VPN Clients Not Allowed On Residential Service
wayn3 writes "ComputerWorld reports here that two of the major cable companies have language in their terms of service that VPN clients are forbidden for "residential" class, forcing clients on their "business" offering which is at twice or more times the cost of residential service.
Has anyone been bit by this, and do those companies consider SSH a VPN client? This would stop me from telecommuting since my company would not be able to afford the business service."
I mean, you're using the connection for business purposes, you should be willing to pay for that. If your company can't afford it, then tough. It's not rocket science. Not only that, if you require 24-7 availability of your systems, you can always install a modem or two and connect that way.
If you require internet access for work, then you get a work account. If you require it for home, then it's a home account.
Hell, if you work from home, get the damn work account, then deduct the cost from your income taxes.
The obvious question is "what classifies as a VPN?" A VPN is a Virtual Private Network which usually is constructed using a secure IP layer such as IPsec. While it is easy to scan for IPsec usage (it has its own protocol number - even as TCP and UDP have), it is much harder to scan for other types of VPN solutions.
Even encrypted HTTP, HTTPS, can be used to build a VPN-similar type of thing (think "VNC"). Since HTTPS is used to encrypt on-line banking traffic, e-commerce sites and such, they cannot just stop everyone from using HTTPS.
Furthermore, since the data (by definition) is encrypted, it is impossible to peek at the data to determine if a data stream is "a VPN" or just some other HTTPS transfer.
The conclusion is that they will have huge problems trying to enforce this.
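The distinction drawn in the comment above, as an added example that is not part of the original thread: a header-only classifier that labels IPsec and GRE by IP protocol number but can say nothing more about TCP 443 than "TLS". The protocol and port numbers are the standard IANA assignments; the function names and the packets (built inline with documentation-range addresses) are constructed for illustration.

```python
import struct
from collections import Counter

# IANA-assigned IP protocol numbers and well-known ports (not taken from the thread).
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
TUNNEL_PROTOCOLS = {PROTO_GRE: "GRE", PROTO_ESP: "IPsec ESP", PROTO_AH: "IPsec AH"}
TUNNEL_UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T"}
TUNNEL_TCP_PORTS = {1723: "PPTP control"}


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet from header fields only (no payload inspection)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    proto = packet[9]
    # The protocol field is present in every fragment, so this check never misses.
    if proto in TUNNEL_PROTOCOLS:
        return "tunnel:" + TUNNEL_PROTOCOLS[proto]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return "other"
    if flags_frag & 0x1FFF:
        return "opaque:fragment"              # non-first fragment carries no ports
    if len(packet) < ihl + 4:
        return "malformed"                    # truncated before the port fields
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    table = TUNNEL_UDP_PORTS if proto == PROTO_UDP else TUNNEL_TCP_PORTS
    for port in (dport, sport):
        if port in table:
            return "tunnel:" + table[port]
    if proto == PROTO_TCP and 443 in (sport, dport):
        # Banking, shopping or a tunnel carried over HTTPS all look like this.
        return "opaque:tls"
    return "other"


def build_ipv4(proto, payload=b"", frag_offset=0, options=b""):
    """Constructed test packet: checksum left at zero, addresses from RFC 5737."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0, frag_offset & 0x1FFF,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options + payload


def ports(sport, dport):
    return struct.pack("!HH", sport, dport) + b"\x00" * 4


# Constructed sample traffic, one packet per case.
SAMPLES = [
    build_ipv4(PROTO_ESP, b"\x00" * 16),
    build_ipv4(PROTO_GRE, b"\x00" * 8),
    build_ipv4(PROTO_UDP, ports(500, 500)),
    build_ipv4(PROTO_TCP, ports(49152, 443)),
    build_ipv4(PROTO_TCP, ports(49153, 443), options=b"\x01" * 4),  # IP options shift the ports
    build_ipv4(PROTO_UDP, b"\x00" * 8, frag_offset=185),
    build_ipv4(PROTO_TCP, ports(49154, 80)),
]


def tally(packets):
    """Count labels over a capture."""
    return Counter(classify(p) for p in packets)


if __name__ == "__main__":
    for label, count in sorted(tally(SAMPLES).items()):
        print(f"{count:3d}  {label}")
```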
Girard said cable business-class service "is not any better than residential, yet they charge you more."
Imagine your phone company doubling your bill because they analysed your calls and decided you made a call to the office!!
I buy bandwidth. What I do with the bandwidth is nobody's business (obvious exceptions included..)
Backward compatibility is over-rated
What if I'm not using a VPN but just doing research on the web for work? Are the cable companies gonna stipulate that you can't do anything for a business from home, even browsing the web?
--"Karma is justice without the satisfaction"
Their TOS are terrible, and getting worse every rev. They have always had a 'no servers for the use of others' policy, and I've always run sshd because it's a server for my own use. On the last rev they disallowed 'any servers at all', which I didn't take seriously because IRC is broken without ident. Besides, technically ICMP could be considered both client and server, and the whole freakin' net is broken without it. Finally, my sshd is for my use only, and is configured and firewalled that way.
Also on the last TOS update they disallowed sucking feeds on their mostly-broken newsservers. They really don't know what they're doing, because in the grand scheme of things, they're just pushing those people to a sucking feed on an external newsserver, and eating their head-end bandwidth. Besides, an off-hours sucking feed would probably be more benign, and I'd be happy to adjust my cron setup to cooperate.
AFAIK they have no anti-VPN wording in their TOS, but IMHO that's only because they aren't clued in to its existence to forbid it.
IMHO, Adelphia wants to be in the 'TV for your computer' business.
The living have better things to do than to continue hating the dead.
I can. I have family in the area, some with broadband of various kinds. If we shared files more (which will probably happen in the future), it would be nice if we could be hooked up on a VPN so we could just drag and drop to various locations, rather than emailing. It would be simpler and it would take up less bandwidth (one copy vs one upload + one download).
Hate trolls? Troll 'em back...at home!
As long as people are complacent and accept these kinds of bully tactics from their providers, they really have no standing to complain about it later. Don't like the fact that your cable company wants to be your net.babysitter, and tell you what you can or can't do on the Internet?
Well, rewarding this kind of arrogant big-brother attitude by giving them even MORE money for business-class service is certainly going to encourage a change for the better, wouldn't it? Or, perhaps, you should tell them to shove their port filters, and their DHCP garbage, up their network interface, and switch to someone else who does indeed provide real internet connectivity.
People really need to vote with their feet, and stop agreeing to put on their Internet provider's straightjackets. There are ISPs who will sell you a residential class DSL service, with a static IP address, and let you run servers. That's real Internet connectivity.
to determine if you're using a VPN client, you can always implement something like this.
Hey, it's HTTP based, so how would they tell the difference?
What ? Me, worry ?
"This would stop me from telecommuting since my company would not be able to afford the business service."
If you are TELECOMMUTING then you ARE a business customer. The only difference is that you aren't PAYING as a business customer.
Everyone can argue about if there should be different "classes" of service, but that is the business structure the Providers have chosen.
There will be people posting here "I use VPN but not for business." With those people I agree: Simply claiming that using VPN makes you a "business" customer is unfair.
But in the case where you ARE using the service as a business but want to only get charged the residential rate:
Quit your whining and stop being cheap
A business has the right to charge you the rates they see as fair and you have the right to not use their convenient service and start driving to work.
---"What did I say that sounded like 'Tell me about your day?'"---
Here's the point: Business usage (phone, cable, whatever) CAN be more costly to the provider because these users will scream louder and demand quicker restoration of service when something goes wrong (line failure due to snowstorm, flooding, you name it). They also threaten to sue for lost business revenues due to the company's failure to restore said service in what they think is a timely manner. Residential customers don't bring that baggage.
So, they don't really care if you USE the line for business, because you won't be able to file suit as in the case above -- according to the TOS you weren't supposed to be using it for that purpose anyway. BUT, if you want them to treat your service as an essential component of running your business, you have to pay business rates...which is not wholly unfair IMHO.
It's not funny till someone gets hurt.
I investigated Comcast cable a while back, as I'm out of range for DSL. Their terms of service were, in a word, unacceptable.
I suspect that you could get away with practically anything as long as nobody complained and you didn't generate too much traffic.
Oh, as to their "business solution"? DSL. Not an option. Near as I can tell, there is no such thing as "business class cable" Internet.
No high-speed internet for me. Sigh.
Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.
They've all but said that outright. They don't sell bandwidth. They sell a high speed web surfing experience.
This should no longer surprise anybody here. Let's get over it.
My Heart Is A Flower
that has been there from day one. Excite is the ones forcing the issue and always have. Look at AT&T's TOS now that they sluffed off the leeches called excite. servers allowed, linux specifically mentioned and unofficially supported (as in they'll tell you the ip information instead of saying it all has to be dhcp or we'll kill you or the funny, the dns servers ip address is proprietary information I can't tell you.)
I'm sure comcast and cox will get a clue when they also fling excite the bird later next year.
Do not look at laser with remaining good eye.
Why should that matter? Do you pay more for bus/train/toll because you are going to work, instead of to the movies?
You should pay for the service you're getting: bandwidth, IP address and quality of service. What you do with it is none of the ISP's business.
...richie - It is a good day to code.
The choice is not using a different company. The decision is use broadband from THE company servicing your community under THEIR terms or revert to dial-up service.
*IF* you're lucky, you can "choose" between the monopoly cable company's service and the monopoly phone company's service. If you are REALLY lucky, you can get DSL from a CLEC or COVAD reseller. If you are insanely fortunate, you can get wireless service or your buddy next door has a T-1 you can tap into.
I live a few miles from AOL, mci/worldcom/uunet, and many other MAJOR data centers. Yet *my* choices are: Cable modem, overpriced IDSL service, ISDN, or modem. People living in spitting distance of the main MCI center can't even get my limited selection.
There is no choice, the broadband providers are well aware of that fact, and they are determined to keep it that way.
Plus they recently added a nationwide dialup service. 10 hours / month for free, 99 cents an hour after that. In the past year I've had only three memorable outages and one was at 1am.
Does this make me sound like Scott Case's bitch or what?
Let me get this straight, the company pays you enough that you can in turn pay $X for the service but they "can't afford" to additionally pay $X themselves (to make up the difference to the $2X price of business-class)? BS. Either you are exaggerating or the company is lying to you--they just don't want to pay for it.
I work for a large (3000+ people) company in the Philadelphia region. The company currently supports telecommuting with broadband through VPN. Currently, they pay $39.95 per month for connectivity, plus $30 per month for outsourced broadband routers/firewalls. (The latter part I think is stupid, but I digress.) So for each person telecommuting, they pay roughly $70 per month.
Now, increase that highspeed access from $39.95 to $95.00, and they would have to pay roughly $125 per month per person. If only 300 out of the 3000 people here telecommute, that's a cost of $37,500 a month, or $450,000 a year just for broadband users. At the previous price, it would be roughly $252,000 per year. Almost 200k more. That's a lot of money to just "find" in your budget. So what happens? Comcast loses money because my company suspends all high-speed telecommuting. So now instead of getting their extra 200k a year, they get nothing, and the people who benefited from telecommuting no longer can.
You know, if Comcast wanted all these people/companies to shell out $50 more per month, the LEAST they could do is remove that 128kbps upstream cap they enforce for business accounts. It's really annoying to transfer large files to work or VPN to a server when you can't send out over 15K/sec, peak.
>What exactly classifies as business use
I'll say that when the service goes out for an hour, and you say "shoot, guess I'll go iron my socks for a while and call support if it isn't back up when I'm done" then you are not a business customer.
If the service goes out for ten minutes and you are on the phone right away screaming at them to restore your service RIGHT NOW because every minute that goes by you are losing money, then you are a business customer.
The problem here is that most people who use VPNs to connect to their workplace aren't telecommuters, but people who need a file or to check mail or something simple on an infrequent basis. Relatively few people truly telecommute (i.e. work from home most or all of the time). This more expensive business use, as well as actually running a business (servers, whatever) should cost more. But it seems unfair for someone to have to shell out the extra dough so they can check their mail from home.
Obviously there are secure ways besides VPNs to implement this functionality, and eventually I think we'll see a move towards these. The question remains how will they enforce this prohibition? And if it's allowed on business connections, does that mean they'll support it, too?
See, the real issue here isn't "no you can't do that here," but that certain types of users call with certain kinds of questions, and this allows those answering the questions to segregate the questions so the right people can answer them. IP/SEC traffic requires certain very specific protocols and ports to be opened which may not normally be open on a standard ISP network. Most legacy hardware, and much current hardware doesn't support IP/SEC, so it cannot work. Your cable modem/router probably doesn't, unless it's high end or very new.
By prohibiting this activity on their "home" networks, they need not burn cycles explaining why "you can't do that, it just won't work," while really saying "our hardware can't handle it." The latter unfairly casts a negative shadow on an ISP who simply didn't design their network to handle this traffic, and perhaps doesn't see that as being cost effective to do.
So this is another attempt to cover themselves for not providing any sort of support for VPN, including enabling the functionality on their hardware. It's like their not supporting more than one machine in your house, or not supporting linux on their cable network. It would cost them way more to do it right than it's worth. They aren't doing anything wrong, though they're not doing anyone any favors, either. They aren't likely to tell you to stop, just not to ask for help. IP/SEC may never work on these networks, but other VPN-like items will probably fly under the radar.
The policy says
In reality I have and continue to use ssh for unix connectivity without hearing a thing from them. I've used pptp in the past when I was forced to work on Evil Empire(tm) OSes and that worked fine. I've got some GRE stuff running now between Cisco boxes on cable modem and that is fine as well.
The only thing they really watch for here is overall transfer volume. Use a gig a day every day for a week and you'll get The Phone Call. Other than this monitoring they don't have the time, energy, or hardware to observe/filter anything else.
I'd say go ahead and use it as you see fit
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Are you sure this isn't just their way of not supporting your VPN? There are similar requirements that you use Windows or Mac OSes, Netscape/IE and these rules are simply to shield tech support from alternative OS/browser questions but I've never received a notice to shut off my Linux systems running SSH, CIPE, Apache (not on port 80), FTP, etc....I also don't call their support and ask how to configure httpd.conf...
-- @rjamestaylor on Ello
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I have comcast, and I don't see this written anywhere in the TOS, and I've been looking at them for a while. I'm reading them here, and I see nothing about VPNs or that I interpret as VPN usage.
I've been looking at these TOS for a while, because a whole lot of crap has been going on with comcast lately. Here are some of the emails I've received from them lately.
They are changing mail services. This means my address changes from user@mediaone.net to user@comcast.com (or comcast.net, can't remember). No prob, EXCEPT the new address becomes active Dec 29th, old address is deactivated Dec 31st. This means we have 3 days to make the update to all our online accounts, subscriptions, mailing list, etc. and what 3 days do we get? Sat, Sun, New Years Eve. If I have a problem making this update for one of my accounts, good luck finding someone to help, since most companies will be closed these 3 days.
Furthermore, until mid Jan, we will only have 1 comcast email address. What about those of us now that have 2 or 3 addresses. We only have 1 until mid Jan. I have an email, my wife has an email, some families have kids with emails. I guess someone in the household gets left out in the cold for half a month (luckily for me/my wife, I've already transitioned to my own personal domain with email, so it's not an issue for me, but I'm sure it is for MANY, MANY people). They won't get email in that time, and what happens when they try to switch over one of their accounts in mid jan, and the system tells them "to confirm your update, we have sent an email to your previous address. Please click the link in that email to complete your update".
What else have they told me lately...oh yeah. They send me an email all about how some home pages are going to change, something really minor. Then, buried 5 paragraphs down, they mention that, by the way, there will also be a new acceptable use policy effective Jan 1st, 2002 which "includes new information on several subjects, including use of bandwidth". Are they going to charge us for excessive downloads or uploads? I tried to look up these changes at the URL I posted above, but I see nothing about bandwidth. It says what I can/can't do, but nothing about how much of it I can do. I'm puzzled. Are they getting worried about wireless neighborhood area networks?
What else...oh yeah. I'm getting a new modem mailed to me that I have to hook up by end of year. According to them "This new modem will prepare your computer for upcoming Comcast High Speed Internet product enhancements including improved reliability and new features". I talked with some people, and came up with rumors that they are decreasing our upload speed to 128Kbit. I currently get 250Kbit up, and I know people that get almost 400Kbit up. I looked on their site, and nowhere do they mention upload speeds anymore, except on one pricing chart, they list the service as "1.5/128K" (1.5Mbit down/128Kbit up). I'm afraid this new modem is their attempt to "upgrade" my upload speeds.
Oh, yeah, I almost forgot about the letter I got through postal mail last week...price goes up $5.
YEAH COMCAST!!!!!!
Bull. Show me stats - real stats that back this up. Residential users actually use more bandwidth than a business user @ home ever would. Gnutella, Browsing heavy graphical sites, etc. Most business users use VPN to check .... email. Maybe access a file server but how many files will they work on at once?
This is typical telco mindset being applied by cable companies - jack up business rates for the same service you provide to homes since you lose money on residential service. Then try to get as many folks on business lines as possible. Same thing happened with dial up - telcos wanted us to have business lines for home dialup users into our corporate networks - and we did - why? The IT managers wanted 'business class' support on these lines to get problems fixed faster - like it was gonna shut the company down if manager X couldn't dial in from home on his 2nd phone line and the telco hadn't committed to having it fixed by X hours. (um - what about the first)
I chuckle at all the ISP issues out there - just like banks - the bigger monoliths screw you while you get GREAT service and such from smaller ones. My ISP is a mom/pop phone company that got bought by another company that specialized in running mom/pops. We have excellent service (DSL), great rates, and they are pretty laid back about how you use it (no blocks - not even port 25, etc)
Top Most Bizarre/Disturbing Error Messages
What little chance I had of sympathizing with the "no business use" restrictions of residential service vanished once I realized that residential service is ALL there is.
The places that talk about the restrictions on residential service seem to imply that just by paying more, one can sign up for a "business class" service that is essentially the same as residential service but without those restrictions.
Unfortunately, that's not the case. Business class service (except briefly for some of the areas served by Cox cable) over cable lines does not exist. It is a strawman that cable ISPs use to pretend that their restrictions on "business" use are somehow rational. This is a recurring thread in various @Home newsgroups.
Hopefully having an article in ComputerWorld will produce more explicit explanation from cable ISPs about what exactly they mean by business use.
Consider that a common Comcast@Home commercial shows someone auditioning for an acting job halfway across the country through an @Home webcast. If that's not allowed, I smell a bait-and-switch lawsuit.
I've got AT&T Broadband in New Hampshire, and I recently found out something interesting. Apparently, AT&T has different TOS restrictions for different states/areas. In other states, the subscriber agreement specifically forbids servers of any kind. In NH, it simply says "it is the sole responsibility of the customer to keep their machines secure, including configuring any servers they choose to run."
:)
I found this out when I mentioned servers while talking to a tech support guy, and he told me that servers were prohibited. I challenged him to show me the clause in the agreement that said this, and he pointed me to a web site. On the site, it asks for your zip code, and you get a different version of the agreement depending on your location. He was looking at the Massachusetts version, and I was looking at the New Hampshire one. Apparently he hadn't been aware of the distinction either until then.
-- Brett
Having briefly worked as tech support for @Home, allow me to show a brief glimpse of why providers may want to do this.
An inordinate amount of cable internet support calls are VPN related. If you thought that clueless people having trouble connecting to their AOL email was a tech support nightmare, you've not seen anything until you get someone unable to connect to a VPN. A typical call would go like: "Dammit, why can't I get online!" After asking a few questions and running some tests it's made clear that the connection is fine, and they're able to connect through their desktop machine, just not their laptop. "Okay," I'd say, "It's probably just an error in the settings somewhere." I'd then proceed to describe how to open up the relevant controls in NT4 (it was always NT4...) "What? Are you kidding?!" they'd scream "This is my company's laptop and we're not allowed to touch anything on it!!!!!" "That's a problem, then," I'd say. "You'll have to have your sys admin check the settings for you then." "You're fucking kidding me! I'm in Redmond, WA and the company is in Denver! I work from home!"
The story was always the same: dumbass company gives employees laptops so they can work from home, and told them they had to get a broadband internet service, but didn't configure the machines for even DHCP or give the employees the admin passwords to configure things. You'd get that call about 20 times a day.
I'm so fucking glad I'm back in research. :)
"Business" lines are usually sold to brick-and-mortar businesses, e.g., a pizza shop, because they tend to use the phone far more than most residential customers. This requires more resources (switches, physical lines), and they are charged more. By the time a business has a PBX, the lines may be used constantly.
But then modems came along - and the telcos had to beef up their switching equipment because evening residential usage jumped way up. That's why there was a short-lived proposal for a modem tax. But the telcos eventually figured out that selling second (and third lines) for modems, teenagers and other heavy users was more profitable than that tax, and a lot less politically explosive.
Nowadays, I doubt many telcos care about home business use - during the day there's excess capacity in the residential areas since they're currently designed to handle everyone getting online in the evening.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
That's something solved by language such as "VPN access not supported", not by expressly forbidding it. Not supporting a certain service is a sign of limited human resources, whereas not allowing smacks of money grubbing.
-
Oh, goody, someone just finished reading Atlas Shrugged...
If you don't like the way Company A sells their bandwidth, don't purchase from Company A.
How about, if I don't like the way Company A sells their product, I rescind the government granted right-of-way that allowed Company A to dig up countless miles of public and private property to bring their product to me?
Fair is a socialist concept.
So is eminent domain, but without it we wouldn't have any cables (or utilities) reaching our homes at all. If we're already granting corporate monopolies based on one socialist theory, why stop there?
These cable clowns won't give up until they turn broadband into a product that nobody wants. Why not get it over with and block ALL the ports? For $39.95/month you get port 80 unblocked. Then they could have a list price for any other port you might want unblocked. That would achieve their objective of bandwidth conservation, as well as reduced calls to the help desk! I would think it would be fairly easy to support a network if all the data were eliminated.
If some data still remains on the network after phase one of the plan, they move on to phase two, where you pay per hop. At the basic rate of $39.95, the maximum hop count is five. If you pay for "expanded basic" it goes to ten, and "business class" is unlimited (at least for the first three months)!
These guys would license the number of mouseclicks and keystrokes if they thought anyone would pay. I think it's all part of a huge conspiracy to make dialup service more attractive.
All joking aside, the real issue with VPN has nothing whatsoever to do with bandwidth. It is more about controlling the availability of ports and access to IP addresses that might otherwise be blocked. Carried to its logical conclusion, you get a few people with commercial high speed connections and unrestricted access -- then a few thousand cable customers using VPN to circumvent access restrictions by the cable company. It still has nothing to do with bandwidth, because in an unrestricted environment this type of VPN would be unnecessary -- you would still have the same packets going to the same destination (probably via a more efficient route).
If these guys have any brains, they are fearful of a P2P like utility that might facilitate the exchange of quasi-public VPN logons, which would create a "Massive Rogue Virtual Network" (MRVN). In the perfect nightmare scenario, we throw in a bunch of house-to-house 802.11b users that eventually hit a residential cable modem "gateway" that allows entry to the MRVN world. Of course, all of this could be solved with reasonable pricing and fewer restrictions, but they're not that smart.
I have just about had it with their incessant "dumbing down" of the service. As time goes by, broadband costs more and more while it delivers less and less.
I have Pacific Bell DSL AKA SBC Internet.
Just spent 10 minutes TRYING to find an "Acceptable Use Policy" or something similar.
It's just NOT THERE... Really, it seems, they don't *care* what you do with your Internet Service! Basic rate is $50/mo, Biz use starts at $65. (I subscribed to a plan they no longer offer, a single static IP for $50/mo)
I know, I'm in bed with that evil monopoly, Pac Bell, but Hey! This is COOL! I've run my own DNS/Web/Mail/Proxy/NTP/etc Linux server for 2 years without a hitch. No complaints, nothin' - and reliable bandwidth to boot.
I *LOVE* these guys! (Even if they ARE an evil monopoly)
-Ben
I have no problem with your religion until you decide it's reason to deprive others of the truth.