Slashdot Mirror


@Home Stops Allowing VPNs

cwilson writes: "I just got a message from my cable modem provider, Comcast@Home (a member of the Excite@Home network) that the terms of service were being changed. The interesting bit: Section 6. Prohibited Uses of the Service. This section specifies that use of the Service in conjunction with a VPN (Virtual Private Network) or a VPN Tunneling Protocol is a prohibited use of the Service. See for yourself here in section 6." Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah! Update: 08/14 14:16 by michael : Yes, Robin confused NAT and VPN. TLA's are a PIA.

9 of 517 comments

  1. Detecting VPNs (shutting off SSL POP3 and SMTP?) by satch89450 · · Score: 4

    I suspect that @Home will now start monitoring connections for encryption (think SSL and TLS), then look at traffic patterns to determine whether it's a secure Web browser or "something else". That means that you might be shut off for using SSL-encapsulated FTP or SSL-encapsulated SMTP (for secure mail transfer). Indeed, I can see where people regularly using PGP encryption on mail content may get a little note from the company.

    Hmmm...there is very little difference between a VPN and SSL encrypted services. Could it be that we are seeing something caused by the FBI demands to snoop on mail? A VPN is one way to block Carnivore and ISP monitoring from capturing e-mail traffic. Another way is to use STARTTLS-enabled mail clients to talk directly to STARTTLS-enabled mail transfer agents.

    Perhaps it isn't just a bid for money...but then again, I admit I'm paranoid.

  2. Re:Read the entire agreement!!! by mikpos · · Score: 4
    The part about "reselling" is completely orthogonal to the part of VPNs. Here's what you want:

    without limiting the generality of the foregoing, the service is for personal and non-commercial use only and [the] customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol;

    That said, it's probably wise to just ignore the policy. I would suspect fully 100% of @home subscribers are breaking at least two of the rules mentioned there; if they're not, they're wasting their money. It seems that @home (at least in my part of the world) only gets annoyed when you start using up obscene amounts of bandwidth (e.g. around 1GB/day regularly/constantly).

  3. Re:data security by nellardo · · Score: 4
    The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections.
    Even this doesn't make much sense to me. If they start sniffing everything, they open themselves up to huge liability problems (of course, they can and do hire lots of lawyers to deal with this). It's the difference between being a common carrier like a telco (who is not responsible for what is said over their wires) and a newspaper (who is responsible for everything said in their pages). Slashdot skims this line - Slashdot is liable for the stories, but not for the comments (since they never get deleted or edited, Slashdot can reasonably claim common carrier status) (ObDisclaimer - I ain't no steeekin' Lawyer)
    The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth....
    No, I think they have higher rates for @Work. If you can't put a LAN on @Home, you can't really use it in a business environment. So you're forced to use the more expensive commercial service, rather than the residential one. In some sense, this is a very crude way of doing usage-based metering (about as much as minimum age requirements "guarantee" responsibility in drinking, smoking, voting, or driving). IMNSHO, these kinds of policies are going to eventually change as home networks become more and more prevalent. No one will sit still for paying more for a cable modem connection just because their "set-top box" happens to be made by Sony and thus has a 1394 connection that happens to be capable of running TCP/IP. I mean, really. That would be like charging someone different phone rates based on having a y-jack for their phone.

    --
    -----
    Klactovedestene!

  4. Comcast Clarification of VPN by rc-flyer · · Score: 5

    I sent them a question asking for clarification about the VPN paragraph. This is their reply:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

    --
    -- Error: Cannot find file REALITY.SYS - Universe halted, please reboot!

  5. Re:VPN is a strange thing to forbid by cwilson · · Score: 5
    I never assumed that "it means creating a home network". I know the difference between NAT and VPN. Roblimo deleted my commentary on the news and added his own, and forgot to put closing quotation marks to end my part of the story. Roblimo said,
    Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah!
    So, blame Roblimo, NOT me, for the ensuing confusion in almost EVERY BLASTED message in this thread, where people are mixing up NAT and VPN. My original commentary was something along the lines of
    What possible reason could Comcast have for disallowing this service? Are they just trying to insist on being able to snoop on my traffic, and don't want any encryption? What's next -- no outgoing ssh client connections to external ssh servers? GASP: Could ssh itself be considered a VPN Tunneling Protocol?
    That's not a completely accurate quotation of my original comments; I can't seem to access my story as originally posted, but Roblimo probably can. Anyway, that's about what I was thinking when I wrote it. FWIW, here is the email I sent to my provider last night:

    While most of the revisions specified seem reasonable, I would like to know your rationale for the apparently arbitrary decision to disallow the use of VPN Tunneling Protocol. While I do not currently use a VPN, I have always considered the *possibility* of hooking up to my company's VPN one of the main benefits of a fast, always-on connection.

    WHY are you disallowing this use of the service for which I am paying? Is it because you don't like it when your customers encrypt their packets? For the life of me, I can't imagine what possible detriment VPN could have on your infrastructure or other users.

  6. Detecting IPSec is easy by maynard · · Score: 4
    The reasons for restricting VPN traffic and restricting ip-masq are completely different.

    ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

    They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.
    You're absolutely right that the reason for this is to charge extra for "business" uses of the connection. However, detecting IPSec is a snap. All they need do is enact a filter for protocol 50 in the IP header of any inbound or outbound packet and discard. Bye bye IPSec connection.

    This is a terrible precedent because long term it prevents the use of ubiquitous point-point Transport Mode IPSec, which is the whole point behind the IPSec standard. Sure, it's neat to make tunnels to work, but in the long term the IPSec community wants to create a mechanism to secure ALL IP traffic. This blows that goal right out of the water.

    Also, are they going to start limiting SSH service to my employer? Can I telnet to my employer? Where do they draw the line between "personal use" and "business use"? If my cable modem provider pulls these tricks they'll lose a customer.
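
The protocol-number check described in comment 6, as an added example that is not part of the original thread: it reads the protocol field of an IPv4 header and reports ESP (50) and, going beyond the comment, AH (51), the other IPsec protocol, along with the cleartext SPI that stays visible even though the payload is encrypted. The packets, addresses and SPI values are constructed samples, and `build_ipv4` and `inspect` are names chosen for this example.

```python
import socket
import struct

# IANA IP protocol numbers for the two IPsec protocols.
IPSEC_PROTOCOLS = {50: "ESP", 51: "AH"}
MALFORMED = ("malformed", None)


def build_ipv4(protocol, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a constructed sample packet: 20-byte IPv4 header plus payload.
    The header checksum is left at 0 because inspect() does not verify it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def inspect(packet):
    """Return (label, spi): label is 'ESP', 'AH', 'other' or 'malformed'."""
    if len(packet) < 20:
        return MALFORMED
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return MALFORMED
    name = IPSEC_PROTOCOLS.get(packet[9])  # byte 9 is the protocol field
    if name is None:
        return ("other", None)
    # Non-first fragments carry no ESP/AH header, so no SPI can be read.
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF:
        return (name, None)
    # ESP starts with the SPI; AH has 4 bytes (next header, length,
    # reserved) before it.
    spi_offset = ihl + (0 if name == "ESP" else 4)
    if len(packet) < spi_offset + 4:
        return MALFORMED
    (spi,) = struct.unpack_from("!I", packet, spi_offset)
    return (name, spi)


if __name__ == "__main__":
    samples = {
        "esp": build_ipv4(50, struct.pack("!II", 0x1234, 1) + b"\x00" * 16),
        "ah": build_ipv4(51, struct.pack("!BBHII", 6, 4, 0, 0xBEEF, 1)),
        "tcp": build_ipv4(6, b"\x00" * 20),
        "truncated": b"\x45\x00",
    }
    for label, pkt in samples.items():
        print(label, inspect(pkt))
```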

  7. Are you confusing VPN's and ip masquerading? by Hairy_Potter · · Score: 5

    I thought a VPN was a simulated private network across the internet, which I supposed you could use to connect two of your computers, but only if they were physically far apart, using a VPN to connect two computers in the same room sounds insane.

    Perhaps you meant to mention the previous clause in the contract, where they prohibit you from being an endpoint for a lan, which is what you need to do if you're sharing an internet connection with IP masquerading.

  8. Looks to be Comcast, not @home doing this by RocketJeff · · Score: 4

    I was interested in hearing about this since I use AT&T/@Home. It appears that this is only the Comcast user agreement and not the @Home agreement.
    Remember, Comcast (and AT&T) use @Home services and can set their own user agreements separate from @Home.
    Looks like Comcast sucks, but not all @Home providers are quite this bad.

  9. Download Porn Faster! (TM) by coyote-san · · Score: 4

    Not every area has both @Home and @Work. My area (Boulder, Colo) just got it a few weeks ago, and we only have @Home with "casual, residential use" guarantees. Reading between the lines: I can't complain if I can't telecommute because the system is down for hours while they continue rebuilding the system.

    As for the telecommuting issue - I read my @Home AUP, and I actually kicked out the US Worst DSL for non-performance, and I understand that both organizations strongly downplay the telecommuting aspect because they don't want to catch the flak when people can't work. Worse, a particularly clueless drone once suggested that I "just go into the office" those days when the connection is flaky, not comprehending that as an independent consultant my home *is* my office on some projects.

    The fastest way to change this attitude, in my experience, is to ask them if they think the sole reason people order this service is so they can download porn faster. (Esp. since the TV ads always show someone downloading images on a web browser, not downloading source tarballs.) This always seems to force them to reevaluate what's left after they make life unbearable for independent workers and telecommuters.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken