Slashdot Mirror


How to Work Around Broken Port-80 Routing?

Dr. Zowie writes "My ISP places an opaque (intended to be transparent) web proxy between me and the rest of the world. It is causing me problems due to misconfiguration or misdesign. My question is twofold. On the micro level, what can I do in the short term to work around the broken routing (in the long term, I switch ISPs if it's not fixed)? On the macro level, what can we as a community do to prevent breakage of the net on a global scale by poorly designed routing hacks?"

Dr. Zowie continues: "I use a regional ISP with otherwise-very-good policies. However, they seem to be intercepting anything that comes from my home net on port 80, so that they can ``transparently'' cache web requests based on the payload of those packets. The proxy seems to work rather well in most cases: I never noticed it until I started using OpenNIC. Then I found that some web pages that should have resolved OK through the OpenNIC system failed even though routing on different ports worked OK.

"I did some experimentation using ``telnet'' on port 80 directly, and found that packets are being routed based only on the payload regardless of the original destination address: I can (for example) retrieve the Slashdot front page by using ``telnet www.google.com 80'' and asking for "http://www.slashdot.org http/1.1". The tech support folks seem to be stonewalling me: the main contact tells me that the behavior is "not broken" even though it clearly violates RFC 1812, the standard set of rules for IP routing.

"The practice of ``transparent'' proxy routing seems to be growing more widespread. It appears to break the internet standard in a way that works for most folks for now, but that breaks port 80 usage in general. Looking ahead, this breakage seems like a growing nightmare waiting to happen. At the very least, I expect more instances of my particular problem to appear as folks give up on the corporate hegemony of ICANN. More insidiously, transparent proxy routers break the layered nature of the internet protocol and restrict the flexibility that made it work in the first place. One would hope that such proxies would at least act like routers when the fancier proxying fails, but at least my ISP's doesn't. What about your ISP's?"
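The telnet experiment described above, as an added example that is not part of the original post: a repeatable Python check that sends a raw HTTP/1.1 request to one destination address with a Host header naming a different site, plus a constructed local stand-in for a Host-routing proxy so the check can be run offline. The hostnames and page markers in the stand-in are constructed values.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def raw_get(dest_ip, dest_port, host_header, path="/", timeout=5.0):
    """Send a minimal HTTP/1.1 GET to dest_ip:dest_port with an explicit Host
    header and return (status_line, headers, body). A raw socket is used so the
    Host header can deliberately disagree with the destination, as in the post."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection((dest_ip, dest_port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def routed_on_host_header(dest_ip, dest_port, decoy_host, marker):
    """True if a request sent to dest_ip but carrying Host: decoy_host comes back
    with `marker` in the body, i.e. something on the path chose the origin from
    the payload rather than from the IP destination address."""
    return marker in raw_get(dest_ip, dest_port, decoy_host)[2]

class HostRoutingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the ISP's proxy: it answers purely on the Host
    header and ignores which address the client actually connected to."""
    ORIGINS = {"www.slashdot.org": b"SLASHDOT-FRONT-PAGE",
               "www.google.com": b"GOOGLE-FRONT-PAGE"}  # constructed markers
    def do_GET(self):
        body = self.ORIGINS.get(self.headers.get("Host", "").lower(), b"UNKNOWN-HOST")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stand-in quiet
        pass

def start_fake_proxy():
    """Serve the stand-in on an ephemeral localhost port; returns that port."""
    server = HTTPServer(("127.0.0.1", 0), HostRoutingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port
```

Pointed at a real destination address instead of the stand-in, `routed_on_host_header` reproduces the post's diagnostic from your own connection: a body belonging to the decoy site means the path honoured the payload, not the address.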

2 of 323 comments

  1. could this be more of an anti-server thing instead by NotAnotherReboot · Score: 0, Offtopic

    I know my ISP's AUP doesn't allow ANY servers of ANY type (which is ridiculous, but I know for a fact that whining will get me nowhere with them). One of the ways they do this is to actually block anything coming in on port 80 to block an http server. Of course, I just change the port, but it could very well be that your ISP just doesn't want you running a server and is trying to find an automated solution to stop most people.

  2. Administrative competence / certifications by cravey · Score: 0, Offtopic

    Once again, we're shown what happens when someone who doesn't know what they're doing gets into the pilot's seat. In the past, I've seen the situation complicated by management demanding that something be implemented NOW. This leads to a new technology being put in place as an improperly implemented solution. In the end, when you consider the amount of support work required for it, it ends up being cheaper to do it right, but more slowly. For some reason too few people realize this.

    Certifications would certainly seem to alleviate the frequency of many of these occurrences, but in practice, I have seen too many certified employees who really don't understand the basic ideas of what they're trying to do. Sure they have a piece of paper stating that they passed the test, and may have paid $20k for a 1 month course in their given certification, but without real experience with the technology, it's all worthless. Combine this with management that believes that technical staff is merely there for implementation and not design or recommendation and you have a cycle where poor decisions are implemented 'just to get by' and are depended upon from that time on because no one who knows what they're doing has the authority to veto stupid decisions.

    What we really need are more certifications that concentrate on ability and broad-based knowledge than a specific way of doing things for not only admins, but also the managers of those admins. An incompetent manager has no business having the authority to tell a network admin to implement a new technology on a specific schedule. I fear that competent admins will soon become only slightly more respected than the guy who unclogs the toilet.