I never specifically studied mechanical engineering in school except in connection with electronics engineering but did later on the job. My experience in designing for temperature extremes never had to include liquid nitrogen but we were using it in the testing chamber and my boss asked how low the circuit could go before failing. I said something like, "I'm not sure. The thermometer does not go below negative two hundred and ninety nine degrees." That was way lower than the specification we were trying to meet of -85 °C but I was searching for destructive failure modes by that point. I had already taken steps like avoiding aluminum electrolytic capacitors in the initial design which freeze at an inconveniently high temperature. In a different project I had to substitute polypropylene for polystyrene capacitors when high temperature operation was important and even then I had to run my own tests over temperature to qualify a manufacturer because the characteristics we needed were not commonly specified when using polypropylene. Teflon capacitors were too large and too expensive.
After the liquid nitrogen pooled out onto the work bench I had great fun flinging it at coworkers. Racket balls when frozen are especially entertaining when thrown against hard surfaces.
Placing heaters on the Mars rovers inside the insulated body always seemed obvious to me. The only real way to get around it would be matching most of the temperature coefficients and perhaps adding strain relief where that is not possible. Using heaters should make for a much easier testing process. I expect NASA and JPL have an institutional book on what works and what does not but if they have to rely on commercial technology and parts which evolve rapidly, they will have to do their own qualification and testing.
. . . it will likely be crossing the Earth's orbit at an extreme angle, and thus the Earth -> Comet line of sight will be at a narrow angle to the Sun -> Comet -> Tail line.
It could just as easily hit us when traveling away from the sun, in which case the tail would come first and extend through our position.
The only place where I think he's totally off base is calling the brain "a patchwork". It's not, in fact.
Hell! Whoever did the design did not even know enough to use backface illumination on the attached CCD array and ran all of the metalization traces along the front of the retina! Take a look at a cephalopod eye to see how it should have been built. To the designer's credit however, they used channel routing in the primate designs which raised the active capture area for better performance but that just shows another level of patchwork engineering. I can understand it though. What are you going to do when stuck with an already working, in-production design by a contractor who has left the scene and management wants improvements immediately? The DSP color correction for the chromatic aberration caused by the complex index-graded curved lens was a pretty clever fix as well.
It's extremely finely tuned to do what we need it to do
I completely agree with this and the rest of your post.
I do not particularly disagree with the general point of your post however:
. . . Your dog, however, may have some problems getting along with it. The reason is because fido's brain isn't as far along as yours. It only deals with emotions and autonomic responses to the world. Your brain, however, is able to ignore these responses and (usually) accurately assess the situation. But only if it chooses to.
Fido's brain is just as evolved as ours. It has evolved for the aspects of the environment which dogs interact with and live in.
I have myself used this fact to acquire vast sums of money from casinos, to the point where I was able to purchase a casino myself. You should come and visit and play at my craps table. I'm sure with the knowledge I've given you, you will soon be buying the casino from me!
You had me going for a second but having already sold my casinos, I recognized your ploy.
You can't apply "evolution" as a blanket to tool use at the level we've taken it; we have evolved a capacity for abstract thought which allows us to create highly complex tools... Saying that we're not evolved to assess risk on a level as abstract as this is disingenuous...
We have evolved to assess risks in the environments that we spent time evolving in. This is so much the case that specific physical brain structures are devoted to handling specific aspects of those ancient and evolutionarily significant environments of 100,000 years ago and earlier. Modern society has changed so rapidly that many of these facilities can no longer be relied on for reliability.
Our ability for abstract thought allows us to train ourselves to assess modern security threats accurately but it requires specific training toward that end.
When was the last time a virus jumped out of your computer and ate you? There is no evolutionary pressure involved with such intellectual pursuits.
That is Bruce Schneier's point. There has been no evolutionary pressure for humans to develop specific facilities to accurately gauge and respond to modern security threats. Those things now have to be learned in the same way one would have to learn to read and write as opposed to how one can learn to speak and listen during childhood. The latter proceeds through the use of imprinting and the former requires artificial training.
I don't think any of us UKians really appreciate the size of the USA until we've watched it grind by through an airplane window or . . .
. . . Americans can't cope with the frankly ludicrous size of their country so they deliberately build all their cars, houses, trains and teenagers to 150% scale so that the land looks smaller than it really is . . .
I remember hearing a story saying that when the federal government forced the states to adopt 55 mile per hour maximum speed limits (which itself was a lesson still not understood in its implications), the governor of Texas complained that they had just made the state twice as large.
. . . such a massive outage would be more likely to encourage appropriate law enforcement agencies (of whatever nations) to get off their collective asses and actually solve the problem at its source.
My first shotgun (single shot .410) wasn't 762mm in length, it was only 28". That's patently ridiculous. They gonna call that a pistol, too? I'm assuming they're talking about barrel length, here, since total length is meaningless.
There were similar issues in the US after the NFA (National Firearms Act) was passed in 1934 placing restrictions on machine guns among other weapons. Occasionally, .22 rifles would show up with barrel lengths of 16 inches that were actually smooth bore. BATF figured these were actually short barreled shotguns and would use possession without the tax stamp as a felony to persecute dealers and owners. In the US for shotguns the barrel length has to be 18 inches or longer and the overall length has to be 26 inches or longer. Anything else is a short barreled shotgun which has additional restrictions and of course all of the violations are instant felonies.
The Sixth Circuit includes Kentucky, Michigan, Ohio, and Tennessee. Couldn't the government just continue enforcing the law on producers and distributors outside of the Sixth Circuit? I figure that would essentially force those inside the Sixth Circuit to continue providing the documentation even if they do not have to maintain the records themselves and be subject to warrantless search.
It's scary, because record-keeping mistakes are felonies.
So it is just like the requirements on people who have federal firearms licenses? My understanding is that all of the paperwork mistakes are felonies and in addition, all of the paperwork mistakes that the government makes are also felonies. That is that they are felonies for the FFL holder and not the government.
Compute cycles may be, but the rollout of additional network infrastructure, accounting systems, billing systems, and extensive customer support for people who don't know why they are getting a $500 bill isn't.
The compute cycles I was thinking of are not in the billing but in the traffic analysis, inspection, and shaping itself. I have no illusions that routers which do these things are complex; however, my point was that over time compute cycles have become cheaper faster than bandwidth, so at some point smarter routers to handle these tasks become a good investment to make the most of scarce network throughput. Keeping the customer's billing simple is important if only so they can understand it.
Of course, maybe I know just enough to be dangerous. :) I can conceive of putting hardware and software together to handle up to 1 Gbit/s line speeds and perhaps multiples of that for an almost arbitrary number of stateful and stateless connections. My own built systems should easily handle 100 Mbit/s although I have not had any need to tax them above about 30 Mbit/s.
ISPs are just trying to do the cheapest and simplest thing that gets the job done. Port-based filtering still works on average, so they are using it.
I agree however what is ultimately needed is more complex and based on their actions I do not believe Comcast is preparing for it although I hear rumors that they are having financial problems which could preclude serious long term planning.
The problem isn't the ISPs here, the problem is that people are not thinking about how their usage affects everybody.
I disagree. I see a giant prisoner's dilemma (although tragedy of the commons is just as apt) in the making where it is not possible for users to police their own collective action but the centralized ISPs can. The latter may choose the method and that will determine the outcome. The course Comcast has chosen will neither yield a workable business model nor the best outcome for their users unless Comcast fails.
Some BT clients are horrible, and they'll create so many NAT states that a typical consumer firewall will not have the resources to route very well. I've seen it happen at home before, using a Buffalo with DD-WRT. I've seen a similar thing happen with the pfsense box I use at the office when one workstation had some sort of bot on it.
A bot managed to overload the state table on FreeBSD based pfsense? I am impressed. Did it crash like a consumer router or just stop creating new states? I have never managed to fill up a BSD based router's state table myself.
The other method is to realize that while most protocols would be disrupted due to forcibly closing the connection, BitTorrent will not be.
Does anything preclude the use of forged ICMP Source Quench packets? If the endpoints are filtering these out to avoid shaping then they will likely be able to filter forged RST packets as well anyway, and perhaps it would be better to cooperate with the user in rectifying the situation for all involved.
That, of course, is reasoned and intelligent debate without stupid emphasis on various words to make the story more sensational. The EFF is ridiculous. Like the ACLU, it's a good idea in principle. In practice both of those organizations aren't protecting anyone's liberties because they aren't having an open discussion about what is and what is not an infringement on one's liberties. They pre-decide what they consider to be infringements then hire armies of lawyers to ram their decisions down everyone else's throat.
I might believe this if Comcast had been transparent in what they are attempting. By using forged RST packets to drop connections instead of using ICMP Source Quench or other means while simultaneously playing the deny game, I find it very difficult to trust anything they say and I find their motives questionable.
4.5) Upset users of both Comcast and other ISPs install DD-WRT images which helpfully forward lost Comcast RST packets to various Comcast servers. Unexplained crater appears overnight along Market Street in Philadelphia.
Bah! This is a Slashdot discussion. Stop confusing me with rational discourse.
If they want to implement traffic shaping then do it transparently and in such a way that obfuscation of traffic is not worth the trouble. Knowing which streams are SSH and which are HTTPS is valuable if you provide low latency for the former and high throughput for the latter. If everything ends up inside encrypted tunnels everybody loses. This can currently be done with a combination of traffic analysis and inspection but wait long enough with current trends and traffic inspection could become impossible. It might be worthwhile to enforce different policies within the Comcast network since traffic to their peers is more expensive. Is all of this complicated? Sure. But so is what they are going to end up with anyway if they continue their present course, except they will have paid a cost in customer satisfaction and end up with less control over their network traffic.
Or let's say Comcast is legally required to provide the bandwidth they advertise at a sustained rate. They can't do that at 4Mbps. So, what will happen? Everybody will be dropped back to a rate they can actually guarantee at the price they charge, which is probably, oh, 256kbps.
I do not really expect any ISP to provide a continuous data rate equal (or even similar) to the link data rate. If they wish to use traffic analysis and shaping to moderate any one user's traffic to 256kbps over a 24 hour period, that would be fine. But plainly advertise what the limit is and none of this "we reset your allowance every 24 hours" stuff. Just manage the bookkeeping using a token system or similar. Compute cycles are cheap compared to WAN throughput.
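The "token system" the post proposes, written out as an added example (not code from the thread or from any ISP): a token bucket that refills continuously at the advertised sustained rate and holds one averaging window of credit, so there is no midnight allowance reset and the long-run average can never exceed the stated rate. The 256 kbit/s and 24 hour figures come from the post; the simulated traffic events are constructed.

```python
"""Token-bucket accounting for a per-subscriber sustained-rate limit.

Added example, not from the original thread. Policy assumed: a subscriber
may average SUSTAINED_BPS over a WINDOW_SECONDS window. Credit accrues
continuously, so a quiet stretch earns the right to a later burst, but the
average over any long interval is capped at the advertised rate.
"""
from dataclasses import dataclass

SUSTAINED_BPS = 256_000          # advertised sustained rate, bits per second (from the post)
WINDOW_SECONDS = 24 * 60 * 60    # averaging window the policy is stated over (from the post)


@dataclass
class TokenBucket:
    rate_bps: float                  # refill rate, bits per second
    capacity_bits: float             # maximum stored credit, bits
    tokens: float = 0.0              # current credit, set to full in __post_init__
    last_ts: float = 0.0             # timestamp of the last refill, seconds

    def __post_init__(self):
        self.tokens = self.capacity_bits      # a new subscriber starts with a full bucket

    def _refill(self, now):
        # Credit earned since the last refill, clamped at the bucket capacity.
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(self.capacity_bits, self.tokens + elapsed * self.rate_bps)
        self.last_ts = now

    def admit(self, now, nbits):
        """Spend credit and return True if nbits may be sent at time `now`;
        return False when the shaper would have to queue or drop the traffic."""
        self._refill(now)
        if nbits <= self.tokens:
            self.tokens -= nbits
            return True
        return False


def daily_bucket():
    """Bucket sized so one full day of silence buys one day of credit."""
    return TokenBucket(SUSTAINED_BPS, SUSTAINED_BPS * WINDOW_SECONDS)


def simulate(bucket, events):
    """events: iterable of (timestamp_seconds, bits_requested) in time order.
    Returns the admit/deny decision for each event."""
    return [bucket.admit(t, bits) for t, bits in events]


if __name__ == "__main__":
    # Constructed sample: a 20 Gbit burst, an immediate 5 Gbit follow-up,
    # then 3 Gbit and 100 Mbit requests one hour later.
    b = daily_bucket()
    print(simulate(b, [(0, 20e9), (0, 5e9), (3600, 3e9), (3600, 1e8)]))
```

A day's credit at 256 kbit/s is about 22.1 Gbit, which is why the first burst is admitted, the second is not, and an hour later only the 921.6 Mbit earned in that hour plus the leftover is available. Because the bucket never exceeds its capacity, unused credit from last week cannot be hoarded into an unbounded burst.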
All ISPs should go to volume-based pricing, like, oh, $1/Gbyte or so. Then, if you want to run BitTorrent 24/7, you pay your fair share for the volume you actually use, and eventually, Comcast will give you your own line.
This would be fine but just advertise the limits clearly. I am not sure how the accounting could be handled but traffic with Comcast's peers should be more expensive than traffic within the Comcast network. I suspect that my suggestion above would be more user friendly although more complicated in implementation.
But, I'm not so sure that one could not just simply use a suitable 75-Ohm transformer to break S/PDIF grounds. Seems that just about anything from the conventional broadcast video world would work fine, where such devices are somewhat common.
Perusal of the S/PDIF specifications (I have not had the occasion to use it myself) shows that those audio guys knew what they were doing. It uses biphase mark code and the bit rate can be up to about 4 MHz (depending on how you count it) so transformer isolation should be trivial although you would probably want one with a significantly higher impedance than 75 ohms to prevent loading down the driver. A transformer for isolating IEC 60958 Type I would probably work fine.
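Why biphase mark code makes transformer coupling easy, shown with a small encoder and decoder as an added example (not code from the thread or from any S/PDIF implementation): every bit cell begins with a level transition and a 1 bit adds a second transition mid-cell, so the signal never sits at one level for more than one cell and the data ride on transitions rather than absolute levels. The bit pattern used as input is constructed.

```python
"""Biphase mark code (BMC), the line code S/PDIF uses. Added example, not
from the original thread. Two properties are demonstrated: the longest run
without a transition is one bit cell (two half-cells), so the signal has
no meaningful DC component for a transformer to block, and decoding only
looks at whether the two halves of a cell differ, so a transformer that
inverts polarity leaves the decoded data unchanged.
"""


def bmc_encode(bits, start_level=0):
    """Return a list of half-cell levels, two per input bit."""
    level = start_level
    out = []
    for b in bits:
        level ^= 1                  # transition at the start of every cell
        out.append(level)
        if b:
            level ^= 1              # a 1 bit gets a second, mid-cell transition
        out.append(level)
    return out


def bmc_decode(halves):
    """Recover the bits: a cell whose two halves differ carried a 1."""
    if len(halves) % 2:
        raise ValueError("BMC stream must contain whole cells")
    return [int(halves[i] != halves[i + 1]) for i in range(0, len(halves), 2)]


def longest_run(levels):
    """Longest run of equal consecutive levels, counted in half-cells."""
    best = cur = 1
    for a, b in zip(levels, levels[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best


def invert(levels):
    """Model a transformer wired with reversed polarity."""
    return [lvl ^ 1 for lvl in levels]


if __name__ == "__main__":
    sample = [1, 0, 0, 1, 1, 0, 1, 0, 0, 0]          # constructed input
    line = bmc_encode(sample)
    print(line, bmc_decode(line) == sample, bmc_decode(invert(line)) == sample,
          longest_run(line))
```

The run-length bound is what matters for the coupling transformer: at a few MHz a transformer only has to pass a bandwidth from roughly half the bit rate up to the bit rate, never a long constant level, and the polarity independence means the winding sense does not have to be controlled.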
I have occasionally seen the results of MOV induced earth ground failure as well although I was not the cause. I always add some resistive isolation to non-isolated RS-232 and similar ports when designing new equipment. It saves on the cost of replacing development systems.
It seems like we are on the same side in a mirror universe sort of way.
Just to be clear, I completely disagree with their policies and would feel no remorse by violating them but I also would not complain when they kicked me off in violation of their ToS. If they are going to do so, I might as well give them a reason. Of course not being a Comcast subscriber, I am not in that position and only have to deal with their forged RST packets from the outside.
And the only thing that stops me from exceeding the posted speed limit but otherwise traveling safely is the threat of being detained and given a ticket. I hate funding the state through sin.
Comcast can't currently afford to intercept all SSL connections, inspect the certificate to see if they can forge it, and proxy the connection just to do packet inspection.
Apparently they can not even afford to use traffic shaping on their network if they are relying on traffic analysis and forged RST packets coming from a device not involved with the actual TCP connection. Wouldn't executing a man in the middle attack on unauthenticated SSL traffic take a hell of a lot more processing power than a router that included packet inspection for the purposes of traffic shaping?
My post was inspired by my recent investigations (last night while suffering from a sugar and caffeine high while attempting to diagnose a balky router at 3am) into Comcast's interference with TCP connections.
Both the m0n0wall and pfsense FreeBSD based routing projects support enough packet classification in their traffic shaping rules to do exactly what I described. The firewall rules themselves however do not, so one of the first things I tried was creating a very long delay queue in dummynet (m0n0wall for this) and adding a shaping rule that would direct forged RST packets from Comcast IP addresses into it. With pfsense, it is not quite as straightforward because it uses a different traffic shaper which does not support queue delay.
What I am actually looking into doing is using a bare FreeBSD installation set up as my outer router to translate the incoming forged RST packets and direct them toward Comcast. After all, I know the other ends of my TCP connections did not send them so they must be misaddressed packets destined for some important address like the Comcast DNS server. Being a good netizen I will forward them to the correct destination.
RST is of course a valid TCP signal but my understanding is that Comcast is not altering the RST flag in existing packets but instead is forging their own minimum length flow control packet with an appropriate TCP sequence number. I will try classification based on that and the source address.
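The classification the post describes (a minimum-length TCP segment with RST set, matched on source address) written out as a detection routine over raw packets, as an added example. It is not code from the thread, nor from m0n0wall, pfsense or dummynet; it only tags segments so a logging or queueing rule can act on them. The watch-list prefix is an RFC 5737 documentation range standing in for whatever addresses an operator has actually observed, and the three packets are constructed inline with zeroed checksums.

```python
"""Tag bare TCP RST segments from a watch list in a packet capture.

Added example, not from the original thread. A "bare" reset here is a
segment with the RST flag set, a 20 byte TCP header (no options) and no
payload, which is the minimum-length shape the post describes. Segments are
returned with a label; nothing is modified or sent.
"""
import ipaddress
import struct

# Placeholder watch list: an RFC 5737 documentation prefix, not a real source.
WATCH_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, seq, flags, payload=b""):
    """Construct a raw IPv4+TCP packet for sample input (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp + payload


def parse(pkt):
    """Return the fields the classifier needs, or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # protocol 6 is TCP
        return None
    src = ipaddress.ip_address(pkt[12:16])
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    thl = (off_byte >> 4) * 4                        # TCP header length from data offset
    return {"src": src, "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "tcp_hdr_len": thl, "payload_len": total_len - ihl - thl}


def classify_rst(pkt):
    """One of: watch-list-bare-rst, bare-rst, rst-with-data, not-rst, other."""
    f = parse(pkt)
    if f is None:
        return "other"
    if not f["flags"] & TCP_FLAG_RST:
        return "not-rst"
    bare = f["tcp_hdr_len"] == 20 and f["payload_len"] == 0
    if not bare:
        return "rst-with-data"
    if any(f["src"] in net for net in WATCH_PREFIXES):
        return "watch-list-bare-rst"
    return "bare-rst"


def sample_packets():
    """Constructed capture: a bare reset from the watch list, an ordinary data
    segment, and a bare reset from a peer that is not on the list."""
    return [
        build_ipv4_tcp("198.51.100.7", "192.0.2.10", 6881, 51000, 0x1234ABCD,
                       TCP_FLAG_RST | TCP_FLAG_ACK),
        build_ipv4_tcp("203.0.113.5", "192.0.2.10", 443, 51001, 1, TCP_FLAG_ACK, b"hello"),
        build_ipv4_tcp("203.0.113.9", "192.0.2.10", 80, 51002, 99, TCP_FLAG_RST),
    ]


if __name__ == "__main__":
    for p in sample_packets():
        f = parse(p)
        print(f["src"], f["sport"], "->", f["dport"], hex(f["seq"]), classify_rst(p))
```

A bare RST with a plausible sequence number is also exactly what a real peer sends when it has no state for a connection, so the label is a trigger for logging and correlation (does the tagged reset arrive while the peer is still happily sending data?) rather than proof of injection on its own.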
So, am I allowed to complain, then?
Nope.
If you did not vote for the winner you are not allowed to complain.
Dangit. Where is the sarcasm tag?
I'm sure someone could think of a way to make write-only storage very efficiently.
It has been done and I remember when it was announced:
http://www.national.com/rap/Story/WOMorigin.html
I wonder how many days would that guy last in an East African village 100,000 years ago.
If he had grown up in that environment I would guess he would do fine. None of his ancestors died without having successful children.
Contact the users' ISPs and have them cut the connection to the infected machines until they are cleaned up.
That sounds like a job for Sandvine.
So like fbi.gov?
I believe we established in an earlier theory that math geeks can only attract women who like '95 Corollas.
And what policies do you prefer?