@Home Stops Allowing VPNs

cwilson writes: "I just got a message from my cable modem provider, Comcast@Home (a member of the Excite@Home network) that the terms of service were being changed. The interesting bit: Section 6. Prohibited Uses of the Service. This section specifies that use of the Service in conjunction with a VPN (Virtual Private Network) or a VPN Tunneling Protocol is a prohibited use of the Service. See for yourself here in section 6." Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah! Update: 08/14 14:16 by michael : Yes, Robin confused NAT and VPN. TLA's are a PIA.

Detecting VPNs (shutting off SSL POP3 and SMTP?)

I suspect that @Home will now start monitoring connections for encryption (think SSL and TLS), then look at traffic patterns to determine whether it's a secure Web browser or "something else". That means that you might be shut off for using SSL-encapsulated FTP or SSL-encapsulated SMTP (for secure mail transfer). Indeed, I can see where people regularly using PGP encryption on mail content may get a little note from the company.

Hmmm...there is very little difference between a VPN and SSL encrypted services. Could it be that we are seeing something caused by the FBI demands to snoop on mail? A VPN is one way to block Carnivore and ISP monitoring from capturing e-mail traffic. Another way is to use STARTTLS-enabled mail clients to talk directly to STARTTLS-enabled mail transfer agents.

Perhaps it isn't just a bid for money...but then again, I admit I'm paranoid.

Re:Read the entire agreement!!!

The part about "reselling" is completely orthogonal to the part of VPNs. Here what you want:

without limiting the generality of the foregoing, the service is for personal and non-commercial use only and [the] customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol;

That said, it's probably wise to just ignore the policy. I would suspect fully 100% of @home subscribers are breaking at least two of the rules mentioned there; if they're not, they're wasting their money. It seems that @home (at least in my part of the world) only gets annoyed when you start using up obscene amounts of bandwidth (e.g. around 1GB/day regularly/constantly).

Re:data security

The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections.

Even this doesn't make much sense to me. If they start sniffing everything, they open themselves up to huge liability problems (of course, they can and do hire lots of lawyers to deal with this). It's the difference between being a common carrier like a telco (who is not responsible for what is said over their wires) and a newspaper (who is responsible for everything said in their pages). Slashdot skims this line - Slashdot is liable for the stories, but not for the comments (since they never get deleted or edited, Slashdot can reasonably claim common carrier status) (ObDisclaimer - I ain't no steeekin' Lawyer)

The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth....

No, I think they have higher rates for @Work. If you can't put a LAN on @Home, you can't really use it in a business environment. So you're forced to use the more expensive commercial service, rather than the residential one. In some sense, this is a very crude way of doing usage-based metering (about as much as minimum age requirements "guarantee" responsibility in drinking, smoking, voting, or driving). IMNSHO, these kinds of policies are going to eventually change as home networks become more and more prevalent. No one will sit still for paying more for a cable modem connection just because their "set-top box" happens to be made by Sony and thus has a 1394 connection that happens to be capable of running TCP/IP. I mean, really. That would be like charging someone different phone rates based on having a y-jack for their phone.

Re:Are you confusing VPN's and ip masquerading?

He probably is ...

But apart from this, how does Comcast think to actually enforce this ? I mean, come on, everybody with some knowledge of ipchains, squid, and maybe a generic ip proxy will be able to masquerade that he/shes masquerading his/her traffic. Out of the box masquerading is easily detectable (who seriously uses ports upwards of 60000 ?), but with some precaution you can make it seem to be one computer, running MSIE if you want.

Oh, and how the heck would they tell a VPN protocol from http, provided one uses a sufficiently encrypted connection (ssh will do, so will any ssl-based app). Everybody who runs VPNs without encryption should be shot on the spot anyway. Or take out the P from VPN.

Can you believe the "Deutsche Telekom" (the phone company in Germany holding the monopoly to local lines and thus flatrates) actually prohibits this exact same behavior on even analog connections ? As if that would make any difference at all (they dont sell you IPs, theyre dynamic anyway), but what do you expect from monopolies.

Comcast Clarification of VPN

I sent them a question asking for clarification about the VPN paragraph. This is their reply:

It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

Thank you for choosing Comcast@Home!

Not just Comcast

I use Cox@Home and they also have this provision.

From the Cox@Home User Agreement:

8. Prohibited Uses of the Service; Indemnity.
Customer shall not use the Equipment or the Service directly or indirectly to:

m. use a VPN (virtual private network) or VPN tunneling protocol;

Here's [cox.com] the link to it.

However; I looked at the @Home Acceptable Use Policy [home.com] and they didn't have anything specific about VPNs.

I've liked my service so far, but if they try and enforce this, I'll have to switch to DSL (Man I HATE Southwestern Bell) because I have to be able to VPN into work. I really think they are shooting themselves in the foot with this, although it may end up being something they never enforce. I'm not going to start worrying about it untill they do. And if/when they do enforce it, then that will be $40/mo less revenue for them from me.

The AUP is not really clear, but...

...it probably should be passed in front of a tech-savvy legal expert.

There are two possible interpretations of Section 6(b)(vii):

1. (restrictive version): you are forbidden from running a VPN between your @home computer and a business (actually, between any computers) for any reason whatsoever. Period.
2. (more open version): you cannot run a VPN between your @home computer and a business IF you intend to operate business-related services on the @home side of the VPN. Using a VPN if you are only doing client-side stuff on the @Home side is fine.

Comcast needs to clarify this quickly. If they are banning VPNs of any kind, well, that kills their telecommuter business immediately, which I can't see them doing (telecommuters are good for the service - they use the network at an otherwise low-use period and are not any more of a strain on the network than an ordinary user). I suspect that the intent was to prevent businesses from using @home as a channel to set up remote office VPNs and/or to prevent people from setting up clandestine Internet servers (i.e. ones that don't serve out from the @home IP, but do on another IP, and are undetectible by @home).

I'd call Comcast and make this point. I suspect that they aren't going after the telecommuter, but instead have a badly-worded AUP addition, and should change that.

-Erik

Re:VPN is a strange thing to forbid

I never assumed that "it means creating a home network". I know the difference between NAT and VPN. Roblimo deleted my commentary on the news and added his own, and forgot to put closing quotation marks to end my part of the story. Roblimo said,

Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah!

So, blame Roblimo, NOT me, for the ensuing confusion in almost EVERY BLASTED message in this thread, where people are mixing up NAT and VPN. My original commentary was something along the lines of

What possible reason could Comcast have for dissallowing this service? Are they just trying to insist on being able to snoop on my traffic, and don't want any encryption? What's next -- no outgoing ssh client connections to external ssh servers?

GASP: Could ssh itself be considered a VPN Tunneling Protocol?

That's not a completely accurate quotation of my original comments; I can't seem to access my story as originally posted, but Roblimo probably can. Anyway, that's about what I was thinking when I wrote it. FWIW, here is the email I sent to my provider last night:

While most of the revisions specified seem reasonable, I would like to know your rationale for the apparently arbitrary decision to disallow the use of VPN Tunneling Protocol. While I do not currently use a VPN, I have always considered the *possibility* of hooking up to my company's VPN one of the main benefits of a fast, always-on connection.

WHY are you disallowing this use of the service for which I am paying? Is it because you don't like it when your customers encrypt their packets? For the life of me, I can't imagine what possible detriment VPN could have on your infrastructure or other users.

Re:No more secure working from home with @Home?

Yes, you are. Here is a clarification I received from them about this:

It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

Thank you for choosing Comcast@Home!

Detecting IPSec is easy

The reasons for restricting VPN traffic and restricting ip-masq are completely different.

ip-masq: They would restrict this if they wanted to sell you more IP numbers.

VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.

You're absolutely right that the reason for this is to charge extra for "business" uses of the connection. However, detecting IPSec is a snap. All the need do is enact a filter for protocol 50 in the IP header of any inbound or outbound packet and discard. Bye bye IPSec connection.

This is a terrible precident because long term it prevents the use of ubiquitous point-point Transport Mode IPSec, which is the whole point behind the IPSec standard. Sure, it's neat to make tunnels to work, but in the long term the IPSec community wants to create a mechanism to secure ALL IP traffic. This blows that goal right out of the water.

Also, are they going to start limiting SSH service to my employer? Can I telnet to my employer? Where do they draw the line between "personal use" and "business use"? If my cable modem provider pulls these tricks they'll lose a customer.

Re:Broadband

Here here!
Although I do have broadband (Cox@home), I do remember not having access to broadband, and it sucked. People whine about @home, RoadRunner, or DSL, but try a 56K modem then go back to broadband and they won't complain anymore.

I am one @home customer that is greatful to be able to download at 100K/sec+ and have 40ms Quake3 ping times.

VPN's, @Home, and cable networks

First, it sounds like the TOS for @Home are now (deliberately?) vague and open to a lot of interpretation.

Second, whilst the "stated" aim is to prevent the customer from using @Home as a means to compete -with- @Home, the effect is to essentially make @Home largely pointless. There is no purpose in being connected 100% of the time, if you can't make -some- use of the unused bandwidth that you (after all) -ARE- paying for.

IMHO, if they had said -commercial- web server, or -commercial- VPN, then @Home would have a point. It would also make some kind of "legal" sense, due to US zoning laws.

On the other hand, blanket bans, where what is being banned is not clearly stated or described, sounds more like a means to sue anyone they happen to feel like, on some kind of ill-defined pretext.

I thought King John had ended this kind of practice. Obviously not. Maybe we need another uprising, to remind people that "authority" is NOT about power but responsibility.

OTOH, if some Grey Hats could, umm, find a few billion to rewire the US with 3 terrabit Optic Fibre running to everyone's house, then @Home's TOS would be quite redundant.

WRONG!

@Home frequently runs portscans on their domains to "Make sure their client's aren't running any services they where not aware of." If the scanner finds one it will auto-mail you. This is more political then anything. All my services run above port 40000 and you have to connect to a triger port 500 ms before (which is in the low 1000's) and that fundamentally kills @Home's portscans (as well as the other million portscans I get and failed ftp login attemps with user/pass:warez). If they do find a way to block you, try setting up an SSH tunnel to that port. Use the Linux VPN howto as a template on how to pull this off. Not rocket science.

Are you confusing VPN's and ip masquerading?

I thought a VPN was a simulated private network across the internet, which I supposed you could use to connect two of your computers, but only if they were physically far apart, using a VPN to connect two computers in the same room sounds insane.

Perhaps you meant to mention the previous clause in the contract, where they prohibit you from being an endpoint for a lan, which is what you need to do if your sharing an internet connection with IP masquerading.

Looks to be Comcast, not @home doing this

I was interested in hearing about this since I use AT&T/@Home. It appears that this is only the Comcast user agreement and not the @Home agreement.
Remember, Comcast (and AT&T) use @Home services and can set their own user agreements seperate from @Home.
Looks like Comcast sucks, but not all @Home providers are quite this bad.

VPN is a strange thing to forbid

VPN usually means creating an encrypted IP in IP tunnel, for example between home and office, to allow secure connections. So, we have a difference of interpretation here that hard to understand. cwilson assumes it means creating a home network, probably with ipmasquerading. But I've never seen "VPN" used in that context. On the other hand, what does it mean for @home to forbid encrypted tunnels. Do they mean you can't encrypt? What about SSL? Do they mean you can't create a site that allows others to VPN in from the internet? Mysterious.

Re:Question...

No it doesn't. But that part wis also forbidden by the Subscriber Agreement (it says ...OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK).

So the agreement essentially says: you may not put a LAN or a WAN at the end of your line and you may not join another LAN or WAN via an encrypted channel. Kind of interesting...

Download Porn Faster! (TM)

Not every area has both @Home and @Work. My area (Boulder, Colo) just got a few weeks ago, and we only have @Home with "casual, residential use" guarantees. Reading between the line: I can't complain if I can't telecommute because the system is down for hours while they continue rebuilding the system.

As for the telecommuting issue - I read my @Home AUP, and I actually kicked out the US Worst DSL for non-preformance, and I understand that both organizations strongly downplay the telecommuting aspect because they don't want to catch the flak when people can't work. Worse, a particularly clueless drone once suggested that I "just go into the office" those days when the connection is flaky, not comprehending that as an independent consultant my home *is* my office on some projects.

The fastest way to change this attitude, in my experience, is to ask them if they think the sole reason people order this service is so they can download porn faster. (Esp. since the TV ads always show someone downloading images on a web browser, not downloading source tarballs.) This always seems to force them to reevaluate what's left after they make life unbearable for independent workers and telecommuters.

Bye Bye HEAT.net and MPlayer.com

Couldn't it be construed that packet encapsulation all together is a VPN and HEAT and MPlayer will be fuct? If that is allowed then can they stop IPv6? And... drum roll please... IPv6 features encryption, even user defined encryption. So in thoery you could do IPv6 under the same principals that HEAT and MPlayer are allowed.

I've written (email) the following letter to @home to see if they have a clue:
------------------------------------
I am a current @Home subscriber. The future of you providing my service
rests on the following questions:

Pertaining to section 6 d:
'OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL'

I wish to clarify that you do indeed mean VPN and not NAT.

Question 1a) Do you really mean VPN?
1b) How does @home define a VPN?

A VPN may be implemented over HTTP or other already allowed protocols.

Question 1c) Does this also deny such a VPN?

Question 2) Do you really mean NAT?

While a NAT (Network Address Translation) computer would cut into the $6.95 it costs for additional IP address, it us unclear why you would ban use of a Virtual Private Network (VPN), because it would not cut into profits. These two items are not related, but may be used in conjunction (but usually are not.) A VPN provides secure networking between computers over the Internet.

Question 3) Why would @home ban VPN? Note: 'Because' is not sufficient. Please explain in detail why this restriction was chosen to
be amended to the agreement. Please include any examples or relevant material.

Section 9 A: You cover eavesdropping and how it is a risk. A VPN is the solution to such risk.

Question 4) Do you still wish to ban VPN?

My friends an I (All @home subscribers (for now)) wish to run a VPN. Provided that the VPN is in accordance with US and local authorities:

Question 5a) Is this permitted by @home?
5b) If so, are there any restrictions? 5c) what are those restrictions?

Question 6) What measures will @home take to prevent/and/or detect VPNs?

Question 7) If a VPN is discovered, through legal means, what measures
will @home take?

Question 8a) Is packet encapsulation considered VPN? If so it will dis-allow services like heat.net and mplayer.com to not function, since
these services encapsulate IPX over IP. What about for IPv6? Also, AOL ould be affected.

Question 8b) Are you aware of these ramifications?

Please note that an answer such as 'whatever is deemed necessary' is vague. Please elaborate as much as possible. Answers will be taken with consideration as to the notion of 'progress' and 'advancement' of the service. Also please place the answer to each question below that
question. Please answer each question. If answer is 'unknown', then please state 'unknown' and refer me to the appropriate person inside @home who would know.

Thank You for your time,
A current subscriber.

Read the entire agreement!!!

ROBLIMO!!! Please read the links of the articles before posting them.

resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or ununbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or

Note: I had to use Lotus Wordpro to switch this to lower case, because /.'s unintelligent bastardized lameness filter stopped me. *smile*

All it is saying, is that you cannot resell @HOME services. What is wrong with that? I think it's perfectly fine. If you want to use it commercially, you pay for such access.

But seriously. Can Slashdot posters PLEASE read links, it might reduce the amount of FUD which gets passed through.

Trick them - use something other than PPTP

I think it's pretty safe to assume that if they're going to stop people from establishing vpn's to work, that they'll be looking for the most common ones. In a word, they'll be looking for Microsoft PPTP connections.

Just trick them? Use one of the other less well known vpn solutions, like VPND [sunsite.auc.dk]. I've been using vpnd for well over a year now, and it works wonderfully. Just pick a non-standard port, and they'll never even know to look for it.

Re:Yes, poster was confused

They can't possibly detect ip-masq.

Unless you patch your kernel, Linux uses ports 61000 and up as the source port for masqueraded connections. A lot of traffic originating from that port range makes it at least suspicious that masquerading is used, but indeed they can never be 100% certain.

--

ADSL is better

I have ADSL service from Speakeasy.net [speakeasy.net] and they are incredibly flexible. They allow whole networks on residential circuits and i run a mail/web/ftp server on mine.

Thus, I come to the conclusion that DSL is a better deal, provided you can find a good ISP (I strongly recommend speakeasy, they even fully support linux).

I really wouldn't worry..

Personally, I'd just ignore this little change, like many people ignore the "don't run servers" rule. Why? @Home doesn't care.

How do I know this? Well, I was at a conference in DC last spring called Spam Summit. Basically, everyone involved with blocking spam, or opt-in (real opt-in, like MyPoints) advertising systems got together and talked about the technology. @Home did a big presentation on anti-spam things which happened to include some talking about their policies on people running servers.

The fact of the matter is that @Home just doesn't enforce the policy. The exec from @Home giving the presentation said very clearly that they don't routinely check for servers (excepting NNTP proxies, since they had that little problem with the UDP this past winter), and they really don't care if people run them as long as they are not causing problems. He defined problems as taking up too much bandwidth, or causing a security problem for @Home itself.

So I really don't think this is a cause for concern. I doubt they're gonna bother checking for these things (they'd have to sniff the network constantly... VPNs operate on arbitrary ports, and it's not like they can check for a server, since @Home users are gonna be VPN clients (for the most part).

-Todd

---

Yes, poster was confused

The original poster was indeed confused.

The reasons for restricting VPN traffic and restricting ip-masq are completely different.

ip-masq: They would restrict this if they wanted to sell you more IP numbers.

VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.

So don't even sweat it, just ignore this policy.

VPN != NAT

You people are confusing VPN's with NAT!

Using, say, masquerading for many machines inside your home or buisness to seem to be coming from the one IP your ISP gives you is NAT (network address translation[I prefer masquerading, it is more descriptive, more obvious to the novice])

VPN, or (virtual private networking), is when you tunnel IP over something else, so it's sort of like you have a PPP link [across the net] to some other host... and it is usually encrypted so that you can have the effect of a WAN or a dedicated private leased line, but using the public internet infrastructure instead. [Except for cpu lost in crypt [Still much cheaper ;) ]

--sanemind

man signature

All Tunnels aren't IPSec

IPSeq (service 50) are not the only way to establish a VPN. For instance, you can use IP inside IP (Using either the kernel-based 'ipip.o' module, or a user-space ipip driver), or do as I do, create a PPP tunnel inside an SSH connection.

Here is how:

• From your machine inside a firewalled LAN (e.g. work), use the following `pppd' options file (under Debian, create it in /etc/ppp/peers, e.g. /etc/ppp/peers/my-home):
  
  # This link is over a SSH network connection
  pty "ssh -t -enone -C yourhost.home.net /usr/sbin/pppd noauth ipparam 172.16.0.0/16"
  
  # IP Addresses to use for this link
  192.168.0.1:192.168.0.2
  
  # Let the remote host start the conversation
  silent
  
  # We trust each other
  noauth
  
  # Keep modem up even if connection fails
  persist
  
  Here, replace 172.16.0.0/16 with your company network. This will be used as argument for the PPP 'if-up' script on your home computer.

• Make sure the root user on your work machine can SSH to your home machine (as root) without being prompted for password. If neccessary, run 'ssh-keygen', and copy the '/root/.ssh/identity.pub' file from work to '/root/.ssh/authorized_keys' at home.

• At home, create an if-up script, as follows:

  • Under Debian, create /etc/ppp/ip-up.d/vpn
  • Under RedHat, create or add to /etc/ppp/ip-up.local
  
  The script should contain:
  
  #!/bin/bash
  ################################################## ######################
  ### FILE: /etc/ppp/ip-up.d/vpn
  ### PURPOSE: Add routes after bringing up PPP link
  ################################################## ######################
  
  ### The following two lines are only needed with RedHat;
  ### Debian supplies these from the master ip-up script.
  ### $6 contains remote network/netmask (e.g. 172.16.0.0/16)
  [ "$PPP_IFACE" ] || PPP_IFACE=$1
  [ "$PPP_IPPARAM" ] || PPP_IPPARAM=$6
  
  
  ### Configure the route
  if [ "$PPP_IPPARAM" ]
  then
  /sbin/route add -net $PPP_IPPARAM dev $PPP_IFACE metric 1
  /sbin/ipchains -I input -j ACCEPT -i $PPP_IFACE
  /sbin/ipchains -I forward -j MASQ -s 192.168.1.0/24 -i $PPP_IFACE
  /sbin/ipchains -I output -j ACCEPT -i $PPP_IFACE
  fi
  

• Edit root's crontab on your work machine (crontab -e), to start this PPP link. Under Debian, it will look as follows:
  
  */20 * * * * netstat -rn | grep -qs ^192.168.0.2 || pon my-home
  
  (replace 'my-home' with the name of the PPP options file in /etc/ppp/peers).

Using this, you now have a PPP over SSH tunnel to/from your home. If it breaks, it is immediately brought back up (hence "persist" above); and if too many retries have passes and PPP gives up, a new connection is retried every 20 minutes (or whatever you set the crontab line to).

Undetectable. :-)

Hodwash..

Apperently their lawyers should take some classes on basic WAN networking. You see, the issue here is, according to ComCast:

OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;

So basically, you *CANNOT* surf the net. The Net, after all, is basically a WAN connecting many LANs together, and hence, while using the net, you are breaking the service agreement. Personally, I'd sue them like no tommorow, becouse they are placing a stipulation in the agreement that disallows the service to be used for what you're actually paying it to do..

Make your own

You don't need to shell out for a router! Make your own!

I'm in the Kingston area, on COGEGO@Home, living in a student house. We have six computers sharing a cablemodem connection using a linux box running the Linux Router Project [linuxrouter.org]. Very nice. It has no HD, no fan, and does its job quietly and well. A hub and two shitty network cards were all we had to buy.

The cable guys who installed the modem were very understanding about it too... I pretended that my computer was the only one being connected, but strangely enough they ended up leaving behind enough free coax cable so that we could run it into the closet... :)

Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.

And, @Home sucks. Is ADSL any better?

Stealing addresses is technically bad.

OK, so you've been lucky so far recycling a DHCP address you got once as if it were a static address. That's because most of the machines in your DHCP domain keep renewing the same addresses. But as long as you don't have your machine configured for DHCP, it won't go periodically renewing the lease, so there's a risk that the next time there's a new customer on your block or an existing customer add a new machine, the DHCP server may give the address you're squatting to them. Then there will be a "two machines trying to use the same IP address" conflict, and if they've got any competence at debugging, they will hunt you down like a dog. Be a good neighbor and go back to using IPmasq or equivalent.

Bandwidth and transfer limit checking - some cable systems are equipped for it, some aren't, some have rate-limiting hardware, some don't. To a certain extent, the obnoxious acceptable use policies against anything resembling a server are to make up for the lack of bandwidth-limiter equipment and accounting systems - otherwise they'd be happy to bill you for it, just like the other part of the cable system is happy to bill you for pay-per-view. Gradually they'll get newer equipment deployed, especially as they roll out DOCSIS, but it'll take a while to get obnoxious policies changed.

Here's a hypothetical situation...

@Home is prohibiting VPN's, and obviously wants to relegate you setting one up as a business thing, as an @Work option. IE - they want you to pay more...

How long do they think this can last? I can imagine a normal family, in the very near future, who want to share all the resources of their family network, via VPN connections. Maybe mom and dad have @Home, the son is in college, lives off-campus and has @Home, the daughter and new husband lives across town and has @Home, and maybe the family (the mom and dad) also own a cabin by the lake, and they get @Home there as well.

They want to share their files, so they each set up a fileserver, at each node: at mom and dad's, the son in his apartment, as well as the daughter (and husband). After setting these fileservers up, they probably want to access (and share) files anywhere in the network - their personal, home-use only files, nothing business related. They each are paying for their IP's. The only way to let them do what they want, securely, is via VPN connections, right? What if mom wants to print a recipie for her daughter? She could email it, or print it through the VPN connected printer at her daughter's house. Or maybe they want to set up a VPN'd family recipe book (of course, accessed via a mod'ed iOpenner in the kitchen)? Or maybe they want to setup a private family email "ring", or "list" (wedding announcements, family get-togethers, etc)? Here's an angle: What about those MP3s (of CD's they own, of course) stored on the home server, that the family wants to stream to the cabin, while on vacation (this is fair use, right - or at least, domain shifting)?

@Home doesn't get it - they really don't get broadband, and the possibilities it opens for the sharing of data amongst people (or maybe they do, and are running scared, perhaps?). This hypothetical VPN use I've outlined doesn't warrant an @Work setup - it is a private VPN.

If it isn't happenning already, it will - private VPN's will be the next "thing" in private home networking - and @Home is shooting themselves in the foot for disallowing this...

I wish @Home would just give us the pipe, and let US decide what to do with it!

I support the EFF [eff.org] - do you?