packages aren't running over TCP/IP. From what I've seen, everything from Cisco-Cisco router tunnelling all the way to MS VPN software uses IP Protocol 47. (GRE/IP) In the case of MS's they also use a TCP/IP port (17xx something) to provide authentication.

    Disallowing most VPNs would be as simple as blocking IP protocol 47 at their gateway router. Trivial. "gre deny any any" in Cisco's IOS parlance.

    As a reminder (and not really related to the post I'm replying to), VPN != Masquerading, although many sites could "detect" masqueraded traffic simply by watching for a higher-than-normal use of ports over 60,000. Most network providers - even companies and schools - have network monitoring hardware. I've learned how to configure Netscout probes and software to show me information very similar to this.

    IPsec is also used, but I'm not as familiar with the details of that.

    -Jeff

  24. Re:VPN is a strange thing to forbid by cwilson · · Score: 5

    I never assumed that "it means creating a home network". I know the difference between NAT and VPN. Roblimo deleted my commentary on the news and added his own, and forgot to put closing quotation marks to end my part of the story. Roblimo said,

    Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah!

    So, blame Roblimo, NOT me, for the ensuing confusion in almost EVERY BLASTED message in this thread, where people are mixing up NAT and VPN. My original commentary was something along the lines of

    What possible reason could Comcast have for disallowing this service? Are they just trying to insist on being able to snoop on my traffic, and don't want any encryption? What's next -- no outgoing ssh client connections to external ssh servers? GASP: Could ssh itself be considered a VPN Tunneling Protocol?

    That's not a completely accurate quotation of my original comments; I can't seem to access my story as originally posted, but Roblimo probably can. Anyway, that's about what I was thinking when I wrote it. FWIW, here is the email I sent to my provider last night:

    While most of the revisions specified seem reasonable, I would like to know your rationale for the apparently arbitrary decision to disallow the use of VPN Tunneling Protocol. While I do not currently use a VPN, I have always considered the *possibility* of hooking up to my company's VPN one of the main benefits of a fast, always-on connection.

    WHY are you disallowing this use of the service for which I am paying? Is it because you don't like it when your customers encrypt their packets? For the life of me, I can't imagine what possible detriment VPN could have on your infrastructure or other users.

  25. Re:No more secure working from home with @Home? by rc-flyer · · Score: 3

    Yes, you are. Here is a clarification I received from them about this:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

    --
    -- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
  26. Re:Can they detect it? by norton_I · · Score: 2

    VPNs that use IPsec (instead of a proprietary protocol) use non-TCP/UDP packet types, thus blaring to the world that they are VPN. However, if you run PPPd over SSH (or SSL) on port 443 (HTTPS), they probably won't know the difference, especially since several client-server applications hijack port 443 to make long term connections through corporate firewalls (almost all of which support the CONNECT method on port 443 to open a completely transparent connection)

  27. Detecting IPSec is easy by maynard · · Score: 4

    The reasons for restricting VPN traffic and restricting ip-masq are completely different.

    ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

    They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.

    You're absolutely right that the reason for this is to charge extra for "business" uses of the connection. However, detecting IPSec is a snap. All they need do is enact a filter for protocol 50 in the IP header of any inbound or outbound packet and discard. Bye bye IPSec connection.

    This is a terrible precedent because long term it prevents the use of ubiquitous point-to-point Transport Mode IPSec, which is the whole point behind the IPSec standard. Sure, it's neat to make tunnels to work, but in the long term the IPSec community wants to create a mechanism to secure ALL IP traffic. This blows that goal right out of the water.

    Also, are they going to start limiting SSH service to my employer? Can I telnet to my employer? Where do they draw the line between "personal use" and "business use"? If my cable modem provider pulls these tricks they'll lose a customer.

    1. Re:Detecting IPSec is easy by Ed+Avis · · Score: 2

      Can't you tunnel your VPN traffic over ssh or something? Tell ssh to forward port 50 on the local machine to port 50 on some remote machine, and the remote machine then continues the VPNing.

      --
      -- Ed Avis ed@membled.com
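Comments 23 and 27 above describe blocking VPNs at the provider's gateway purely by IP protocol number (GRE is protocol 47, IPsec ESP is protocol 50), and comment 26 notes that PPP over SSH on TCP/443 would look like ordinary HTTPS to such a filter. The Python script below is an added example, not code from the thread or from any provider: it constructs a handful of IPv4 headers in memory, parses them the way a gateway filter would, and reports which ones a protocol-number/port rule catches. The PPTP control port 1723, IKE on UDP 500 and AH as protocol 51 are standard IANA assignments rather than values from the thread, and the addresses are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IANA protocol and port numbers. 47 (GRE) and 50 (ESP) are the ones the
# thread names; AH, IKE and PPTP's control port are their standard companions.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PORT_IKE, PORT_PPTP, PORT_HTTPS = 500, 1723, 443


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # transport ports only exist for TCP/UDP
    dport: Optional[int] = None


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (IHL=5, no options) plus payload.
    The checksum is left at zero; the classifier never inspects it."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, header length 5 words
        0,                  # TOS
        20 + len(payload),  # total length
        0, 0,               # identification, flags/fragment offset
        64,                 # TTL
        proto,              # the field a protocol-number filter keys on
        0,                  # header checksum (not computed here)
        ip_to_bytes(src), ip_to_bytes(dst),
    )
    return header + payload


def build_ports(sport: int, dport: int) -> bytes:
    """First four bytes of a TCP or UDP header: source and destination port."""
    return struct.pack("!HH", sport, dport)


def parse_packet(raw: bytes) -> Packet:
    """Decode the fields a gateway filter looks at, honouring IHL so that a
    header carrying options still yields the correct port offset."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    proto = raw[9]
    src, dst = bytes_to_ip(raw[12:16]), bytes_to_ip(raw[16:20])
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(src, dst, proto, sport, dport)


def classify(pkt: Packet) -> Optional[str]:
    """Label a packet the way a protocol-number/port filter would, or return
    None when it looks like ordinary traffic (all a PPP-over-SSH-on-443 tunnel shows)."""
    if pkt.proto == PROTO_GRE:
        return "GRE (protocol 47: PPTP data, router-to-router tunnels)"
    if pkt.proto == PROTO_ESP:
        return "IPsec ESP (protocol 50)"
    if pkt.proto == PROTO_AH:
        return "IPsec AH (protocol 51)"
    if pkt.proto == PROTO_UDP and PORT_IKE in (pkt.sport, pkt.dport):
        return "IKE (UDP 500, IPsec key exchange)"
    if pkt.proto == PROTO_TCP and PORT_PPTP in (pkt.sport, pkt.dport):
        return "PPTP control channel (TCP 1723)"
    return None


# Constructed sample traffic: a home host 10.0.0.5 talking to an office
# gateway 192.0.2.10 (documentation range). None of this is captured data.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "192.0.2.10", PROTO_GRE),
    build_ipv4("10.0.0.5", "192.0.2.10", PROTO_ESP),
    build_ipv4("10.0.0.5", "192.0.2.10", PROTO_UDP, build_ports(500, PORT_IKE)),
    build_ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP, build_ports(40123, PORT_PPTP)),
    build_ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP, build_ports(40124, PORT_HTTPS)),
]


def audit(packets):
    """Return (packet, label) pairs; label is None when the filter sees nothing."""
    return [(pkt, classify(pkt)) for pkt in map(parse_packet, packets)]


if __name__ == "__main__":
    for pkt, label in audit(SAMPLE_PACKETS):
        print(f"{pkt.src} -> {pkt.dst} proto={pkt.proto:<3} "
              f"ports={pkt.sport}->{pkt.dport}: {label or 'passes the filter'}")
```

The last sample packet is the point of comment 26: a TCP flow to port 443 carries no protocol-number signal, so a filter of this kind cannot distinguish a tunnel from an HTTPS session.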
  28. Do they portscan by smartin · · Score: 2

    Can any Comcast customers tell me if they perform regular portscans for servers? If so what address do the scans come from?

    I'm getting hooked up this week (after waiting 2 months in vain for Bell Atlantic to hook up my DSL) and fully intend to run ftp, http and email servers for personal use.

    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    1. Re:Do they portscan by smartin · · Score: 2

      Can you supply a URL for this doc?

      --
      The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
  29. Re:Missing out on the V in VPN? by rc-flyer · · Score: 2

    You are absolutely correct. Here is a clarification I received from them about this:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

    --
    -- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!
  30. Re:Make your own by SoftwareJanitor · · Score: 2

    I was paying for a 256Kbps link, and was seeing roughly 30Kbps throughput.

    I use 256Kbps ADSL from US Qwest in the same market, and I typically see 32KBps on the upstream side and between 32 and 60KBps on the downstream side. 32KBps is approximately 256Kbps. I haven't noticed problems with latency.

    One possible difference is that while I use US Qwest for the wire part of the service, I use a different ISP for the Internet part.

    I know of some other AT&T @Home subscribers in the area that aren't quite so happy either. One guy in particular was complaining that at certain times of the day he was getting bandwidth about like a 14.4 modem. He probably has some warez kiddies in his neighborhood or something.

  31. Re:Oh yeah by Detritus · · Score: 2

    T1s are hideously overpriced in most areas. Modern technology has made them much cheaper to provision but the rates have not dropped to reflect the lower costs. We will never have cheap bandwidth while the telephone companies control the market for high speed data lines.

    --
    Mea navis aericumbens anguillis abundat
  32. Re:Yes, poster was confused by SimonK · · Score: 2

    It's also a traffic issue. Cable modem lines are shared between houses on the same street, using a CSMA/CD system like ethernet. If you're running slashdot on your cable modem box, you're reducing the quality of service for your neighbours.

    I'm not sure whether similar constraints apply to ADSL.

  33. Sharing the Comcast Equipment by Vassily+Overveight · · Score: 2

    I see that others (including Roblimo himself) are parsing the exact meaning of the Service Agreement. Rather than get into that, I'd like to recommend that, if the goal is just to share the cable modem (oops, I mean "Comcast Equipment"), you ought to just buy an inexpensive Linksys router and hook it between the Comcast Equipment and other computers (perhaps using a 10/100 hub to hook the machines themselves together, since I don't think the Linksys router provides 100 MBps Ethernet). They'll be unable to tell, short of physical inspection, how many machines you have on the line. Nor should it be any of their business anyway, IMO, no matter what their Service Agreement document says. You also get the additional benefit of a hardware firewall between you and the hordes who seem to be constantly trying to find an open port on my @Home machine.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  34. Re:Broadband by Mullen · · Score: 3

    Hear, hear!
    Although I do have broadband (Cox@home), I do remember not having access to broadband, and it sucked. People whine about @home, RoadRunner, or DSL, but try a 56K modem then go back to broadband and they won't complain anymore.

    I am one @home customer that is grateful to be able to download at 100K/sec+ and have 40ms Quake3 ping times.

    --
    Linux O Muerte!
  35. Re:Make your own by Pope · · Score: 2

    And, @Home sucks. Is ADSL any better?
    Since I can *only* get ADSL in my hood in Toronto, I'll give you my perspective:
    downloads are fine, speed is consistent, uploads are slow (which isn't that big a deal to me), and more importantly to me: the USENET servers have been upgraded a couple of times in the past year, so News is really great. From what I've heard, the @Home News servers really bite and @Home couldn't care less.
    Downside: the PPPoE servers occasionally go down, so you can't get a connection. Sometimes, my speed drops from 70K/s to 30K/s for a few hours.

    Personally, I'm happy with the service because it's way better than a modem. I don't expect 100% on time, full-speed connections because I know better: judging by the amount of bitching I hear about all the different broadband options, it appears that most people have forgotten that nothing is 100% perfect EVER, especially when it comes to computers!

    Pope

    Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!

    --
    It doesn't mean much now, it's built for the future.
  36. Re:ISP Monopoly by Genom · · Score: 2

    LOL

    Sad thing is that AOHell is/will be a cable ISP monopoly after the acquisition of Time Warner - If you can't beat 'em, buy 'em out, I guess. I'm just waiting for my RR speeds to go down the toilet.

    At that point I'll try to find a decent DSL provider. Anyone have good luck with one? Concentric seems to be running a $50/month DSL bit with no equipment or setup charges - which sounds REALLY good, but I'd like to hear from someone who has it first, before I ditch my cable connection.

  37. VPN, Internet Connection Sharing, etc. by the_schnoov · · Score: 2

    I subscribe to ATT@Home, and it's not bad. The speed could be more consistent, but I haven't experienced any downtime so far and overall I'm happy. After looking at the Comcast@Home Subscriber Agreement, I certainly hope that AT&T doesn't start making policy changes using Comcast as a model.

    AT&T's policy is that you cannot run any servers, i.e. FTP, Telnet, News, etc. including VPN servers. They could care less whether or not I connect to work or elsewhere through VPN. The Terms of Service also say nothing about hosting a personal web site. It goes along with the upstream bandwidth limits, they want you to subscribe to their business services (which just happen to be significantly more expensive).

    As far as sharing the internet connection goes (this is what I was told by the installation guy), the policy "we don't support home networks" really means "we're not going to set one up for you." I personally use a 2000 server configured as an internet router to share my connection. But he said he'd seen quite a few people with linux boxes or hardware routers. The companies just want you to buy more IP addresses from them (at $4-5 a month per IP address, it adds up).

  38. Confusion by mindstrm · · Score: 2

    VPN has nothing to do with NAT & local networks. They are not saying 'you must get additional IPs from us', they don't care. The IPs are there if you want; firewall off your own private network if you want.

    What they are trying to prevent is people using @home to VPN in to their office networks, and this should REALLY DISTURB PEOPLE.

    It should *NOT* be @HOME's place to tell us what kind of traffic is acceptable, other than network abuse itself. If they want to up bandwidth fees, that's fine.

    Hmm. I wonder why @home is so insistent on forcing people to web surf and email only... could it be they are tracking statistics?

  39. Two points. by mindstrm · · Score: 2

    1) VPN != Private network. These changes have nothing whatsoever to do with 'multiple IP addresses' or 'running a private firewalled network' at home. They don't care one iota about this. A VPN is when a secure tunneling protocol is used to create virtual network connections to remote private networks, ie: your office network.

    2) This is not an @home change, only a comcast@home change.. specific, it appears, to comcast, as it doesn't appear in any other cable provider's network. I believe individual providers are allowed to add their own restrictions if they wish.

  40. Re:Broadband Monopoly by Malc · · Score: 2

    That was exactly my reaction.

    I live in Ontario (Canada, not California!) working remotely for the Colorado office of a San Jose based company. I wouldn't be able to do this without a VPN.

    My DSL internet access from Sympatico (Bell) costs Cdn$40/month (including $10 modem rental). The equivalent business service (identical in all forms) from Bell itself costs about $80. Faster services start at $150 quickly rising to $450/month, but they are all business only. The only alternative is Rogers@Home (some alternative, eh?). Banning VPN would force me to switch to a corporate plan, which would mean paying through the nose :(

  41. VPN's, @Home, and cable networks by jd · · Score: 3
    First, it sounds like the TOS for @Home are now (deliberately?) vague and open to a lot of interpretation.

    Second, whilst the "stated" aim is to prevent the customer from using @Home as a means to compete -with- @Home, the effect is to essentially make @Home largely pointless. There is no purpose in being connected 100% of the time, if you can't make -some- use of the unused bandwidth that you (after all) -ARE- paying for.

    IMHO, if they had said -commercial- web server, or -commercial- VPN, then @Home would have a point. It would also make some kind of "legal" sense, due to US zoning laws.

    On the other hand, blanket bans, where what is being banned is not clearly stated or described, sounds more like a means to sue anyone they happen to feel like, on some kind of ill-defined pretext.

    I thought King John had ended this kind of practice. Obviously not. Maybe we need another uprising, to remind people that "authority" is NOT about power but responsibility.

    OTOH, if some Grey Hats could, umm, find a few billion to rewire the US with 3 terabit Optic Fibre running to everyone's house, then @Home's TOS would be quite redundant.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  42. BellAtlantic DSL by Zarcon,+God+fo+Typos · · Score: 2

    I suppose it's Verizon now, but when they started offering DSL service they would tie their service directly to your MAC address (they provided the modems etc...). After a few months, and the numerous crashes this authentication caused on their end, they stopped. However, the explanation they gave me for this when I called and asked was to try to stop me from using their service from more than one computer; I was told that I would have to purchase another DSL if I wanted to have another hookup in my house. While this was easy to work around, I was still surprised that they would try this.

  43. Toronto DSL vs. Cable - @Home, Bell Atlantic by BigBlockMopar · · Score: 2
    Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.

    Yeah. Most of the people I know in Toronto and Ottawa who are on either Shaw@Home or Rogers@Home are very happy with their service. Friends in Niagara Falls NY on Adelphia's unidirectional cable system love that, too, even piped into their LAN. It's worth noting that one of those friends actually works as a sales rep for Bell Atlantic DSL.

    And, @Home sucks. Is ADSL any better?

    Okay. Well, I've never had cable internet service.

    My decision went as follows:

    • Price. Cable is $50/mo if you don't subscribe to cable TV.
    • Quality. Bell Canada's Sympatico HSE service is considered to be absolute junk, at $40/mo. (I use Bell long distance, so I don't have to pay the $10/mo grab.)
    • Server-Friendly? I wanted the option of a static IP, with an ISP that didn't care if I wanted to run a webserver in my home. Neither @Home nor Sympatico HSE offered that. And then, I lucked into something...
    • dsl.ca is a division of Velocet. They offer their DSL service only in Toronto at the moment. $34.95/mo + $5/mo modem rental (okay, no cheaper than Sympatico). But for an extra $5/mo, they'll rent a static IP. Installation went like a million bucks. PPPoE is the only downside, but even so, Roaring Penguin's PPPoE solution is great.

      Many people complain about the stability of DSL connections. I have no concerns:

      2:37pm up 20 days, 14:21, 1 user, load average: 0.13, 0.03, 0.01
      55 processes: 54 sleeping, 1 running, 0 zombie, 0 stopped
      CPU states: 0.7% user, 1.3% system, 0.0% nice, 97.8% idle

      My PPPoE-based DSL connection is started up when my computer starts up. Most of that CPU load is actually top, then there's a bit from the PPPoE client. Even with all 5 computers on my home LAN streaming Real Video from the Big Brother website, the PPPoE client never gets above 2.5% or so CPU usage. (Pentium 133 with 32 megs RAM.)

      If you're in Toronto, look into dsl.ca if you want a cable/Sympatico alternative. I love these guys.

    --
    Fire and Meat. Yummy.
    1. Re:Toronto DSL vs. Cable - @Home, Bell Atlantic by BigBlockMopar · · Score: 2
      I may be missing something, but what does system uptime have to do with DSL stability?

      LOL Nothing directly, of course.

      The DSL connection is made when Linux boots.

      The DSL connection is not automatically reconnected if it goes down. (I just haven't gotten around to creating the scripts.)

      I haven't paid the extra $5/mo for a static IP yet, mostly because I still want the ability to log off and get a new IP address if I think someone has cracked my box. (I'm not new to using a *NIX system, just new to being root.)

      The uptime display there came from telnetting (bad, I know, but I never do it as root, and my passwords are all huge and ugly) into my box, and using copy and paste to put it into a message. The DSL connection must still be up for that to work, and has been up since the computer was last booted. No interruptions, and, in fact, no IP changes, either.

      Of course, I could just type "adsl-start" to restart my DSL connection if it went down, but I doubt that would work through telnet... you'll have to take my word for this (note, of course, that my IP address and username are hidden):

      Last login: Mon Aug 14 15:12:32 from mail1.litton-marine.com
      You have mail.
      [*****@proxy *****]$ uptime
      5:07pm up 20 days, 16:52, 1 user, load average: 0.00, 0.00, 0.00
      [*****@proxy *****]$ cd /
      [*****@proxy /]$ ./usr/sbin/adsl-status
      adsl-status: Link is up and running on interface ppp0
      ppp0 Link encap:Point-to-Point Protocol
      inet addr:204.138.***.*** P-t-P:204.138.***.1 Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1450 Metric:1
      RX packets:1666960 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1175240 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:10

      [*****@proxy /]$
      --
      Fire and Meat. Yummy.
    2. Re:Toronto DSL vs. Cable - @Home, Bell Atlantic by BigBlockMopar · · Score: 2
      Considering the widely negative reviews I've seen with dsl.ca I'm surprised at your comments. You're the first person I've seen who has said anything positive about them. Are they actually providing the 1.2meg service they are advertising on the website? If so how?

      Actually, for sustained transfers and stuff, yeah, I actually top out about 800k/sec, which is a little short of the 1.2 megs promised. But, it's rare that I get 800k/sec, too: I think that's more a factor of internet traffic than it is Velocet (dsl.ca).

      The other thing, too, is that the PPPoE overhead will eat up a certain percentage of the DSL "modem"'s capacity. Doesn't PPPoE cost about 15-20%?

      While PPPoE is not ideal, I really don't have much problem with them, except that their ping times seem to be high. When I do a traceroute, it seems to me that it takes a huge number of hops to get from me to the Toronto backbone.

      What the hell is reptiles.org?

      [*****@proxy /]$ ./usr/sbin/traceroute slashdot.org
      traceroute to slashdot.org (64.28.67.48), 30 hops max, 40 byte packets
      1 trebucbet-redf1x.tor.velocet.net (204.138.59.213) 73.023 ms 62.160 ms 51.985 ms
      2 hadrian-trebucbet.tor.velocet.net (216.126.83.25) 74.320 ms 57.738 ms 60.070 ms
      3 gate.velocet.net (216.126.81.1) 62.594 ms 69.898 ms 62.918 ms
      4 gw-151.reptiles.org (204.138.40.5) 64.112 ms 61.132 ms 59.473 ms
      5 209.135.88.249 (209.135.88.249) 63.479 ms 61.737 ms 63.535 ms
      6 209.135.96.17 (209.135.96.17) 67.638 ms 78.423 ms 67.265 ms
      7 dis1-toronto63-pos7-3.in.bellnexxia.net (206.108.111.29) 79.217 ms 80.167 ms 79.363 ms
      8 core1-toronto63-pos1-2.in.bellnexxia.net (206.108.98.5) 83.207 ms 80.710 ms 111.743 ms
      9 bx1-chicago23-pos3-0.in.bellnexxia.net (206.108.98.42) 94.517 ms 87.950 ms 79.582 ms
      10 exodus-gw.bx1-chicago23-pos7-3.in.bellnexxia.net (206.108.108.250) 79.043 ms 160.032 ms 150.868 ms
      11 bbr02-g2-0.okbr01.exodus.net (216.34.183.98) 119.095 ms 101.186 ms 115.647 ms
      12 bbr01-p5-0.wlhm01.exodus.net (216.32.132.210) 150.731 ms 132.936 ms 103.258 ms
      13 dcr04-g1-0.wlhm01.exodus.net (64.14.70.50) 103.193 ms 104.853 ms 107.543 ms
      14 64.14.80.146 (64.14.80.146) 114.489 ms 133.506 ms 143.776 ms
      15 64.28.66.203 (64.28.66.203) 134.878 ms 138.133 ms 126.927 ms
      16 slashdot.org (64.28.67.48) 123.078 ms 116.882 ms 131.026 ms

      I'm not a gamer; high ping times aren't really much of a problem, because the sustained data transfer rates are consistently great.

      "What happens if I choose not to use your high-performance proxy or I'm serving (uploading) off my ADSL connection? If you do not wish to use our proxy and/or are serving off your ADSL connection (i.e. uploading), we offer 5 Gigs of download/upload data transfer monthly at no cost. This averages out to 250 Megs per day. Even with a fairly popular website hosted on your ADSL connection, you will not come close to exceeding that. Should you exceed your 5 Gig free, we charge you what we pay for additional bandwidth: $10.00 a month per additional Gig."

      Notice that they're the only high speed consumer ISP I've ever seen that says, "Sure, you can run a website off your DSL connection".

      I agree, I'd prefer to not be asked to use their proxy server. In fact, I don't. But I can also understand that bandwidth costs money, and that if Yahoo, etc, is cached locally, they can provide everything with no problems to the average user.

      But remember, 5 gigs a month really is a hell of a lot of information. Unless you're talking about the overhead of leaving Gnutella running. <grin>

      False advertising? You have to wonder about anybody who engages in misleading [and IMHO false] advertising that dsl.ca is doing.

      No more so than any DSL provider talking about the security and speed of an individual connection, versus that of a shared connection a-la cable. Gimme a break. Everything on the Internet is an exercise in shared bandwidth.

      @Home and Sympatico HSE specifically forbid servers. Now, could they ban me because some versions of ICQ actually include a little webserver? Bet your ass they could. Could they eventually turn me off because Napster is a server? How about my own personal goals of running Apache and stuff? Of the three high speed ISPs available in my location (Toronto) at the time, as they would have cost me, they were as follows:

      Rogers@Home: $50/mo (I don't have cable TV). DHCP. No servers allowed. 5 POP3 mailboxes. Small hosted site.

      Sympatico HSE: $40/mo. DHCP with PPPoE. No servers allowed. 3? POP3 mailboxes. Small hosted site. All aspects of their service are unreliable (from what www.sympaticousers.org was saying at the time)

      dsl.ca: $40/mo. DHCP with PPPoE, static IP option. Servers allowed. 5 gigs/mo cap before extra charges. Web e-mail accounts included, POP3 available at extra cost (Yahoo offers free POP3). Service seems to be stable and reliable, with little speed brownouts every now and then (usually late at night); apparently the Bell loop cards and lines aren't the items that make Bell Sympatico HSE unreliable, since dsl.ca uses them, too.

      look.ca: Not really a high speed ISP at the time, since their upstream is through a dial-up connection. Part of the attraction of a high speed ISP is the always-on connection. Besides, $40/mo (I don't get Look TV service), no servers allowed, requires my phone line, slow uplink, no static IP, weird hardware reminiscent of a unidirectional cable modem attached to a flat microwave antenna on my house. Oh yeah, and they have an idle cutout of 5 minutes, and a busy cutout(!) of six hours, where they disconnect you halfway through downloading a big file.

      dsl.ca just seems to be more geek-friendly than most high speed consumer ISPs. And that's mostly why I'm with them.

      --
      Fire and Meat. Yummy.
  44. Re:Yes, poster was confused by bonehead · · Score: 2

    ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

    I can't speak about comcast, but I've been using AT&T@Home (formerly TCI) for a couple years now, and have been running pretty much all of the "forbidden" services on my box. Granted, the daemons don't account for a great deal of traffic, but certainly enough to be detectable if they were looking.

    My gut feeling is that running these services is "forbidden" simply to relieve their tech support staff from having to answer questions, and from complaints like "my users are getting horrible download speeds from my ftp site." Other than that, they really have no reason to care what you run on your machines, especially with the upstream bandwidth caps they've recently put in place.

    As much hype as there has been about these restrictions, I don't think I've heard of even one case of somebody getting their service terminated for running an ftp or http server.

  45. Why kill VPN? by _Sprocket_ · · Score: 2
    So we've established that a VPN isn't NAT. It isn't a home network. It's an encrypted connection often used by telecommuters. So why ban it?

    Quick. Let's get out our conspiracy hats. It's either money or power. Corporate greed or government subversion of our privacy. Which could it be?

    rc-flyer was nice enough to call up the Comcast folks and get clarification. Encryption for consumer use such as shopping and banking? OK. Telecommuters? No way.

    Aha. While it might be more exciting to strain for the sounds of black helicopters and carnivorous black boxes, greed wins out. A look at the @Work site gushes:

    End-To-End Security
    @Work Remote eliminates the risks associated with sending critical information over the Internet by providing the privacy of a secured data network via encrypted "tunnels." In addition, our 5Gbps fiber-optic IP network is continuously monitored by the @Work Network Operations Center, and managed at the most secure level possible using a combination of cryptographic techniques, packet filters, passwords, and secure configurations. @Work provides subscriber PC security options for remote users, as well as gateway security for the corporate connection.
    It would seem that telecommuters are finding it easy to do their own "@Work" solution and aren't interested in the undoubtedly higher price tag of @Work over @Home service.
  46. Re:Make your own by tjwhaynes · · Score: 2

    And, @Home sucks. Is ADSL any better?

    Running PPPoE on Sympatico HSE ADSL, I see pings to the most local Q3 demo servers in the range 30-50ms. Download speeds up to 102Kbytes/second, particularly to the Helixcode Akamai server, so I'm pretty happy with it. Performance under Linux is good and gets connected faster than on Windows when using the RP PPPoE client so I'm happy. Especially as the reason for getting the ADSL in the first place was VPN connectivity.

    Cheers,

    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  47. Re:Clarifying the confusion (maybe) by mindstrm · · Score: 2

    There is no 'standard' VPN protocol. All you would see is an encrypted datastream.

  48. Re:How would they know... by baka_boy · · Score: 2
    Claiming unlawful search and seizure might work, except for the clauses higher-up in the agreement, which gives Comcast the right to enter your home to check, change, or shut down the service. Like most ISPs, they've covered their asses, and probably wouldn't have to explain jack if they wanted to cut you off -- they'd just pull the plug at their end, and send you a letter a week later.

    ISPs can get away with outrageous bullshit if they like...most usage agreements, no matter how innocuous, contain a clause allowing them to modify the terms of service at any time, for any reason. Business users get a bit more slack, but they pay through the nose for it. Personally, I'm sick of it, but there's no public, open alternative to the ISP oligopolies.

  49. Yes they portscan... by TobyWong · · Score: 2

    ...to varying degrees. Some of the cable co's seem to take rather draconian measures in portscanning/enforcing their AUPs.

    Rogers@home isn't overly anal (at the moment anyhow) about this sort of thing although the one thing they will portscan and hunt you down for is an open newsfeed. This is in response to the whole usenet @home blackhole fiasco of some time ago. I've noticed that they don't even mind if you have an ftp server up so long as it's not anon access and you don't cause trouble (you would never get an @home rep to say this on record tho so take it for what it's worth).

    --
    - Toby
  50. Oh yeah by Dungeon+Dweller · · Score: 2

    Getting cable and cablemodem services up at school, + the equipment rental costs about half as much as my RENT for my APARTMENT with ALL OF THE UTILITIES INCLUDED. This is OBSCENE.

    --
    Eh...
  51. Re:VPN is a strange thing to forbid by Tower · · Score: 2

    >The most likely the reason why they are banning VPN's from @home is to sell their @work remote access service [LINK].

    I like the fact that they have a typo in their graphic on that page... 'Corporat' and 'Corporate' both appear... you think they could at least be consistent...

    --
    "It's tough to be bilingual when you get hit in the head."
  52. WRONG! by zTTTz · · Score: 3

    @Home frequently runs portscans on their domains to "Make sure their clients aren't running any services they were not aware of." If the scanner finds one it will auto-mail you. This is more political than anything. All my services run above port 40000 and you have to connect to a trigger port 500 ms before (which is in the low 1000's) and that fundamentally kills @Home's portscans (as well as the other million portscans I get and failed ftp login attempts with user/pass:warez). If they do find a way to block you, try setting up an SSH tunnel to that port. Use the Linux VPN howto as a template on how to pull this off. Not rocket science.

    1. Re:WRONG! by IpSo_ · · Score: 2

      Why not just block them altogether with IPChains?

      966120470 - 08/12/2000 15:47:50 Host: authorized-scan.security.home.net/24.0.94.130 Port: 119 TCP Blocked

      I've been doing that on 10 machines (all different cities) ever since they started scanning their hosts, and I run a full set of services on each machine. Haven't been bothered yet.

      --
      Open Source Time and Attendance, Job Costing a
    2. Re:WRONG! by synx · · Score: 2

      No way, I catch authorized-scan.security.home.net with portsentry all the time as well. They always scan port 119, I have no idea why. It's weird.

      And yes, I run full services as well, tons and tons of services, and I never get bothered. Then again I don't read the @home official email, so who knows?
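    The two replies above quote blocked-probe log lines of the form "epoch - date time Host: name/ip Port: n TCP Blocked". As an added example (not code from either poster), here is a small Python parser that turns such lines into a per-source summary, so a log like that can be reviewed for which hosts are sweeping which ports; the first sample line is the one quoted above, the rest are constructed with documentation addresses.

```python
import re
from datetime import datetime

# Log-line format quoted in the replies above:
#   "<epoch> - <mm/dd/yyyy> <hh:mm:ss> Host: <name>/<ip> Port: <port> <TCP|UDP> <action>"
LINE_RE = re.compile(
    r"^(?P<epoch>\d+) - (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Host: (?P<host>[^/\s]+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Port: (?P<port>\d+) (?P<proto>TCP|UDP) (?P<action>\w+)$"
)

# Sample log: line 1 is the one quoted in the comment; the others are constructed
# (192.0.2.0/24 and 198.51.100.0/24 are reserved documentation ranges).
SAMPLE_LOG = [
    "966120470 - 08/12/2000 15:47:50 Host: authorized-scan.security.home.net/24.0.94.130 Port: 119 TCP Blocked",
    "966120500 - 08/12/2000 15:48:20 Host: scanner.example.net/192.0.2.10 Port: 21 TCP Blocked",
    "966120501 - 08/12/2000 15:48:21 Host: scanner.example.net/192.0.2.10 Port: 23 TCP Blocked",
    "966120502 - 08/12/2000 15:48:22 Host: scanner.example.net/192.0.2.10 Port: 80 TCP Blocked",
    "966120503 - 08/12/2000 15:48:23 Host: scanner.example.net/192.0.2.10 Port: 119 TCP Blocked",
    "this line is not in the expected format and is skipped",
    "966120600 - 08/12/2000 15:50:00 Host: dns.example.org/198.51.100.5 Port: 53 UDP Blocked",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["epoch"] = int(rec["epoch"])
    rec["port"] = int(rec["port"])
    # Keep the human-readable timestamp as well; the epoch is used for ordering.
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
    return rec


def summarize(lines):
    """Group blocked probes by source IP: hostname, distinct ports, hit count, first/last epoch."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        entry = by_ip.setdefault(
            rec["ip"],
            {"host": rec["host"], "ports": set(), "hits": 0,
             "first": rec["epoch"], "last": rec["epoch"]},
        )
        entry["ports"].add(rec["port"])
        entry["hits"] += 1
        entry["first"] = min(entry["first"], rec["epoch"])
        entry["last"] = max(entry["last"], rec["epoch"])
    return by_ip


def likely_scanners(summary, min_ports=3):
    """Source IPs that probed at least min_ports distinct ports: a crude sweep heuristic."""
    return sorted(ip for ip, e in summary.items() if len(e["ports"]) >= min_ports)


def main():
    summary = summarize(SAMPLE_LOG)
    for ip, e in sorted(summary.items()):
        print(f"{ip:16} {e['host']:40} hits={e['hits']} ports={sorted(e['ports'])}")
    print("likely sweeps:", likely_scanners(summary))


if __name__ == "__main__":
    main()
```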

  53. @work may be the answer by Vassily+Overveight · · Score: 2

    I haven't read their service agreement lately (they seem to change once a month), but the last time I checked the Cox@Home one, you could do things like run servers, VPNs, upload scads of data, etc. by becoming an @Work user. Same hardware hookup, but they remove those restrictions, plus they don't cap the data rates. So, while it might be true that you're stuck with your provider, it's not technically true that you're without recourse for obtaining these services. You just have to be willing to pay the additional money, a question best left up to you as to whether it's worth it.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

  54. Re:Read the entire agreement!!! by jovlinger · · Score: 2

    How could they tell? Doesn't a VPN just look like one computer doing a whole lot of network activity?

  55. I called them up to find out, here's what I got. by josephscott · · Score: 2
    I'm signed up to start this service soon. So I went and read this section of the service agreement. Like you I noticed that there is wording in there that may indicate that these things can not be done in relation to "Business Use".

    My reading of this however did not make it clear that VPN was tied to this "Business Use". So I called up their tech support folks. Who didn't really understand what I was even asking, so they went to their boss. What I wanted to know is if it was ok for me to do VPN to work because that's how I access my systems remotely.

    Their response,....

    NO!

    If I was to do so I would receive a warning and if I continued I would be kicked off the system.

    This really, really bugs me! It also makes me wonder exactly what they mean by VPN, does connecting with any encrypted method count (SSL web pages)? What about remote access with SSH? What about port forwarding with SSH? From what I'm hearing from them, I'm not allowed to access anything in a secure manner.

    It looks like they want to totally kill off the work from home user.

    It's time to make some noise about this.

  56. Are you confusing VPN's and ip masquerading? by Hairy_Potter · · Score: 5

    I thought a VPN was a simulated private network across the internet, which I supposed you could use to connect two of your computers, but only if they were physically far apart, using a VPN to connect two computers in the same room sounds insane.

    Perhaps you meant to mention the previous clause in the contract, where they prohibit you from being an endpoint for a lan, which is what you need to do if you're sharing an internet connection with IP masquerading.

  57. So? Anyone reading /. is already in violation by overshoot · · Score: 2

    Big whoop. The @Home AUP already prohibits connecting any servers to their network, and they go to considerable pain to make it clear that they're not just talking web, ftp, etc. If any of your computers are listening to any TCP ports you're in violation.

    Since they don't (can't?) enforce this most people aren't bothered by it in the least. A few of us have hangups about making agreements with the intent to violate the terms, so we avoid @Home. Not that there aren't plenty of reasons to avoid them without ethical excuses...

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  58. How it should be by interiot · · Score: 2

    I don't think ISP's should restrict you at all, other than capping your bandwidth. Once they give you the pipe, anything else is unenforceable if the user has enough time on their hands.

  59. Looks to be Comcast, not @home doing this by RocketJeff · · Score: 4

    I was interested in hearing about this since I use AT&T/@Home. It appears that this is only the Comcast user agreement and not the @Home agreement.
    Remember, Comcast (and AT&T) use @Home services and can set their own user agreements separate from @Home.
    Looks like Comcast sucks, but not all @Home providers are quite this bad.

  60. No VPN? How to make your life interesting by wafath · · Score: 2

    Comcast, being a cable provider, usually operates in accordance with local, county, city, or municipality governments. They have a licensed monopoly from the local government. Comcast MAY have presented @Home as a service in many ways, including offering an easy way for consumers to telecommute. This is of interest to the government because telecommuting appears to be a cheap way to lighten traffic loads.

    So what I am saying is that you could try to contact your local government. They would take a deep interest in this sort of thing. Since Comcast's billing of cable customers has to be approved by the county, the county has leverage over them.

    Also, another question is how would they know? The only way to know is by checking the contents of a packet. Doesn't this violate wire-tapping laws in your state?

    Oh, IANAL, but just some things to consider.

    W

  61. Re:Make your own by Bill+Currie · · Score: 2
    even 100Mhz is (IMHO) overkill. My ipchains firewall is a 386-33 which very happily pumps 300k/s through it (330 is the highest I've seen yet, but I've managed to get 700k/s out of the box using ftp (as a host)). And yes, that's 300 kilobytes/s (2.4-3Mbps).

    Ok, compiling things on my firewall sucks, but I don't do that often :/

    Bill - aka taniwha
    --
    Leave others their otherness. -- Aratak

  62. VPN is a strange thing to forbid by wa1hco · · Score: 3

    VPN usually means creating an encrypted IP in IP tunnel, for example between home and office, to allow secure connections. So, we have a difference of interpretation here that is hard to understand. cwilson assumes it means creating a home network, probably with ipmasquerading. But I've never seen "VPN" used in that context. On the other hand, what does it mean for @home to forbid encrypted tunnels? Do they mean you can't encrypt? What about SSL? Do they mean you can't create a site that allows others to VPN in from the internet? Mysterious.

    1. Re:VPN is a strange thing to forbid by Sloppy · · Score: 2

      Idea: Maybe the reason they do this is that VPN is sort of like the ultimate portscan-proof blocks-almost-everyone firewall. If people use tunnelling, they can set up any imaginable type of server (including servers prohibited by the TOS) without there being any means to detect it. Put up a web server or something, and have it only accessible through the tunnel, and their portscanners won't see it.

      Of course, by its very nature, I would think that using a VPN would mean that the overall .. uh .. "audience" for the server would probably be rather small, perhaps among a group of friends or whatever, so it wouldn't really be contrary to the spirit of the ISP's TOS. Perhaps I'm not thinking deviously enough.

      Ultimately, I think that an ISP controlling how its customers use their bandwidth makes about as much sense as a movie producer trying to control how its customers play their DVDs. And it'll be about as effective too.


      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  63. Re:I'm only going to pay for a pipe... by Detritus · · Score: 2
    They are providing no additional benefit but think they are entitled to additional money.

    What do you expect from a cable company?

    They are used to a world where they control the content and everyone has to pay rates based on perceived value, not cost. You are just another set of eyeballs, a passive consumer of product.

    --
    Mea navis aericumbens anguillis abundat
  64. data security by bfree · · Score: 2

    The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections.
    The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth, so instead they are just banning anything you could possibly want to use it for other than surfing and email (and even email they are not generous about) because if they banned these they wouldn't be able to convince anyone that it was a good deal :-)

    --

    Never underestimate the dark side of the Source

  65. VPN != IP Masquerading / NAT by TheLurker · · Score: 2

    First of all, the poster's interpretation of what this clause means, and of what the term "VPN" means, is incorrect. VPN is a way of securely connecting two networks over an insecure network and doesn't necessarily have anything to do with IP Masquerading / NAT.

    Still the interesting question is, what would they have against VPN tunnels... I use them all the time to create encrypted links to the servers I administer... hmm... what would a huge ISP have against encrypted VPN links.. encrypted...

    Could it be that encrypted tunnels would prevent them from sniffing your packets and thus participating in echelon or court ordered wiretaps? Nahh.....

  66. Re:How would they know... by baka_boy · · Score: 2

    Read the AUP linked from the original article -- they do indeed reserve the right to enter your home, with prior notice, to check, modify, or remove the equipment. It's not illegal if you sign a contract (or agree to an AUP) giving them that right.

  67. How enforcable is this? by Picass0 · · Score: 2

    After all, they have to hack through my proxy before they can see my other machines, and that makes them guilty of computer crimes....

    Is such a policy enforcable by any practical means?

  68. Re:they will have you think by Bill+Currie · · Score: 2
    Apparently, another reason for the terms of use is spam. Here in Calgary, Shaw@Home doesn't seem to mind you running a mail server so long as it doesn't relay. I'm not sure about http, but for ftp they don't care so long as it's non anonymous (uploads?). Basically, it seems they don't want you getting them blackholed or chewing up all their bandwidth :).

    As with you, I've only ever seen them scanning nntp, though I've had several attempted connections for smb/nmb (probably windows types trying to see what's out there). I'm actually a bit worried because I haven't seen anything in my logs since the beginning of the month.

    Bill - aka taniwha
    --
    Leave others their otherness. -- Aratak

  69. Download Porn Faster! (TM) by coyote-san · · Score: 4

    Not every area has both @Home and @Work. My area (Boulder, Colo) just got it a few weeks ago, and we only have @Home with "casual, residential use" guarantees. Reading between the lines: I can't complain if I can't telecommute because the system is down for hours while they continue rebuilding the system.

    As for the telecommuting issue - I read my @Home AUP, and I actually kicked out the US Worst DSL for non-performance, and I understand that both organizations strongly downplay the telecommuting aspect because they don't want to catch the flak when people can't work. Worse, a particularly clueless drone once suggested that I "just go into the office" those days when the connection is flaky, not comprehending that as an independent consultant my home *is* my office on some projects.

    The fastest way to change this attitude, in my experience, is to ask them if they think the sole reason people order this service is so they can download porn faster. (Esp. since the TV ads always show someone downloading images on a web browser, not downloading source tarballs.) This always seems to force them to reevaluate what's left after they make life unbearable for independent workers and telecommuters.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  70. Confusion? by Sloppy · · Score: 2

    I don't get Roblimo's comment. What do VPNs have to do with NAT or IP Masquerading?


    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  71. VPN's are NOT masquerading firewalls by dutky · · Score: 2

    The cited portion of the @home contract is not preventing users from running a masquerading (aka NAT in the non-Linux world) firewall. VPN's are a way of tunneling network traffic over a non-secure network in a secure fashion (using encrypted connections/packets) and provide the illusion that many, spatially distant computers are communicating over a common LAN, rather than over the open internet.

    There may well be a section of the @home contract that forbids masquerading/NAT firewalls, I know that such clauses were popular a year or so back (mostly specifying that only a single computer could be hooked up to the service, which pretty much forbids masquerading/NAT firewalls) but the cited section is dealing with something else entirely.

  72. Bye Bye HEAT.net and MPlayer.com by Hynman · · Score: 3

    Couldn't it be construed that packet encapsulation altogether is a VPN and HEAT and MPlayer will be fuct? If that is allowed then can they stop IPv6? And... drum roll please... IPv6 features encryption, even user defined encryption. So in theory you could do IPv6 under the same principles that HEAT and MPlayer are allowed.

    I've written (email) the following letter to @home to see if they have a clue:
    ------------------------------------
    I am a current @Home subscriber. The future of you providing my service
    rests on the following questions:

    Pertaining to section 6 d:
    'OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL'

    I wish to clarify that you do indeed mean VPN and not NAT.

    Question 1a) Do you really mean VPN?
    1b) How does @home define a VPN?

    A VPN may be implemented over HTTP or other already allowed protocols.

    Question 1c) Does this also deny such a VPN?

    Question 2) Do you really mean NAT?

    While a NAT (Network Address Translation) computer would cut into the $6.95 it costs for additional IP address, it is unclear why you would ban use of a Virtual Private Network (VPN), because it would not cut into profits. These two items are not related, but may be used in conjunction (but usually are not.) A VPN provides secure networking between computers over the Internet.

    Question 3) Why would @home ban VPN? Note: 'Because' is not sufficient. Please explain in detail why this restriction was chosen to
    be amended to the agreement. Please include any examples or relevant material.

    Section 9 A: You cover eavesdropping and how it is a risk. A VPN is the solution to such risk.

    Question 4) Do you still wish to ban VPN?

    My friends and I (All @home subscribers (for now)) wish to run a VPN. Provided that the VPN is in accordance with US and local authorities:

    Question 5a) Is this permitted by @home?
    5b) If so, are there any restrictions? 5c) what are those restrictions?

    Question 6) What measures will @home take to prevent/and/or detect VPNs?

    Question 7) If a VPN is discovered, through legal means, what measures
    will @home take?

    Question 8a) Is packet encapsulation considered VPN? If so, it will prevent services like heat.net and mplayer.com from functioning, since
    these services encapsulate IPX over IP. What about for IPv6? Also, AOL would be affected.

    Question 8b) Are you aware of these ramifications?

    Please note that an answer such as 'whatever is deemed necessary' is vague. Please elaborate as much as possible. Answers will be taken with consideration as to the notion of 'progress' and 'advancement' of the service. Also please place the answer to each question below that
    question. Please answer each question. If answer is 'unknown', then please state 'unknown' and refer me to the appropriate person inside @home who would know.

    Thank You for your time,
    A current subscriber.

  73. Re:@Home by drix · · Score: 2

    Oh they are not outrageous - c'mon. I can remember back to a time when the mere thought of getting 2.5mbps of bandwidth for $40 a month would have made me soil myself. It's time to gain a little perspective here. You have no idea what a good deal you are getting; before you go whining about pricing perhaps you should check out the going rates for a modem connection in most parts of Europe, which is still priced per minute of usage, and where DSL is almost nonexistent. @Home is providing you with an extraordinarily high level of service for your money, and the fact of the matter is that they don't charge too much for what they offer already. What they offer is T1 level service for a little more than a dollar a day. If you really think they charge too much, I'd invite you to make a few phone calls and verify the price of a full-blown T1 line.

    --
    I think there is a world market for maybe five personal web logs.

  74. Re:Clarifying the confusion (maybe) by tweek · · Score: 2

    Sure. All they would need to do is block IP traffic type 47 - GRE traffic. They could block pptp traffic as well but once the pptp initial connection is made, it switches over to GRE anyway so it would fail.

    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  75. Demanding Decryption Rights? by Effugas · · Score: 2

    The "Private" context of a VPN is much more important than the virtualized network presence of a transferred network link.

    Privacy and cryptography are intimately linked in Virtual Private Networks; it's the cryptography that makes people willing to use the link at all.

    So, from that I have to ask a simple question: Does @Home plan to monitor my traffic for information they can't decrypt? Is @Home saying that if I would use an unencrypted link to my work email, they'd have no problem with my working from home?

    Can you imagine if a *telephone* company tried to specify who you were and weren't allowed to call, and what you were allowed to say, and that they needed to be able to understand every word you spoke?

    What part of "Common Carrier" doesn't @Home understand?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  76. Read the entire agreement!!! by nharmon · · Score: 3

    ROBLIMO!!! Please read the links of the articles before posting them.

    resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or ununbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or

    Note: I had to use Lotus Wordpro to switch this to lower case, because /.'s unintelligent bastardized lameness filter stopped me. *smile*

    All it is saying, is that you cannot resell @HOME services. What is wrong with that? I think it's perfectly fine. If you want to use it commercially, you pay for such access.

    But seriously. Can Slashdot posters PLEASE read links, it might reduce the amount of FUD which gets passed through.

  77. Just throwin' my $0.02 in.. by UGNS · · Score: 2
    After reading a good deal of the posts on this thread I figured I'd toss in a few bits of wisdom I've pick'd up...

    For one I personally do not think Telephone or Cable companies should be in the internet business as they can't provide reliable service for their primary business let alone a secondary... Some may wish to argue this but if you think about it long enuf you can find the rationale behind this...

    Next I always try to find a local or regional provider before I look at any large company... This thread in and of itself is a good case in point... My ADSL service provider is a local company... I've gotten to know the company employees and have openly discuss'd with them my actual usage of the line... They know I run Linux (In fact they even offer tech support) and that I also have host'd web sites and a co-located box or two online as well... All of which I am paid for hosting... I've also got a complete subnet of valid IPs and could have another block in a short period of time should I need it... The point is if you find a smaller local company you generally can get on better terms with them... I'll add that the relationship I have with my provider has also been great when I've had hack attempts made on my equipment as they are as responsive as if it were their own equipment... Honestly I feel you get better quality service in the long run... My only outages have been the result of the Telco who carries the "last mile" of copper performing unscheduled maintenance on the DSLAM that they fail to inform the customer or the ISP offering ADSL service...

    On the topic of the VPN... It's relatively easy for them to block IPSec VPN traffic as it uses standard ports and protocols... All you actually need to do is block the ESP (50) and AH (51) protocols along with the IKE (500) port on UDP (17).

  78. Is it me by mosch · · Score: 2

    or does this mean that comcast @home customers can't use a vpn to get into their corporate networks anymore. bye-bye telecommuting.

  79. Trick them - use something other than PPTP by bgarcia · · Score: 3
    I think it's pretty safe to assume that if they're going to stop people from establishing vpn's to work, that they'll be looking for the most common ones. In a word, they'll be looking for Microsoft PPTP connections.

    Just trick them? Use one of the other less well known vpn solutions, like VPND. I've been using vpnd for well over a year now, and it works wonderfully. Just pick a non-standard port, and they'll never even know to look for it.

    --
    I'm a leaf on the wind. Watch how I soar.
  80. Re:Yes, poster was confused by ruud · · Score: 3

    They can't possibly detect ip-masq.

    Unless you patch your kernel, Linux uses ports 61000 and up as the source port for masqueraded connections. A lot of traffic originating from that port range makes it at least suspicious that masquerading is used, but indeed they can never be 100% certain.


    --
    bgphints - internet routing news, hints and ti
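Editor's note, an added example that is not from any poster in this thread: the filters proposed in #74 (GRE and PPTP), #77 (ESP, AH and IKE) and the masquerade source-port heuristic from #80 written out as classification logic over constructed flow records. The addresses, the flow records and the 5-tuple layout are made up for the example; the protocol numbers and ports are the ones the posters cite, and 61000 as the start of the masquerade range is an assumption about an unpatched Linux 2.2 kernel. The last sample host deliberately runs PPP over SSH as described later in the thread, to show that none of these filters see it.

```python
# Added example (not from the thread): classify constructed flow records for the
# tell-tales discussed in #74 (GRE/PPTP), #77 (ESP/AH/IKE) and #80 (masquerade ports).
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers and ports named in the thread.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723   # PPTP control channel (TCP); the data then rides on GRE
IKE_PORT = 500             # IKE (ISAKMP) on UDP
MASQ_PORT_LOW = 61000      # assumed start of the Linux 2.2 ip_masq source-port range (#80)


@dataclass(frozen=True)
class Flow:
    """One 5-tuple as a NetFlow-style record. Ports are None for GRE/ESP/AH."""
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def vpn_signature(flow: Flow) -> Optional[str]:
    """Label a flow that matches the protocol/port filters from #74 and #77, else None.

    What it does NOT catch: PPP over SSH, vpnd on a chosen port, or encrypted UDP
    on an arbitrary port all look like ordinary TCP/UDP here.
    """
    if flow.proto == PROTO_GRE:
        return "gre"
    if flow.proto == PROTO_ESP:
        return "ipsec-esp"
    if flow.proto == PROTO_AH:
        return "ipsec-ah"
    if flow.proto == PROTO_UDP and IKE_PORT in (flow.sport, flow.dport):
        return "ike"
    if flow.proto == PROTO_TCP and flow.dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    return None


def masq_suspects(flows: List[Flow], min_flows: int = 5, ratio: float = 0.5) -> Dict[str, float]:
    """Per source address, the fraction of TCP/UDP flows whose source port is >= 61000.

    Returns only addresses above `ratio` with at least `min_flows` samples. As #80
    says, this is suspicion, not proof: a patched kernel or another OS uses a
    different range, and a single busy host can land in it by chance.
    """
    seen: Dict[str, List[int]] = defaultdict(list)
    for f in flows:
        if f.proto in (PROTO_TCP, PROTO_UDP) and f.sport is not None:
            seen[f.src].append(f.sport)
    result: Dict[str, float] = {}
    for src, ports in seen.items():
        if len(ports) < min_flows:
            continue
        high = sum(1 for p in ports if p >= MASQ_PORT_LOW) / len(ports)
        if high > ratio:
            result[src] = high
    return result


def classify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Collect, per source address, the distinct VPN labels seen on its flows."""
    labels: Dict[str, List[str]] = defaultdict(list)
    for f in flows:
        tag = vpn_signature(f)
        if tag and tag not in labels[f.src]:
            labels[f.src].append(tag)
    return dict(labels)


# Constructed sample: four cable-modem hosts (all addresses made up).
SAMPLE_FLOWS = [
    # 10.0.0.1 runs an IPSec client to a corporate gateway: IKE, then ESP.
    Flow("10.0.0.1", "192.0.2.10", PROTO_UDP, 500, 500),
    Flow("10.0.0.1", "192.0.2.10", PROTO_ESP),
    # 10.0.0.2 uses PPTP: TCP 1723 control channel, then GRE.
    Flow("10.0.0.2", "192.0.2.20", PROTO_TCP, 1034, 1723),
    Flow("10.0.0.2", "192.0.2.20", PROTO_GRE),
    # 10.0.0.3 is a masquerading gateway: most source ports come from 61000+.
    Flow("10.0.0.3", "192.0.2.30", PROTO_TCP, 61000, 80),
    Flow("10.0.0.3", "192.0.2.31", PROTO_TCP, 61001, 80),
    Flow("10.0.0.3", "192.0.2.32", PROTO_UDP, 61002, 53),
    Flow("10.0.0.3", "192.0.2.33", PROTO_TCP, 61003, 443),
    Flow("10.0.0.3", "192.0.2.34", PROTO_TCP, 1100, 80),   # the gateway's own browser
    Flow("10.0.0.3", "192.0.2.35", PROTO_TCP, 61004, 25),
    # 10.0.0.4 runs PPP over SSH: indistinguishable from an interactive ssh session.
    Flow("10.0.0.4", "192.0.2.40", PROTO_TCP, 1200, 22),
]

if __name__ == "__main__":
    print("VPN signatures:", classify(SAMPLE_FLOWS))
    print("masquerade suspects:", masq_suspects(SAMPLE_FLOWS))
```

Run as is, it flags 10.0.0.1 (ike, ipsec-esp), 10.0.0.2 (pptp-control, gre) and 10.0.0.3 (five of six source ports in the masquerade range) and says nothing about 10.0.0.4, which is exactly the gap the later posts about PPP over SSH and vpnd exploit.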
  81. FWIW by David+A.+Madore · · Score: 2

    I've written a little program that will use the Linux ethernet tap device to take ethernet frames, optionally encrypt them using blowfish, and encapsulate them in UDP datagrams that are sent to a certain list of peers (either fixed or dynamically updated). So, in effect, it performs the task of a VPN; the advantage, though, is that the datagrams are standard UDP datagrams, which are not distinguished by their protocol number (only their port number, but that can be changed at run time), thus essentially impossible to filter from "legit" packets (there isn't even a recognizable application level header, because all is encrypted using blowfish and transmitted "as is"; changing the blowfish key could produce just about any content in the datagram). This could be useful in getting around any kind of filtering mechanism of this sort (unless they decide to completely disallow UDP, but that would be a bit fascist even for most ISPs).

    I use it, together with a UDP bouncer program, to get around a fascist firewall. I used to do it on TCP, but I had all sorts of nasty resonance problems between the two TCP windows, so I dropped that (the advantage of TCP, though, is that it never lost any frames as UDP does).

    Program is GPL'd. Your mileage may vary. Use at your own risk. Standard disclaimers apply.

  82. Re:Just set up firewall to refuse packets from @ho by charnov · · Score: 2

    Don't forget that cable modem hanging off that copper is a full-fledged router/monitoring device. The hardware in a DOCSIS (the standard) cable modem is truly impressive. It contains the logic to function as a router with plenty of monitoring tools built-in. A proxy or NAT style router/firewall is still the safest (and highest performing) method of placing multiple computers on a cable or DSL connection. There is (almost) no way of detecting multiple machines behind a NAT router or something similar.

    --
    [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
  83. ADSL is better by spinfire · · Score: 3
    I have ADSL service from Speakeasy.net and they are incredibly flexible. They allow whole networks on residential circuits and i run a mail/web/ftp server on mine.

    Thus, I come to the conclusion that DSL is a better deal, provided you can find a good ISP (I strongly recommend speakeasy, they even fully support linux).

  84. I really wouldn't worry.. by signe · · Score: 3

    Personally, I'd just ignore this little change, like many people ignore the "don't run servers" rule. Why? @Home doesn't care.

    How do I know this? Well, I was at a conference in DC last spring called Spam Summit. Basically, everyone involved with blocking spam, or opt-in (real opt-in, like MyPoints) advertising systems got together and talked about the technology. @Home did a big presentation on anti-spam things which happened to include some talking about their policies on people running servers.

    The fact of the matter is that @Home just doesn't enforce the policy. The exec from @Home giving the presentation said very clearly that they don't routinely check for servers (excepting NNTP proxies, since they had that little problem with the UDP this past winter), and they really don't care if people run them as long as they are not causing problems. He defined problems as taking up too much bandwidth, or causing a security problem for @Home itself.

    So I really don't think this is a cause for concern. I doubt they're gonna bother checking for these things (they'd have to sniff the network constantly... VPNs operate on arbitrary ports, and it's not like they can check for a server, since @Home users are gonna be VPN clients (for the most part)).

    -Todd

    --
    "The details of my life are quite inconsequential..."
  85. Is Roblimo confusing VPN's and ip masquerading? by fence · · Score: 2

    Don't blame the original poster for confusing VPN and ip masq, blame Roblimo.

    The op-ed stuff at the end of the story is clearly Roblimo's opinion, not cwilson's opinion.
    --
    Interested in the Colorado Lottery or Powerball games?
    check out http://colotto.com
  86. I'm only going to pay for a pipe... by sjbe · · Score: 2
    I've run into this with our local cablemodem vendor. (Buckeye Cablesystem in this case - unfortunately I can't yet get DSL to my door even though I'm close enough) They want to charge an extra $10 for every extra computer hooked up to their lines. Where do these folks get off thinking they are entitled to this extra money? I'm paying for the pipe to my house, nothing more. If I'm leasing equipment from them (a la cable boxes or NICs) then they can charge me for those but beyond that it is none of their business what I hook up to the pipe. (so long as I'm not doing anything illegal with the connection)

    I've no problem with companies trying to make a buck but this is ridiculous. They are providing no additional benefit but think they are entitled to additional money? Not from me. I'm paying for a pipe, not the right to use my own computers.

    Besides, this is really not enforceable as far as I can tell. If you set things up right, I'm not sure how they could tell if you had such a network or not.

  87. Yes, poster was confused by mojotooth · · Score: 3

    The original poster was indeed confused.

    The reasons for restricting VPN traffic and restricting ip-masq are completely different.

    ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

    They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.

    So don't even sweat it, just ignore this policy.

    --
    -- Mojo Tooth : exploring our world as only an idiot can.
  88. VPN != NAT by sanemind · · Score: 3

    You people are confusing VPN's with NAT!

    Using, say, masquerading for many machines inside your home or business to seem to be coming from the one IP your ISP gives you is NAT (network address translation[I prefer masquerading, it is more descriptive, more obvious to the novice])

    VPN, or (virtual private networking), is when you tunnel IP over something else, so it's sort of like you have a PPP link [across the net] to some other host... and it is usually encrypted so that you can have the effect of a WAN or a dedicated private leased line, but using the public internet infrastructure instead. [Except for cpu lost in crypt [Still much cheaper ;) ]

    --sanemind

    --
    man signature
    the pen is mightier than the sword. the sword is mightier than the court. the court is mightier than the pen.
  89. Forgetaboutit! by dr_strangelove · · Score: 2

    Go ahead and use a VPN to connect whereever you like. Or use a SSH tunnel, as I routinely do.

    All the ISP is going to see is packets with encrypted payloads going back and forth. Tough. Bandwidth is what you are paying for, they can't really complain if you use it.

    If they have the nerve to actually call you on it, ask nastily why they are trying to intercept a private electronic communication without a warrant. Mention the FBI, the FCC and the local cops if necessary.

    Stand your ground. Make the bastards bleed.

    --
    "...they may harpoon us, but they ain't gonna pick us up on no radar screen!"
  90. All Tunnels aren't IPSec by Tor · · Score: 3

    IPSec (protocol 50) is not the only way to establish a VPN. For instance, you can use IP inside IP (Using either the kernel-based 'ipip.o' module, or a user-space ipip driver), or do as I do, create a PPP tunnel inside an SSH connection.

    Here is how:
    • From your machine inside a firewalled LAN (e.g. work), use the following `pppd' options file (under Debian, create it in /etc/ppp/peers, e.g. /etc/ppp/peers/my-home):

      # This link is over a SSH network connection
      pty "ssh -t -enone -C yourhost.home.net /usr/sbin/pppd noauth ipparam 172.16.0.0/16"

      # IP Addresses to use for this link
      192.168.0.1:192.168.0.2

      # Let the remote host start the conversation
      silent

      # We trust each other
      noauth

      # Keep modem up even if connection fails
      persist

      Here, replace 172.16.0.0/16 with your company network. This will be used as argument for the PPP 'if-up' script on your home computer.

    • Make sure the root user on your work machine can SSH to your home machine (as root) without being prompted for password. If necessary, run 'ssh-keygen', and copy the '/root/.ssh/identity.pub' file from work to '/root/.ssh/authorized_keys' at home.

    • At home, create an if-up script, as follows:

      • Under Debian, create /etc/ppp/ip-up.d/vpn
      • Under RedHat, create or add to /etc/ppp/ip-up.local

      The script should contain:

      #!/bin/bash
      ########################################################################
      ### FILE: /etc/ppp/ip-up.d/vpn
      ### PURPOSE: Add routes after bringing up PPP link
      ########################################################################

      ### The following two lines are only needed with RedHat;
      ### Debian supplies these from the master ip-up script.
      ### $6 contains remote network/netmask (e.g. 172.16.0.0/16)
      [ "$PPP_IFACE" ] || PPP_IFACE=$1
      [ "$PPP_IPPARAM" ] || PPP_IPPARAM=$6

      ### Configure the route to the remote network over the PPP link,
      ### accept traffic on it, and masquerade the home LAN out through it
      if [ "$PPP_IPPARAM" ]
      then
          /sbin/route add -net $PPP_IPPARAM dev $PPP_IFACE metric 1
          /sbin/ipchains -I input -j ACCEPT -i $PPP_IFACE
          /sbin/ipchains -I forward -j MASQ -s 192.168.1.0/24 -i $PPP_IFACE
          /sbin/ipchains -I output -j ACCEPT -i $PPP_IFACE
      fi
    • Edit root's crontab on your work machine (crontab -e), to start this PPP link. Under Debian, it will look as follows:

      */20 * * * * netstat -rn | grep -qs ^192.168.0.2 || pon my-home

      (replace 'my-home' with the name of the PPP options file in /etc/ppp/peers).

    Using this, you now have a PPP over SSH tunnel to/from your home. If it breaks, it is immediately brought back up (hence "persist" above); and if too many retries have passed and PPP gives up, a new connection is retried every 20 minutes (or whatever you set the crontab line to).

    Undetectable. :-)

  91. Re:The business world will revolt by PenguinX · · Score: 2

    Agreed, however traditionally all the DSL providers do precisely not what @home has done.

  92. Re:Clarifying the confusion (maybe) by mindstrm · · Score: 2

    ?? IPSec? (perhaps this is what you describe?)
    There are also a half dozen or so private protocols for doing such thing... everything from ppp over ssh, or ssltunnel, or what have you, to UDP versions, to privately encrypted IPIP.

    And the public has to wake up and realize that the internet is more than just 'surfing the web' and email... that it's a data routing service. Other things they offer at higher layers like caches and such are conveniences, and may make their service more appealing, but in the end, they should *NOT* be able to tell you what application layers you can use. PERIOD.
    If they want to cap bandwidth, and charge for bandwidth, that's just fine..but they must not tell me what I can and can't use as far as applications.

  93. Hodwash.. by Thomas+Charron · · Score: 3

    Apparently their lawyers should take some classes on basic WAN networking. You see, the issue here is, according to ComCast:

    OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;

    So basically, you *CANNOT* surf the net. The Net, after all, is basically a WAN connecting many LANs together, and hence, while using the net, you are breaking the service agreement. Personally, I'd sue them like no tomorrow, because they are placing a stipulation in the agreement that disallows the service to be used for what you're actually paying it to do..

    --
    -- I'm the root of all that's evil, but you can call me cookie..
  94. The business world will revolt by PenguinX · · Score: 2

    Seems to me that all people who want to work from home via VPN now are going to have to switch to DSL - darn.

  95. Different NAT Flavors by billstewart · · Score: 2
    NAT comes in several different flavors.
    • Basic Static NAT just translates IP addresses on a 1-1 basis (and does any necessary inside-packet juggling on FTP, etc.), so 111.111.111.111 port P maps to 222.222.222.222 port P. This means it's possible to have both incoming and outgoing connections on defined ports.
    • Fancier static NAT - you can map a whole subnet, so 111.111.111.XXX/24 maps to 222.222.222.XXX/24 with one NAT command.
    • Masquerading does a 1:many, but changes ports - one machine is visible to the outside world, and translates for a bunch of machines behind it, using dynamically assigned ports, so 10.1.1.1 port 222 will get translated to 111.111.111.111 port 61111 this time, and port 62222 next time, and 10.2.2.2 port 333 may be port 61234. The catch is that you can't do incoming connections except to the gateway machine unless you extend the mapping model (e.g. connections to 111.111.111.111 port 25 will only go to one place, and the system isn't designed to let you map incoming 62222 to 10.2.2.2 port 80, though Open Source means you could do it if you really wanted to.)
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
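Editor's note, an added example that is not from the poster above: a toy translation table for the three NAT flavours just described, so the difference in what can come back in is visible in code. The subnet addresses are the ones the comment uses; the gateway address, the remote hosts and the sequential port allocation are made up, and the 61000 port range is an assumption about the Linux 2.2 masquerading default.

```python
# Added example (not from the thread): static 1:1 / subnet NAT versus masquerading.
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


class StaticNat:
    """Fixed mapping of a whole subnet: inside host X becomes outside host X, ports unchanged.

    A /32 on both sides is the basic static case; a /24 is the 'fancier' subnet case.
    Because nothing is dynamic, an inbound connection to any port finds its inside host.
    """

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("inside and outside subnets must be the same size")

    @staticmethod
    def _shift(addr: str, src, dst) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in src:
            raise ValueError(f"{addr} is not in {src}")
        offset = int(ip) - int(src.network_address)
        return str(dst.network_address + offset)

    def outbound(self, src: Endpoint) -> Endpoint:
        return (self._shift(src[0], self.inside, self.outside), src[1])

    def inbound(self, dst: Endpoint) -> Endpoint:
        return (self._shift(dst[0], self.outside, self.inside), dst[1])


class Masquerade:
    """1:many NAT: every inside connection is rewritten to the gateway address plus a
    dynamically allocated port; only replies to an existing mapping can come back in."""

    def __init__(self, gateway: str, port_low: int = 61000, port_high: int = 65095):
        self.gateway = gateway
        self.next_port = port_low            # assumption: sequential allocation from 61000
        self.port_high = port_high
        # outside port -> (inside addr, inside port, remote endpoint), and the reverse
        self.by_port: Dict[int, Tuple[str, int, Endpoint]] = {}
        self.by_conn: Dict[Tuple[str, int, Endpoint], int] = {}

    def outbound(self, src: Endpoint, remote: Endpoint) -> Endpoint:
        key = (src[0], src[1], remote)
        port = self.by_conn.get(key)
        if port is None:                      # new connection: allocate the next free port
            if self.next_port > self.port_high:
                raise RuntimeError("masquerade port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.by_conn[key] = port
            self.by_port[port] = key
        return (self.gateway, port)

    def inbound(self, dst_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Map a packet arriving at the gateway back to an inside host, or None.

        None is the case the comment describes: an unsolicited connection to, say,
        port 25 has no mapping, so it can only be for the gateway itself (or be dropped).
        """
        entry = self.by_port.get(dst_port)
        if entry is None or entry[2] != remote:
            return None
        return (entry[0], entry[1])


if __name__ == "__main__":
    nat = StaticNat("111.111.111.0/24", "222.222.222.0/24")
    print(nat.outbound(("111.111.111.5", 80)), nat.inbound(("222.222.222.5", 22)))
    masq = Masquerade("111.111.111.111")
    print(masq.outbound(("10.1.1.1", 222), ("198.51.100.1", 80)))
    print(masq.outbound(("10.2.2.2", 333), ("198.51.100.1", 80)))
    print(masq.inbound(61001, ("198.51.100.1", 80)), masq.inbound(25, ("198.51.100.9", 4000)))
```

The static object answers inbound lookups for any port; the masquerade object answers only for ports it handed out, to the remote it handed them out for, which is why 'port 25 will only go to one place' unless you bolt on the explicit port-forwarding the comment says the model lacks.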
  96. A home network is not a VPN! by StenD · · Score: 2

    The Comcast subscriber agreement already banned connecting a home LAN to the cable modem. A VPN allows your home system to appear to be part of private WAN across the public Internet. In reality, this change doesn't take anything away, as connecting to a non-Comcast WAN was already prohibited, but this makes it an explicit statement for people like Roblimbo who don't know what makes a LAN, a WAN, and a VPN different.

  97. Re:Here's a hypothetical situation... by MikeBabcock · · Score: 2

    I hear these silly arguments constantly. As a person who sells services, it is very difficult to price them for consumers. I offer computer training. If you're a business, the going rate is over $75/hr. Am I going to charge a small family of 4 $75 for an hour's Internet training? How about installing a modem for them? Not a chance. How do I justify the pricing difference? By making good-faith deals with people, that's how.

    @Home has a service they want to sell, and they're selling it really close to their break-even point. My $42.75 (CAN)/mo is pretty cheap for the 1.5 or so megabits I get (quite often). Where do they make up their margins? By charging more to businesses. Why? To make real money at all. As someone in business, I can understand perfectly.

    @Home simply takes a certain set of services and says 'off limits' to non-business clients so they have something to sell to business clients. They can tell businesses "You're allowed to host a VPN on our network!" and not have the business retort "but I can do that at home for $40".

    --
    - Michael T. Babcock (Yes, I blog)
  98. Re:Yes! And they should be!!! by Skapare · · Score: 2

    Specific contracts (which are nothing more than attempts to stifle usage) aside, there is nothing wrong with using the bandwidth you pay for for any purpose you want. If I want to exchange random numbers with a friend, it should be no business of the upstream provider. If those computers doing the exchange are deeper in LANs, that doesn't change anything. If those computers are dialed up to my LAN's dialup server, again, it's none of their business. If I get paid for that bandwidth, either more or less than I pay for it, it is still none of their business.

    I'm buying BANDWIDTH and a (dynamic) IP address to use it with. Any company wanting to offer less than that is offering less than Internet service. Any contract establishing that is a contract to deny service.

    --
    now we need to go OSS in diesel cars
  99. Make your own by MrEd · · Score: 3
    You don't need to shell out for a router! Make your own!

    I'm in the Kingston area, on COGEGO@Home, living in a student house. We have six computers sharing a cable modem connection using a Linux box running the Linux Router Project. Very nice. It has no HD, no fan, and does its job quietly and well. A hub and two shitty network cards were all we had to buy.

    The cable guys who installed the modem were very understanding about it too... I pretended that my computer was the only one being connected, but strangely enough they ended up leaving behind enough free coax cable so that we could run it into the closet... :)

    Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.

    And, @Home sucks. Is ADSL any better?

    --

    Wah!

  100. How would they know... by Shotgun · · Score: 2

    what you are using, unless they are snooping your traffic? If all they are doing is pushing packets then how do they know what those packets contain? Could this clause be safely ignored? If they threaten to cut service because you're running NAT or VPN, then you can sue them for 'breaking and entering' your property. (Remember, the lawyers are claiming that information is property.)

    What happens if the USPS starts deciding that they want to open and read all the mail?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  101. Noooo!!!! by robl · · Score: 2

    resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or unbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or

    See, you *ARE* prohibited from using a vpn.

  102. Re:ISP Monopoly by Skapare · · Score: 2

    Build your own cable monopoly.

    --
    now we need to go OSS in diesel cars
  103. Stealing addresses is technically bad. by billstewart · · Score: 3
    OK, so you've been lucky so far recycling a DHCP address you got once as if it were a static address. That's because most of the machines in your DHCP domain keep renewing the same addresses. But as long as you don't have your machine configured for DHCP, it won't go periodically renewing the lease, so there's a risk that the next time there's a new customer on your block or an existing customer adds a new machine, the DHCP server may give the address you're squatting to them. Then there will be a "two machines trying to use the same IP address" conflict, and if they've got any competence at debugging, they will hunt you down like a dog. Be a good neighbor and go back to using IPmasq or equivalent.

    Bandwidth and transfer limit checking - some cable systems are equipped for it, some aren't, some have rate-limiting hardware, some don't. To a certain extent, the obnoxious acceptable use policies against anything resembling a server are to make up for the lack of bandwidth-limiter equipment and accounting systems - otherwise they'd be happy to bill you for it, just like the other part of the cable system is happy to bill you for pay-per-view. Gradually they'll get newer equipment deployed, especially as they roll out DOCSIS, but it'll take a while to get obnoxious policies changed.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
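The lease-expiry race Bill describes, as a small simulation. This is an added example, not the poster's code: the pool class, the `squatting_scenario` helper and the timeline are made up here, and the addresses are RFC 5737 documentation values. It shows what happens to a host that stops renewing and keeps its old address, first with a server that blindly re-issues expired addresses and then with one that probes an address before handing it out (as some DHCP servers do).

```python
"""Toy DHCP pool: a squatter keeps a once-leased address without renewing;
a newcomer arrives after the lease has expired. Added example, not from
the original post. RFC 5737 addresses; times are seconds."""
from typing import Callable, Dict, List, Optional, Tuple


class DhcpPool:
    def __init__(self, addresses: List[str], lease_time: int) -> None:
        self.free = list(addresses)
        self.lease_time = lease_time
        self.leases: Dict[str, Tuple[str, int]] = {}   # ip -> (client, expiry)
        self.abandoned: List[str] = []                 # failed the conflict probe

    def _expire(self, now: int) -> None:
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]
                self.free.append(ip)

    def request(self, client: str, now: int,
                probe: Optional[Callable[[str], bool]] = None) -> Optional[str]:
        """Renew the client's lease if it has one, else allocate a free address.
        `probe(ip)` returns True when something already answers on that
        address (what a server's pre-offer ARP/ICMP conflict check does)."""
        self._expire(now)
        for ip, (owner, _) in self.leases.items():
            if owner == client:
                self.leases[ip] = (client, now + self.lease_time)
                return ip
        while self.free:
            ip = self.free.pop(0)
            if probe is not None and probe(ip):
                self.abandoned.append(ip)   # someone we never leased it to is using it
                continue
            self.leases[ip] = (client, now + self.lease_time)
            return ip
        return None


def squatting_scenario(conflict_detection: bool) -> Tuple[str, Optional[str], bool]:
    """Returns (squatter's address, newcomer's address, collision?)."""
    pool = DhcpPool(["192.0.2.100", "192.0.2.101"], lease_time=86400)
    squatter_ip = pool.request("squatter", now=0)
    still_answering = {squatter_ip}        # squatter goes static and never renews
    pool.request("neighbour", now=0)       # a well-behaved DHCP client...
    for t in (43200, 100000):              # ...renews before its lease runs out
        pool.request("neighbour", now=t)
    probe = (lambda ip: ip in still_answering) if conflict_detection else None
    newcomer_ip = pool.request("newcomer", now=172800, probe=probe)
    return squatter_ip, newcomer_ip, newcomer_ip == squatter_ip
```

Without conflict detection the newcomer is handed the squatter's address and the two machines collide; with it, the server refuses to reuse the address but the newcomer gets nothing at all, because the squatter has quietly removed one address from the pool. Either way the squatter is the one at fault.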
  104. According to Comcast by ahappli · · Score: 2

    I just got off the phone, what the Comcast rep told me is that, you can VPN into your work, but they don't want you to use the Comcast@Home service to run a business off of. They would rather you use the Comcast@Work service if you are going to operate a home based business. Which makes sense (at least to me). So I can still push my users at work to get Comcast@Home, and then VPN into work if they want or need to work from home.

    Now I just wish I could work from home too.

  105. IPSec is the standard. by maynard · · Score: 2

    Sure you can. But who else (except a few Linux users) cares? With IPSec I can implement either a Transport Mode or Tunnel Mode connection between Linux hosts running FreeS/WAN, OpenBSD/FreeBSD IPSec (don't know about NetBSD), Win2K and NT (using PGPNet), many CISCO (among other vendor) routers, and even MacOS X (I understand). So, it's nice that you can circumvent a stupid ISP policy which prevents protocol 50 between the hosts you use, but the rest of the world has already chosen IPSec as the standard Tunnel(VPN)/Transport Mode IP level encryption standard. This policy will prevent sane IP level encryption for many services beyond just employees logging into work from home.

    Hell, with Transport Mode IPSec one could securely telnet to a remote host WITHOUT ANY CLIENT MODIFICATIONS or end user re-training. The same is true for web connections... no more SSL negotiations and key certification nonsense for the web, ssh and config files for secure telnet, some new "secure" protocol for ftp, etc etc etc, all handled with different configurations, incompatible key management protocols, and separate encryption libs... this should all be standardized under the hood at the IP level for the sake of consistency alone; (consistency increases security by reducing unnecessary complexity). @Home just made a colossally stupid blunder here... which will come back to bite them in the ass.

  106. Here's a hypothetical situation... by cr0sh · · Score: 3

    @Home is prohibiting VPNs, and obviously wants to relegate you setting one up as a business thing, as an @Work option. I.e., they want you to pay more...

    How long do they think this can last? I can imagine a normal family, in the very near future, who want to share all the resources of their family network, via VPN connections. Maybe mom and dad have @Home, the son is in college, lives off-campus and has @Home, the daughter and new husband lives across town and has @Home, and maybe the family (the mom and dad) also own a cabin by the lake, and they get @Home there as well.

    They want to share their files, so they each set up a fileserver, at each node: at mom and dad's, the son in his apartment, as well as the daughter (and husband). After setting these fileservers up, they probably want to access (and share) files anywhere in the network - their personal, home-use only files, nothing business related. They each are paying for their IPs. The only way to let them do what they want, securely, is via VPN connections, right? What if mom wants to print a recipe for her daughter? She could email it, or print it through the VPN connected printer at her daughter's house. Or maybe they want to set up a VPN'd family recipe book (of course, accessed via a mod'ed i-Opener in the kitchen)? Or maybe they want to setup a private family email "ring", or "list" (wedding announcements, family get-togethers, etc)? Here's an angle: What about those MP3s (of CDs they own, of course) stored on the home server, that the family wants to stream to the cabin, while on vacation (this is fair use, right - or at least, domain shifting)?

    @Home doesn't get it - they really don't get broadband, and the possibilities it opens for the sharing of data amongst people (or maybe they do, and are running scared, perhaps?). This hypothetical VPN use I've outlined doesn't warrant an @Work setup - it is a private VPN.

    If it isn't happening already, it will - private VPNs will be the next "thing" in private home networking - and @Home is shooting themselves in the foot for disallowing this...

    I wish @Home would just give us the pipe, and let US decide what to do with it!

    I support the EFF - do you?

    --
    Reason is the Path to God - Anon
  107. ADSL isn't even _available_. by yerricde · · Score: 2

    DSL users have to live practically next door (within 12,000 ft) to the local telephone monopoly. What other broadband Internet access choice is there other than the local cable monopoly?

    --
    Will I retire or break 10K?
  108. VPN != PCAnywhere, ssh by Gothmolly · · Score: 2

    And what ports do they look at anyway? Probably the stupid 1723 port. Either that or they block Protocol 47 somehow. Either way, just run ssh and tunnel everything over that, or use the encryption options in PCAnywhere. Problem solved.

    --
    I want to delete my account but Slashdot doesn't allow it.
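Shotgun asks how they would know, maynard says the policy amounts to blocking protocol 50, and Gothmolly guesses they look at TCP 1723 or protocol 47 and suggests tunnelling over ssh instead. Here is what such a filter actually has to look at, as an added example that is not from any of these posts: a header-only classifier over raw IPv4 packets. The protocol and port numbers are the standard IANA assignments (ESP 50, AH 51, GRE 47 for PPTP's data channel, PPTP control on TCP 1723, IKE on UDP 500; UDP 4500 is the later IPsec NAT-traversal port), and the sample packets are constructed inline with RFC 5737 addresses. No payload is decrypted or even read, which is the answer to "how would they know".

```python
"""Header-level classifier for the VPN signatures discussed in the thread.
Added example, not from the posts. Protocol/port numbers are IANA
assignments; sample traffic is constructed, not captured."""
import struct
from typing import Dict

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
VPN_LABELS = {"ipsec-esp", "ipsec-ah", "gre", "pptp-control", "ike", "ipsec-nat-t"}


def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload


def build_tcp(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt: bytes) -> str:
    """Label a packet from its IP protocol number and, for TCP/UDP, its ports.
    Only headers are inspected; the (encrypted) payload is never read."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return "ipsec-esp"
    if proto == IPPROTO_AH:
        return "ipsec-ah"
    if proto == IPPROTO_GRE:
        return "gre"              # PPTP data channel
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(body) < 4:
            return "truncated"
        ports = struct.unpack("!HH", body[:4])
        if proto == IPPROTO_TCP and 1723 in ports:
            return "pptp-control"
        if proto == IPPROTO_UDP and 500 in ports:
            return "ike"
        if proto == IPPROTO_UDP and 4500 in ports:
            return "ipsec-nat-t"
        return "tcp" if proto == IPPROTO_TCP else "udp"
    return "ip-proto-%d" % proto


def would_be_blocked(pkt: bytes) -> bool:
    """The crude protocol/port policy the posts describe."""
    return classify(pkt) in VPN_LABELS


def demo() -> Dict[str, str]:
    """Constructed sample traffic from a home host to a work gateway."""
    home, work = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])
    samples = {
        "ipsec esp":  build_ipv4(IPPROTO_ESP, home, work, b"\x00" * 16),
        "pptp setup": build_ipv4(IPPROTO_TCP, home, work, build_tcp(40000, 1723)),
        "pptp data":  build_ipv4(IPPROTO_GRE, home, work, b"\x30\x01\x88\x0b"),
        "ike":        build_ipv4(IPPROTO_UDP, home, work, build_udp(500, 500)),
        "ssh tunnel": build_ipv4(IPPROTO_TCP, home, work, build_tcp(40001, 22)),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}
```

Run `demo()` and the IPsec, IKE and both PPTP channels come back with labels the policy would block, while the ssh tunnel is just "tcp" to port 22, indistinguishable at this layer from an ordinary ssh login. That is exactly why Gothmolly's workaround works against a port/protocol filter, and also why a provider that really wanted to enforce the clause would need something beyond header matching, at which point Shotgun's objection about snooping applies in full.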