Forgot your password?
typodupeerror
The Almighty Buck

@Home Stops Allowing VPNs 517

Posted by Roblimo
from the support-cable-access-for-all-ISPs! dept.
cwilson writes: "I just got a message from my cable modem provider, Comcast@Home (a member of the Excite@Home network) that the terms of service were being changed. The interesting bit: Section 6. Prohibited Uses of the Service. This section specifies that use of the Service in conjunction with a VPN (Virtual Private Network) or a VPN Tunneling Protocol is a prohibited use of the Service. See for yourself here in section 6." Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah! Update: 08/14 14:16 by michael : Yes, Robin confused NAT and VPN. TLA's are a PIA.
This discussion has been archived. No new comments can be posted.

@Home Stops Allowing VPNs

Comments Filter:
  • @Home simply takes a certain set of services and says 'off limits' to non-business clients so they have something to sell to business clients.

    I understand what you are saying - but the fact is that people are going to want to do VPN someday at home. One could argue at one time that no one would ever set up a home network, that was just a business thing - but people are now doing it.

    I tend to wonder if many of these things are just business imposing artificial scarcity on a "resource". In other words, would home networking have happened faster if the cards were cheap(er) to begin with? Maybe, maybe not (of course, the counter argument would be that the computers weren't cheap enough to have multiple machines at home).

    So now are we left with a business telling us that we can't do VPN, because it is a business thing only - when I have already outlined several personal uses of such technology for home use?

    Like I said before, just give us the pipe, and leave us alone (home, business, who cares).

    I support the EFF [eff.org] - do you?
  • Yeah, they could - or they could (in a Windows case), just turn on sharing, etc - and drag and drop.

    However, none of these things is secure. Nor will an FTP server allow for easy access to that MP3 collection at the cabin.

    A well set up VPN would be much more secure, and more flexible - because it would simply be an encrypted tunnel between two seperate private networks. I am sure right now people are doing exactly as you suggest, setting up multiple FTP servers and sharing files with family - and I am sure people are doing the Windows sharing thing as well (at least within a particular subnet - maybe with their neighbor or something). However, these people will be in for a rude "suprise" when someone "comes in" and takes a bunch of stuff not meant for them, or places something nasty on the machines, or for that matter, reformats the drive, etc (I am assuming Windows boxes).

    Of course, if people are doing this, one could argue about how could we expect them to properly set up a VPN, when they don't even try to firewall their boxes - a good question indeed...

    I support the EFF [eff.org] - do you?
  • If they are charging at the "break even point", why don't they allow @Home users the ability to get some of the services from @Work - in other words, instead of having a two-tier approach, with two radically different pricing levels (I know - I looked into getting @Work for my home), why don't they have more of an "a la carte" setup, where one could pick and choose bandwidth and services based on what they want or need, with the option to add or subtract bandwidth and services whenever they wish (or every 3 months, or whatever).

    Give us more tiers, and charge accordingly! That way consumers get what they want, and businesses can get theirs. DSL works this way, telephone works this way - why can't cable (and don't get me started on cable TV - I hate sports channels, but I am forced to get them, even though I don't watch them, at all - why?)...

    I support the EFF [eff.org] - do you?
  • which operated under tight access regulations as defined in your state tarrifs for telephone service. Go to your local department of public utilities and look up phone company tarrifs, you'll see that they BY LAW cannot regulate what you do with your telephone (and by extension, your DSL connection) after the demark point in your house. Cable companies are NOT subject to these regulations.
  • does using microsoft internet connection sharing qualify as a vpn...because i'm planning on switching on over to att@home because i just can't stand the shoddy adsl service ameritech provides in my area.
  • Two things to do that will apply the hurt to a cable company that tries this.

    1) It's anti-telecommuting, so write a nice letter to your county gov't official that is most sensitive to growth and road paving issues. Might be your district official, might be a transportation committee chair. Let them know that your cable company (granted it's monopoly by the county) opposes telecommuting by its AUP.

    2) It's abuse of monopoly, so write another nice letter to your county official that periodically reviews the cable company's franchise. Every few years, 3-7 or so, depending on where you live, the franchise has to be renewed. Most counties have staff to forward complaints from county residents to the cable company, and track the cable company's performance on fixing them. Use this channel, it's powerful!
  • Sure you can. But who else (except a few Linux users) cares?

    @Home customers who use any of the dozens of other operating systems capable of performing this feat.

    Or did you think SSH and PPP were Linux things?

    --
  • You can run a server on Bell's HSE. The only thing is they don't offer support for it.

    43. If I have a domain name, is it possible to get the IP address associated with that name?
    The Bell Sympatico High Speed Edition service does not allow for the hosting of domain names other than the sympatico.ca domain.

    That was from their FAQ. [sympatico.ca] I suspect their problem with users hosting their own domains is the following:

    41. Can I have a static IP address with the Bell Sympatico High Speed Edition service?
    The Bell Sympatico High Speed Edition service uses dynamic IP address allocation only. In the Internet environment where demand is growing at a fast pace, dynamic IP addressing allows for optimum usage of IP addresses.

    Funny. dsl.ca [www.dsl.ca] lets me rent a static IP for an extra $5/mo.

    Now, Bell's service agreement has softened up about servers, because when I did initially look into HSE as an alternative to @Home, they did specifically indicate that you were not allowed to use servers at all. Currently, this is the situation:

    Without limiting the foregoing, you agree not to use the Service or any equipment provided in connection with the Service, for operation of an Internet Service Provider's business nor for any other non-residential purpose.

    Their Agreement [sympatico.ca].

    That's a lot better than it was when I looked, but one could argue that webserving at home is a non-residential use. (The same way that I like working on cars, but actually working on them at your residence is actually technically illegal in Toronto's zoning laws.) dsl.ca specifically covers "home office" options, perhaps allowing the use of their high speed connection for tasks associated with their small business or self-employment, without having to pay for expensive business-grade DSL.

    Again, dsl.ca isn't perfect. But they're a lot more geek-friendly than the other two (three, if you count look.ca's unidirectional service) broadband options.

  • This would make perfect sense if their market research didn't (probably) show that users pick companies with simple options and a single price point.

    That's why all those phone companies market on 'shows up on your normal bill'. You and I aren't 'normal' people to market researchers, so our opinions aren't valid. Remember, this is a market-based society, not a democratic one.

    :-)
  • If you want the pipe, and to be left alone, call up your local fibre supplier and pay the $500/mo for it. They won't care what you do with it. Ditto for ISDN or several other 'mainstream' subscriber systems. Sure, cable is excessively fast, but the only reason you're getting it at the price point its at is because they limit your use of it (especially upstream).

    Note: I E-mailed @Home at one point and pointed out that I ran Linux and had SSHD2 running on my machine to transfer files from home to work and to access my home Email while at work. They told me that was fine, and put a flag on my account.

    If you have a problem with a company's policies, ask them about it politely, don't make a big case out of it.
  • While its true that a home network is not a VPN, it is a LAN. In the agreement linked to the article, I don't see anything prohibiting connecting a home LAN to the service.

    According to section 6 of the Comcast Online Subscriber Agreement,

    CUSTOMER AGREES NOT TO USE THE SERVICE ... AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK...

    I would be inclined to consider your home LAN would be a non-Comcast LAN.
  • I can't see how they would know you're doing maquerading.

    I plan on using a VPN, however, to provide a small number of real, routable addresses to my home machines while using the single random DHCP address I get from the cable modem providers.

    -M

    ---- ----
  • I have to say that I was totally confused for a moment as to why diallowing VPNs would affect your ability to setup more than one computer on the Net. If anyone is interested, Wingate [deerfield.com] is pretty good proxy software for MS Windows, and Tucows [tucows.com] has a nuber of other. *nix of course has internal support for this knid of stuff.

  • I suspect that @Home will now start monitoring connections for encryption (think SSL and TLS), then look at traffic patterns to determine whether it's a secure Web browser or "something else". That means that you might be shut off for using SSL-encapsulated FTP or SSL-encapsulated SMTP (for secure mail transfer). Indeed, I can see where people regularly using PGP encryption on mail content may get a little note from the company.

    Hmmm...there is very little difference between a VPN and SSL encrypted services. Could it be that we are seeing something caused by the FBI demands to snoop on mail? A VPN is one way to block Carnivore and ISP monitoring from capturing e-mail traffic. Another way is to use STARTTLS-enabled mail clients to talk directly to STARTTLS-enabled mail transfer agents.

    Perhaps it isn't just a bid for money...but then again, I admit I'm paranoid.

  • by mikpos (2397) on Monday August 14, 2000 @07:45AM (#856765) Homepage
    The part about "reselling" is completely orthogonal to the part of VPNs. Here what you want:

    without limiting the generality of the foregoing, the service is for personal and non-commercial use only and [the] customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol;

    That said, it's probably wise to just ignore the policy. I would suspect fully 100% of @home subscribers are breaking at least two of the rules mentioned there; if they're not, they're wasting their money. It seems that @home (at least in my part of the world) only gets annoyed when you start using up obscene amounts of bandwidth (e.g. around 1GB/day regularly/constantly).

  • by nellardo (68657) on Monday August 14, 2000 @07:46AM (#856766) Homepage Journal
    The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections.
    Even this doesn't make much sense to me. If they start sniffing everything, they open themselves up to huge liability problems (of course, they can and do hire lots of lawyers to deal with this). It's the difference between being a common carrier like a telco (who is not responsible for what is said over their wires) and a newspaper (who is responsible for everything said in their pages). Slashdot skims this line - Slashdot is liable for the stories, but not for the comments (since they never get deleted or edited, Slashdot can reasonably claim common carrier status) (ObDisclaimer - I ain't no steeekin' Lawyer)
    The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth....
    No, I think they have higher rates for @Work. If you can't put a LAN on @Home, you can't really use it in a business environment. So you're forced to use the more expensive commercial service, rather than the residential one. In some sense, this is a very crude way of doing usage-based metering (about as much as minimum age requirements "guarantee" responsibility in drinking, smoking, voting, or driving). IMNSHO, these kinds of policies are going to eventually change as home networks become more and more prevalent. No one will sit still for paying more for a cable modem connection just because their "set-top box" happens to be made by Sony and thus has a 1394 connection that happens to be capable of running TCP/IP. I mean, really. That would be like charging someone different phone rates based on having a y-jack for their phone.

  • The masqueradiong/NAT prohibiting clauses are mostly intended to ensure that the service provider can't be liable for running your network. If you do something in trying to set up a IPMasq/NAT LAN behind the cable modem, and find out that you can't get it to work, they don't want to be in the position to have to support your setup. To do so would be unreasonable. This way, when you set up masq/NAT and can't get it to work, crying to @Home will only get you a big "See? It's prohibited by the TOS."

    I'm sure there is also a motivation to try and get people to pay for extra IPs, but I suspect that support issues are the main motivation.
  • by mxs (42717) on Monday August 14, 2000 @07:49AM (#856775)
    He probably is ...

    But apart from this, how does Comcast think to actually enforce this ? I mean, come on, everybody with some knowledge of ipchains, squid, and maybe a generic ip proxy will be able to masquerade that he/shes masquerading his/her traffic. Out of the box masquerading is easily detectable (who seriously uses ports upwards of 60000 ?), but with some precaution you can make it seem to be one computer, running MSIE if you want.

    Oh, and how the heck would they tell a VPN protocol from http, provided one uses a sufficiently encrypted connection (ssh will do, so will any ssl-based app). Everybody who runs VPNs without encryption should be shot on the spot anyway. Or take out the P from VPN.

    Can you believe the "Deutsche Telekom" (the phone company in Germany holding the monopoly to local lines and thus flatrates) actually prohibits this exact same behavior on even analog connections ? As if that would make any difference at all (they dont sell you IPs, theyre dynamic anyway), but what do you expect from monopolies.
  • by rc-flyer (20492) on Monday August 14, 2000 @07:51AM (#856784)
    I sent them a question asking for clarification about the VPN paragraph. This is their reply:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

  • by Dor (93468) on Monday August 14, 2000 @08:13AM (#856785)
    I use Cox@Home and they also have this provision.

    From the Cox@Home User Agreement:

    8. Prohibited Uses of the Service; Indemnity.
    Customer shall not use the Equipment or the Service directly or indirectly to:

    m. use a VPN (virtual private network) or VPN tunneling protocol;

    Here's [cox.com] the link to it.

    However; I looked at the @Home Acceptable Use Policy [home.com] and they didn't have anything specific about VPNs.

    I've liked my service so far, but if they try and enforce this, I'll have to switch to DSL (Man I HATE Southwestern Bell) because I have to be able to VPN into work. I really think they are shooting themselves in the foot with this, although it may end up being something they never enforce. I'm not going to start worrying about it untill they do. And if/when they do enforce it, then that will be $40/mo less revenue for them from me.
  • I think they have a bandwidth problem, and don't want people using it for business. Here is a clarification I received from them:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

  • by trims (10010) on Monday August 14, 2000 @07:54AM (#856796) Homepage

    ...it probably should be passed in front of a tech-savvy legal expert.

    There are two possible interpretations of Section 6(b)(vii):

    1. (restrictive version): you are forbidden from running a VPN between your @home computer and a business (actually, between any computers) for any reason whatsoever. Period.
    2. (more open version): you cannot run a VPN between your @home computer and a business IF you intend to operate business-related services on the @home side of the VPN. Using a VPN if you are only doing client-side stuff on the @Home side is fine.

    Comcast needs to clarify this quickly. If they are banning VPNs of any kind, well, that kills their telecommuter business immediately, which I can't see them doing (telecommuters are good for the service - they use the network at an otherwise low-use period and are not any more of a strain on the network than an ordinary user). I suspect that the intent was to prevent businesses from using @home as a channel to set up remote office VPNs and/or to prevent people from setting up clandestine Internet servers (i.e. ones that don't serve out from the @home IP, but do on another IP, and are undetectible by @home).

    I'd call Comcast and make this point. I suspect that they aren't going after the telecommuter, but instead have a badly-worded AUP addition, and should change that.

    -Erik

  • Here's the real question: What are businesses going to say if their @Home-connected employees can't VPN to work anymore?


    They'll pay twice as much for @Work.

    --
  • Most VPN software packages aren't running over TCP/IP. From what I've seen, everything from Cisco-Cisco router tunnelling all the way to MS VPN software uses IP Protocol 47. (GRE/IP [roxen.com]) In the case of MS's they also use a TCP/IP port (17xx something) to provide authentication.

    Disallowing most VPNs would be as simple as blocking IP protocol 47 at their gateway router. Trivial. "gre deny any any" in Cisco's IOS parlance.

    As a reminder (and not really related to the post I'm replying to), VPN != Masquerading, although many sites could "detect" masqueraded traffic simply by watching for a higher-than-normal use of ports over 60,000. Most network providers - even companies and schools - have network monitoring hardware. I've learned how to configure Netscout [netscout.com] probes and software to show me information very similar to this.

    IPsec is also used, but I'm not as familiar with the details of that.

    -Jeff
  • by cwilson (45570) on Monday August 14, 2000 @08:18AM (#856809)
    I never assumed that "it means creating a home network". I know the difference between NAT and VPN. Roblimo deleted my commentary on the news and added his own, and forgot to put closing quotation marks to end my part of the story. Roblimo said,
    Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah!
    So, blame Roblimo, NOT me, for the ensuing confusion in almost EVERY BLASTED message in this thread, where people are mixing up NAT and VPN. My original commentary was something along the lines of
    What possible reason could Comcast have for dissallowing this service? Are they just trying to insist on being able to snoop on my traffic, and don't want any encryption? What's next -- no outgoing ssh client connections to external ssh servers?
    GASP: Could ssh itself be considered a VPN Tunneling Protocol?
    That's not a completely accurate quotation of my original comments; I can't seem to access my story as originally posted, but Roblimo probably can. Anyway, that's about what I was thinking when I wrote it. FWIW, here is the email I sent to my provider last night:

    While most of the revisions specified seem reasonable, I would like to know your rationale for the apparently arbitrary decision to disallow the use of VPN Tunneling Protocol. While I do not currently use a VPN, I have always considered the *possibility* of hooking up to my company's VPN one of the main benefits of a fast, always-on connection.

    WHY are you disallowing this use of the service for which I am paying? Is it because you don't like it when your customers encrypt their packets? For the life of me, I can't imagine what possible detriment VPN could have on your infrastructure or other users.

  • by rc-flyer (20492) on Monday August 14, 2000 @07:57AM (#856810)
    Yes, you are. Here is a clarification I received from them about this:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

  • VPNs that use IPsec (instead of a proprietary protocol) use not TCP/UDP packet types, thus blaring to the world that they are VPN. However, if you run PPPd over SSH (or SSL) on port 443 (HTTPS), they probably won't know the difference, especially since several client-server applications hijack port 443 to make long term connections through corporate firewalls (almost all of which support the CONNECT method on port 443 to open a completely transparent connection)
  • The reasons for restricting VPN traffic and restricting ip-masq are completely different.

    ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

    They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.
    You're absolutely right that the reason for this is to charge extra for "business" uses of the connection. However, detecting IPSec is a snap. All the need do is enact a filter for protocol 50 in the IP header of any inbound or outbound packet and discard. Bye bye IPSec connection.

    This is a terrible precident because long term it prevents the use of ubiquitous point-point Transport Mode IPSec, which is the whole point behind the IPSec standard. Sure, it's neat to make tunnels to work, but in the long term the IPSec community wants to create a mechanism to secure ALL IP traffic. This blows that goal right out of the water.

    Also, are they going to start limiting SSH service to my employer? Can I telnet to my employer? Where do they draw the line between "personal use" and "business use"? If my cable modem provider pulls these tricks they'll lose a customer.

  • Can any Comcast customers tell me if they perform regular portscans for servers? If so what address do the scans come from?

    I'm getting hooked up this week (after waiting 2 months in vain for Bell Altantic to hook up my DSL) and fully intend to run ftp, http and email servers for personal use.
  • Personally I'd use IPMasq regardless of the # of IPs I get. Right now I'm on Telus's ADSL with one DHCP address which is masqing 4 (though with lan parties that jumps up considerabley) addresses inside.

    IMNSHO you should use masqing or at *least* a decent firewall on xDSL or cable modem simply because you really don't want your documents, pr0n or private mail being snooped by your neighbors or even the @HOME people.

    The only reason I'd use the multiple IPs is to set up a separate web/mail/whatever server on a DMZ for myself. Of course, you're not allowed to set up a webserver right? Well, a little ipchains magic to block the scanning address :)
  • You are absolutely correct. Here is a clarification I received from them about this:

    It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.

    The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.

    Thank you for choosing Comcast@Home!

  • I was paying for a 256Kbps link, and was seeing roughly 30Kbps throughput.

    I use 256Kbps ADSL from US Qwest in the same market, and I typically see 32KBps on the upstream side and between 32 and 60KBps on the downstream side. 32KBps is approximately 256Kbps. I haven't noticed problems with latency.

    One possible difference is that while I use US Qwest for the wire part of the service, I use a different ISP for the Internet part.

    I know of some other AT&T @Home subscribers in the area that aren't quite so happy either. One guy in particular was complaining that at certain times of the day he was getting bandwidth about like a 14.4 modem. He probably has some warez kiddies in his neighborhood or something.

  • T1s are hideously overpriced in most areas. Modern technology has made them much cheaper to provision but the rates have not dropped to reflect the lower costs. We will never have cheap bandwidth while the telephone companies control the market for high speed data lines.
  • Its also a traffic issue. Cable modem lines are shared between houses on the same street, using a CSMA/CD system like ethernet. I you're running slashdot on your cable modem box, you're reducing the quality of service for your neighbours.

    I'm not sure whether similar constraints apply to ADSL.
  • Snooping the outgoing packets isn't the issue here. Most people, including most "professional" installers for cable modems or xDSL, throw a nic into the computer, set up TCP/IP and viola, you're on the net. Trouble is, the net is also onto you. I've seen @Home installations where you could browse the hard drives of half your neighbors in Network Neighborhood. Even if you don't have loose shares just hanging out, cracking the typical home computer is trivial. A firewall and/or IP masquerading makes things a bit more difficult. If they're set up properly, it should make things difficult enough that the average script kiddie will go find easier prey.
  • I see that others (including Roblimo himself) are parsing the exact meaning of the Service Agreement. Rather than get into that, I'd like to recommend that, if the goal is just to share the cable modem (oops, I mean "Comcast Equipment"), you ought to just buy an inexpensive Linksys router and hook it between the Comcast Equipment and other computers (perhaps using a 10/100 hub to hook the machines themselves together, since I don't think the Linksys router provides 100 MBps Ethernet). They'll be unable to tell, short of physical inspection, how many machines you have on the line. Nor should it be any of their business anyway, IMO, no matter what their Service Agreement document says. You also get the additional benefit of a hardware firewall between you and the hordes who seem to be constantly trying to find an open port on my @Home machine.
  • by Mullen (14656) on Monday August 14, 2000 @08:02AM (#856849)
    Here here!
    Although I do have broadband (Cox@home), I do remember not having access to broadband, and it sucked. People whine about @home, RoadRunner, or DSL, but try a 56K modem then go back to broadband and they won't complain anymore.

    I am one @home customer that is greatful to be able to download at 100K/sec+ and have 40ms Quake3 ping times.

  • And, @Home sucks. Is ADSL any better?
    Since I can *only* get ADSL in my hood in Toronto, I'll give you my perspective:
    downloads are fine, speed is consistent, uploads are slow (which isn't that big a deal to me), and more importantly to me: the USENET servers have been upgraded a couple of times in the past year, so News if really great. From what I've heard, the @Home News servers really bite and @Home couldn't care less.
    Downside: the PPPoE servers occasionally go down,so you can't get a connection. Sometimes, my speed drops from 70K/s to 30K/s for a few hours.

    Personally, I'm happy with the service because it's way better than a modem. I don't expect 100% on time, full-speed connections because I know better: judging by the amount of bitching I hear about all the different broadband options, it appears that most people have forgotten that nothing is 100% perfect EVER, especially when it comes to computers!

    Pope

    Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
  • LOL

    Sad thing is that AOHell is/will be a cable ISP monopoly after the acquisition of Time Warner - If you can't beat 'em, buy 'em out, I guess. I'm just waiting for my RR speeds to go down the toilet.

    At that point I'll try to find a decent DSL provider. Anyone have good luck with one? Concentric seems to be running a $50/month DSL bit with no equipment or setup charges - which sounds REALLY good, but I'd like to hear from someone who has it first, before I ditch my cable connection.
  • I subscribe to ATT@Home, and it's not bad. The speed could be more consistant, but I haven't experienced any downtime so far and overall I'm happy. After looking at the Comcast@Home Subscriber Agreement, I certainly hope that AT&T doesn't start making policy changes using Comcast as a model.

    AT&T's policy [att.com] is that you cannot run any servers, i.e. FTP, Telnet, News, etc. including VPN servers. They could care less whether or not I connect to work or elsewhere through VPN. The Terms of Service also say nothing about hosting a personal web site. It goes along with the upstream bandwidth limits, they want you to subscribe to their business services (which just happen to be significantly more expensive).

    As far as sharing the internet connection goes (this is what I was told by the installation guy), the policy "we don't support home networks" really means "we're not going to set one up for you." I personally use a 2000 server configured as an internet router to share my connection. But he said he'd seen quite a few people with linux boxes or hardware routers. The companies just want you to buy more IP addresses from them (at $4-5 a month per IP address, it adds up).
  • VPN has nothing to do with NAT & local networks. They are not saying 'you must get additional IPs from us', they don't care. the IPs are there if you want; firewall off your own privat network if you want.

    What they are trying to prevent is people using @home to VPN in to their office networks, and this should REALLY DISTURB PEOPLE.

    It should *NOT* be @HOME's place to tell us what kind of traffic is acceptable, other than network abuse itself. If they want to up bandwidth fees, that's fine.

    Hmm. I wonder why @home is so insistant on forcing people to web surf and email only... could it be they are tracking statistics?
  • 1) VPN != Private network. These changes have nothing whatsoever to do with 'multiple IP addresses' or 'running a private firewalled network' at home. They don't care one iota about this. A VPN is when a secure tunneling protocol is used to create virtual network connections to remote private networks, ie: your office network.

    2) This is not an @home change, only a comcast@home change.. specific, it appears, to comcast, as it doesn't appear in any other cable provider's network. I believe individual providers are allowed to add their own restrictions if they wish.
  • That was exactly my reaction.

    I live in Ontario (Canada, not California!) working remotely for the Colorado office of a San Jose based company. I wouldn't be able to do this without a VPN.

    My DSL internet access from Sympatico (Bell) costs Cdn$40/month (including $10 modem rental). The equivalent business service (identical in all forms) from Bell itself costs about $80. Faster services start at $150 quickly rising to $450/month, but they are all business only. The only alternative is Rogers@Home (some alternative, eh?). Banning VPN would force me to switch to a corporate plan, which would mean paying through the nose :(
  • First, it sounds like the TOS for @Home are now (deliberately?) vague and open to a lot of interpretation.

    Second, whilst the "stated" aim is to prevent the customer from using @Home as a means to compete -with- @Home, the effect is to essentially make @Home largely pointless. There is no purpose in being connected 100% of the time, if you can't make -some- use of the unused bandwidth that you (after all) -ARE- paying for.

    IMHO, if they had said -commercial- web server, or -commercial- VPN, then @Home would have a point. It would also make some kind of "legal" sense, due to US zoning laws.

    On the other hand, blanket bans, where what is being banned is not clearly stated or described, sounds more like a means to sue anyone they happen to feel like, on some kind of ill-defined pretext.

    I thought King John had ended this kind of practice. Obviously not. Maybe we need another uprising, to remind people that "authority" is NOT about power but responsibility.

    OTOH, if some Grey Hats could, umm, find a few billion to rewire the US with 3 terrabit Optic Fibre running to everyone's house, then @Home's TOS would be quite redundant.

  • I suppose it's Verizon now, but when they started offering DSL service they would tie their service directly to your MAC address (they provided the modems etc...). After a few months, and the numerous crashes this authentication caused on their end, they stopped. However, the explanation they gave me for this when I called and asked was to try to stop me from using their service from more than one computer; I was told that I would have to purchase another DSL if I wanted to have another hookup in my house. While this was easy to work around, I was still surprised that they would try this.
  • Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.

    Yeah. Most of the people I know in Toronto and Ottawa who are on either Shaw@Home or Rogers@Home are very happy with their service. Friends in Niagara Falls NY on Adelphia's unidirectional cable system love that, too, even piped into their LAN. It's worth noting that one of those friends actually works as a sales rep for Bell Atlantic DSL.

    And, @Home sucks. Is ADSL any better?

    Okay. Well, I've never had cable internet service.

    My decision went as follows:

    • Price. Cable is $50/mo if you don't subscribe to cable TV.
    • Quality. Bell Canada's Sympatico HSE service is considered to be absolute junk, at $40/mo. (I use Bell long distance, so I don't have to pay the $10/mo grab.)
    • Server-Friendly? I wanted the option of a static IP, with an ISP that didn't care if I wanted to run a webserver in my home. Neither @Home or Symatico HSE offered that. And then, I lucked into something...
    • dsl.ca [www.dsl.ca] is a division of Velocet. They offer their DSL service only in Toronto at the moment. $34.95/mo + $5/mo modem rental (okay, no cheaper than Sympatico). But for an extra $5/mo, they'll rent a static IP. Installation went like a million bucks. PPPoE is the only downside, but even so, Roaring Penguin's PPPoE solution [roaringpenguin.com] is great.

      Many people complain about the stability of DSL connections. I have no concerns:

      2:37pm up 20 days, 14:21, 1 user, load average: 0.13, 0.03, 0.01
      55 processes: 54 sleeping, 1 running, 0 zombie, 0 stopped
      CPU states: 0.7% user, 1.3% system, 0.0% nice, 97.8% idle

      My PPPoE-based DSL connection is started up when my computer starts up. Most of that CPU load is actually top, then there's a bit from the PPPoE client. Even with all 5 computers on my home LAN streaming Real Video from the Big Brother website, the PPPoE client never gets about 2.5% or so CPU useage. (Pentium 133 with 32 megs RAM.)

      If you're in Toronto, look into dsl.ca if you want a cable/Sympatico alternative. I love these guys.

  • ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.


    I can't speak about comcast, but I've been using AT&T@Home (formerly TCI) for a couple years now, and have been running pretty much all of the "forbidden" services on my box. Granted, the daemons don't account for a great deal of traffic, but certainly enough to be detectable if they were looking.

    My gut feeling is that running these services is "forbidden" simply to relieve their tech support staff from having to answer questions, and from complaints like "my users are getting horrible download speeds from my ftp site." Other than that, they really have no reason to care what you run on your machines, especially with the upstream bandwidth caps they've recently put in place.

    As much hype as there has been about these restrictions, I don't think I've heard of even one case of somebody getting their service terminated for running an ftp or http server.
  • So we've established that a VPN isn't NAT. It isn't a home network. Its an encrypted connection often used by telecommuters. So why ban it?

    Quick. Lets get out our conspiracy hats. Its either money or power. Corporate greed or government subversion of our privacy. Which could it be?

    rc-flyer [slashdot.org] was nice enough to call up the Comcast folks and get clarification. Encryption for consumer use such as shopping and banking? OK. Telecommuters? No way.

    Aha. While it might be more exciting to strain for the sounds of black helicopters and carnivorous black boxes, greed wins out. A look at the @Work [home.net] site gushus:

    End-To-End Security
    @Work Remote eliminates the risks associated with sending critical information over the Internet by providing the privacy of a secured data network via encrypted "tunnels." In addition, our 5Gbps fiber-optic IP network is continuously monitored by the @Work Network Operations Center, and managed at the most secure level possible using a combination of cryptographic techniques, packet filters, passwords, and secure configurations. @Work provides subscriber PC security options for remote users, as well as gateway security for the corporate connection.
    It would seem that telecommuters are finding it easy to do their own "@Work" solution and aren't interested in the undoubtfully higher price tag of @Work over @Home service.
  • And, @Home sucks. Is ADSL any better?

    Running PPPoE on Sympatico HSE ADSL, I see pings to the most local Q3 demo servers in the range 30-50ms. Download speeds up to 102Kbytes/second, particularly to the Helixcode Akamai server, so I'm pretty happy with it. Performance under Linux is good and gets connected faster than on Windows when using the RP PPPoE client so I'm happy. Especially as the reason for getting the ADSL in the first place was VPN connectivity.

    Cheers,

    Toby Haynes

  • There is no 'standard' VPN protocol. All you would see is an encrypted datastream.
  • Claiming unlawful search and seizure might work, except for the clauses higher-up in the agreement, which gives Comcast the right to enter your home to check, change, or shut down the service. Like most ISPs, they've covered their asses, and probably wouldn't have to explain jack if they wanted to cut you off -- they'd just pull the plug at their end, and send you a letter a week later.

    ISPs can get away with outrageous bullshit if they like...most usage agreements, no matter how innocuous, contain a clause allowing them to modify the terms of service at any time, for any reason. Business users get a bit more slack, but they pay through the nose for it. Personally, I'm sick of it, but there's no public, open alternative to the ISP oligopolies.

  • ...to varying degrees. Some of the cable co's seem to take rather draconian measures in portscanning/enforcing their AUPs.

    Rogers@home isn't overly anal (at the moment anyhow) about this sort of thing although the one thing they will portscan and hunt you down for is an open newsfeed. This is in response to the whole usenet @home blackhole fiasco of some time ago. I've noticed that they don't even mind if you have an ftp server up so long as it's not anon access and you don't cause trouble (you would never get an @home rep to say this on record tho so take it for what it's worth).
  • gettings cable and cablemodem services up at school, + the equipment rental costs about half as much as my RENT for my APPARTMENT with ALL OF THE UTILITIES INCLUDED. This is OBSCENE.

  • >The most likely the reason why they are banning VPN's from @home is to sell their @work remote access service [LINK].

    I like the fact that they have a typo in their graphic on that page... 'Corporat' and 'Corporate' both appear... you think they could at least be consistent...

    --
  • by zTTTz (176815) on Monday August 14, 2000 @08:32AM (#856918)
    @Home frequently runs portscans on their domains to "Make sure their client's aren't running any services they where not aware of." If the scanner finds one it will auto-mail you. This is more political then anything. All my services run above port 40000 and you have to connect to a triger port 500 ms before (which is in the low 1000's) and that fundamentally kills @Home's portscans (as well as the other million portscans I get and failed ftp login attemps with user/pass:warez). If they do find a way to block you, try setting up an SSH tunnel to that port. Use the Linux VPN howto as a template on how to pull this off. Not rocket science.
  • I haven't read their service agreement lately (they seem to change once a month), but the last time I checked the Cox@Home one, you could do things like run servers, VPNs, upload scads of data, etc. by becoming an @Work user. Same hardware hookup, but they remove those restrictions, plus they don't cap the data rates. So, while it might be true that you're stuck with your provider, it's not technically true that you're without recourse for obtaining these services. You just have to be willing to pay the additional money, a question best left up to you as to whether it's worth it.

  • How could they tell? Doesn't a VPN just look like one computer doing a whole lot of network activity?

  • I'm signed up to start this service soon. So I went and read this section of the service agreement. Like you I noticed that the is wording in there that may indicate that these things can not be done in relation to "Business Use".

    My reading of this however did not make it clear that VPN was tied to this "Business Use". So I called up their tech support folks. Who didn't really understand what I was even asking, so they went to their boss. What I wanted to know is if it was ok for me to do VPN to work because that's how I access my systems remotely.

    Their response,....

    NO!

    If I was to do so I would recieve a warning and if I continued I would be kicked off the sytem.

    This really, really bugs me! It also makes me wonder exactly what they mean by VPN, does connecting with any encrypted method count (SSL web pages)? What about remote access with SSH? What about port forwarding with SSH? From what I'm hearing from them, I'm not allowed to access anything in a secure manner.

    It looks like they want to totally kill of the work from home user.

    It's time to make some noise about this.

  • I thought a VPN was a simulated private network across the internet, which I supposed you could use to connect two of your computers, but only if they were physically far apart, using a VPN to connect two computers in the same room sounds insane.

    Perhaps you meant to mention the previous clause in the contract, where they prohibit you from being an endpoint for a lan, which is what you need to do if your sharing an internet connection with IP masquerading.
  • Big whoop. The @Home AUP [home.com] already prohibits connecting any servers to their network, and they go to considerable pain to make it clear that they're not just talking web, ftp, etc. If any of your computers are listening to any TCP ports you're in violation.

    Since they don't (can't?) enforce this most people aren't bothered by it in the least. A few of us have hangups about making agreements with the intent to violate the terms, so we avoid @Home. Not that there aren't plenty of reasons to avoid them without ethical excuses...

  • I don't think ISP's should restrict you at all, other than capping your bandwidth. Once they give you the pipe, anything else is unenforcible if the user has enough time on their hands.
    --
  • by RocketJeff (46275) on Monday August 14, 2000 @07:27AM (#856945) Homepage
    I was interested in hearing about this since I use AT&T/@Home. It appears that this is only the Comcast user agreement and not the @Home agreement.
    Remember, Comcast (and AT&T) use @Home services and can set their own user agreements seperate from @Home.
    Looks like Comcast sucks, but not all @Home providers are quite this bad.
  • Comcast, being a cable provider, usually operates in accordance with local, county, city, or municipality governments. They have a licensed monopoly from the local government. Comcast MAY have presented @Home as a service in many ways, including offering an easy way for consumers to telecomute. This is of interest to the government because telecomuting appears to be a cheap way to lighten trafic loads.

    So what I am saying is that you could try to contact your local government. They would take a deep interest in this sort of thing. Since comcasts billing of cable customers has to be approved by the county, the county has leverage over them.

    Also, another question is how would they know? The only way to know is by checking the contents of a packet. Doesn't this violate wire-tapping laws in your state?

    Oh, IANAL, but just some things to consider.

    W
  • even 100Mhz is (IMHO) overkill. My ipchains firewall is a 386-33 which very happily pumps 300k/s through it (330 is the highest I've seen yet, but I've managed to get 700k/s out of the box using ftp (as a host)). And yes, that's 300 kilobytes/s (2.4-3Mbps).

    Ok, compiling things on my firewall sucks, but I don't do that often :/

    Bill - aka taniwha
    --

  • by wa1hco (37574) on Monday August 14, 2000 @07:28AM (#856957)
    VPN usually means creating an encrypted IP in IP tunnel, for example between home and office, to allow secure connections. So, we have a difference of interpretation here that hard to understand. cwilson assumes it means creating a home network, probably with ipmasquerading. But I've never seen "VPN" used in that context. On the other hand, what does it mean for @home to forbid encrypted tunnels. Do they mean you can't encrypt? What about SSL? Do they mean you can't create a site that allows others to VPN in from the internet? Mysterious.
  • They are providing no additional benefit but think they are entitled to additional money.

    What do you expect from a cable company?

    They are used to a world where they control the content and everyone has to pay rates based on perceived value, not cost. You are just another set of eyeballs, a passive consumer of product.

  • The only "good" reason I can think of for them to bring in this change is that they don't like not being able to sniff all the information on your/their connections.
    The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth, so instead they are just banning anything you could possibly want to use it for other than surfing and email (and even email they are not generous about) because if they banned these they wouldn't be able to convince anyone that it was a good deal :-)
  • by hoefkens (16698) on Monday August 14, 2000 @07:28AM (#856964) Homepage
    No it doesn't. But that part wis also forbidden by the Subscriber Agreement (it says ...OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK).

    So the agreement essentially says: you may not put a LAN or a WAN at the end of your line and you may not join another LAN or WAN via an encrypted channel. Kind of interesting...
  • First of all, the poster's interpretation of what this clause means is incorrect and what the term "VPN" means is incorrect. VPN is a way of securely connecting two networks over an insecure network and doesn't necessarily have anything to do with IP Masquerading / NAT.

    Still the interesting question is, what would they have against VPN tunnels... I use them all the time to create encrypted links to the servers I administer... hmm... what would a huge ISP have against encrypted VPN links.. encrypted...

    Could it be that encrypted tunnels would prevent them fromm sniffing your packets and thus participating in echelon or court ordered wiretaps? Nahh.....
  • Can you supply a URL for this doc?
  • Read the AUP linked from the original article -- they do indeed reserve the right to enter your home, with prior notice, to check, modify, or remove the equipment. It's not illegal if you sign a contract (or agree to an AUP) giving them that right.
  • After all, they have to hack through my proxy before they can see my other machines, and that makes them guilty of computer crimes....

    Is such a policy enforcable by any practical means?
  • Apperently, another reason for the terms of use is spam. Here in Calgary, Shaw@Home doesn't seem to mind you running a mail server so long as it doesn't relay. I'm not sure about http, but for ftp they don't care so long as it's non anonymous (uploads?). Basicly, it seems they don't want you getting them blackholed or chewing up all their bandwidth :).

    As with you, I've only ever seen them scanning nntp, though I've had several attempted connections for smb/nmb (probably windows types trying to see what's out there). I'm actually a bit worried because I haven't seen anything in my logs since the beginning of the month.

    Bill - aka taniwha
    --

  • Can't you tunnel your VPN traffic over ssh or something? Tell ssh to forward port 50 on the local machine to port 50 on some remote machine, and the remote machine then continues the VPNing.
  • by coyote-san (38515) on Monday August 14, 2000 @09:22AM (#857007)
    Not every area has both @Home and @Work. My area (Boulder, Colo) just got a few weeks ago, and we only have @Home with "casual, residential use" guarantees. Reading between the line: I can't complain if I can't telecommute because the system is down for hours while they continue rebuilding the system.

    As for the telecommuting issue - I read my @Home AUP, and I actually kicked out the US Worst DSL for non-preformance, and I understand that both organizations strongly downplay the telecommuting aspect because they don't want to catch the flak when people can't work. Worse, a particularly clueless drone once suggested that I "just go into the office" those days when the connection is flaky, not comprehending that as an independent consultant my home *is* my office on some projects.

    The fastest way to change this attitude, in my experience, is to ask them if they think the sole reason people order this service is so they can download porn faster. (Esp. since the TV ads always show someone downloading images on a web browser, not downloading source tarballs.) This always seems to force them to reevaluate what's left after they make life unbearable for independent workers and telecommuters.
  • I may be missing someting, but what does system uptimte have to do with DSL stability?

    LOL Nothing directly, of course.

    The DSL connection is made when Linux boots.

    The DSL connection is not automatically reconnected if it goes down. (I just haven't gotten around to creating the scripts.)

    I haven't paid the extra $5/mo for a static IP yet, mostly because I still want the ability to log off and get a new IP address if I think someone has cracked my box. (I'm not new to using a *NIX system, just new to being root.)

    The uptime display there came from telnetting (bad, I know, but I never do it as root, and my passwords are all huge and ugly) into my box, and using copy and paste to put it into a message. The DSL connection must still be up for that to work, and has been up since the computer was last booted. No interruptions, and, in fact, no IP changes, either.

    Of course, I could just type "adsl-start" to restart my DSL connection if it went down, but I doubt that would work through telnet... you'll have to take my word for this (note, of course, that my IP address and username are hidden):

    Last login: Mon Aug 14 15:12:32 from mail1.litton-marine.com
    You have mail.
    [*****@proxy *****]$ uptime
    5:07pm up 20 days, 16:52, 1 user, load average: 0.00, 0.00, 0.00
    [*****@proxy *****]$ cd /
    [*****@proxy /]$ ./usr/sbin/adsl-status
    adsl-status: Link is up and running on interface ppp0
    ppp0 Link encap:Point-to-Point Protocol
    inet addr:204.138.***.*** P-t-P:204.138.***.1 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1450 Metric:1
    RX packets:1666960 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1175240 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:10

    [*****@proxy /]$
  • I don't get Roblimo's comment. What do VPNs have to do with NAT or IP Masquerading?


    ---
  • Why not just block them all together with IPChains? 966120470 - 08/12/2000 15:47:50 Host: authorized-scan.security.home.net/24.0.94.130 Port: 119 TCP Blocked I've been doing that on 10 machines (all different cities) ever since they started scanning their hosts, and I run a full set of services on each machine. Haven't been bothered yet.
  • The cited portion of the @home contract is not preventing users from running a masquerading (aka NAT in the non-Linux world) firewalls. VPN's are a way of tunneling network traffic over a non-secure network in a secure fashion (using encrypted connections/packets) and provide the illusion that many, spatially distant computers are communicating over a common LAN, rather than over the open internet.

    There may well be a section of the @home contract that forbids masquerading/NAT firewalls, I know that such clauses were popular a year or so back (mostly specifying that only a single computer could be hooked up to the service, which pretty much forbids masquerading/NAT firewalls) but the cited section is dealing with something else entirely.

  • by Hynman (67328) on Monday August 14, 2000 @09:24AM (#857020) Homepage
    Couldn't it be construed that packet encapsulation all together is a VPN and HEAT and MPlayer will be fuct? If that is allowed then can they stop IPv6? And... drum roll please... IPv6 features encryption, even user defined encryption. So in thoery you could do IPv6 under the same principals that HEAT and MPlayer are allowed.

    I've written (email) the following letter to @home to see if they have a clue:
    ------------------------------------
    I am a current @Home subscriber. The future of you providing my service
    rests on the following questions:

    Pertaining to section 6 d:
    'OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL'

    I wish to clarify that you do indeed mean VPN and not NAT.

    Question 1a) Do you really mean VPN?
    1b) How does @home define a VPN?

    A VPN may be implemented over HTTP or other already allowed protocols.

    Question 1c) Does this also deny such a VPN?

    Question 2) Do you really mean NAT?

    While a NAT (Network Address Translation) computer would cut into the $6.95 it costs for additional IP address, it us unclear why you would ban use of a Virtual Private Network (VPN), because it would not cut into profits. These two items are not related, but may be used in conjunction (but usually are not.) A VPN provides secure networking between computers over the Internet.

    Question 3) Why would @home ban VPN? Note: 'Because' is not sufficient. Please explain in detail why this restriction was chosen to
    be amended to the agreement. Please include any examples or relevant material.

    Section 9 A: You cover eavesdropping and how it is a risk. A VPN is the solution to such risk.

    Question 4) Do you still wish to ban VPN?

    My friends an I (All @home subscribers (for now)) wish to run a VPN. Provided that the VPN is in accordance with US and local authorities:

    Question 5a) Is this permitted by @home?
    5b) If so, are there any restrictions? 5c) what are those restrictions?

    Question 6) What measures will @home take to prevent/and/or detect VPNs?

    Question 7) If a VPN is discovered, through legal means, what measures
    will @home take?

    Question 8a) Is packet encapsulation considered VPN? If so it will dis-allow services like heat.net and mplayer.com to not function, since
    these services encapsulate IPX over IP. What about for IPv6? Also, AOL ould be affected.

    Question 8b) Are you aware of these ramifications?

    Please note that an answer such as 'whatever is deemed necessary' is vague. Please elaborate as much as possible. Answers will be taken with consideration as to the notion of 'progress' and 'advancement' of the service. Also please place the answer to each question below that
    question. Please answer each question. If answer is 'unknown', then please state 'unknown' and refer me to the appropriate person inside @home who would know.

    Thank You for your time,
    A current subscriber.
  • by drix (4602)
    Oh they are not outrageous - c'mon. I can remember back to a time when the mere thought of getting 2.5mbps of bandwidth for $40 a month would have made me soil myself. It's time to gain a little perspective here. You have no idea what a good deal you are getting; before you go whining about pricing perhaps you should check out the going rates for a modem connection in most parts of Europe, which is still priced per minute of usage, and where DSL is almost nonexistant. @Home is providing you with an extraordinarily high level of service for your money, and the fact of the matter is that they don't charge too much for what they offer already. What they offer is T1 level service for a little more than a dollar a day. If you really think they charge to much, I'd invite you to make a few phone calls and verify the price of a full-blown T1 line.

    --
  • Sure. All they would need to do is block IP traffic type 47 - GRE traffic. They could block pptp traffic as well but once the pptp initial connection is made, it switches over to GRE anyway so it would fail.
  • The "Private" context of a VPN is much more important than the virtualized network presence of a transferred network link.

    Privacy and cryptography are intimately linked in Virtual Private Networks; it's the cryptography that makes people willing to use the link at all.

    So, from that I have to ask a simple question: Does @Home plan to monitor my traffic for information they can't decrypt? Is @Home saying that if I would use an unencrypted link to my work email, they'd have no problem with my working from home?

    Can you imagine if a *telephone* company tried to specify who you were and weren't allowed to call, and what you were allowed to say, and that they needed to be able to understand every word you spoke?

    What part of "Common Carrier" doesn't @Home understand?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • by nharmon (97591) on Monday August 14, 2000 @07:33AM (#857034) Homepage

    ROBLIMO!!! Please read the links of the articles before posting them.

    resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or ununbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or

    Note: I had to use Lotus Wordpro to switch this to lower case, because /.'s unintelligent bastardized lameness filter stopped me. *smile*

    All it is saying, is that you cannot resell @HOME services. What is wrong with that? I think it's perfectly fine. If you want to use it commercially, you pay for such access.

    But seriously. Can Slashdot posters PLEASE read links, it might reduce the amount of FUD which gets passed through.

  • After reading a good deal of the posts on this thread I figured I'd toss in a few bits of wisdom I've pick'd up...

    For one I personally do not think Telephone or Cable companies should be in the internet business as they can't provide reliable service for their primary business let alone a secondary... Some may wish to argue this but if you think about it long enuf you can find the rationale behind this...

    Next I always try to find a local or regional provider before I look at any large company... This thread in and of itself is a good case in point... My ADSL service provider is a local company... I've gotten to know the company employees and have openly discuss'd with them my actual usage of the line... They know I run Linux (In fact they even offer tech support) and that I also have host'd web sites and a co-located box or two online as well... All of which I am paid for hosting... I've also got a complete subnet of valid IPs and could have another block in a short period of time should I need it... The point is if you find a smaller local company you generally can get on better terms with them... I'll add that the relationship I have with my provider has also been great when I've had hack attempts made on my equipment as they are as responsive as if it were their own equipment... Honestly I feel you get better quality service in the long run... My only outages have been the result of the Telco who carries the "last mile" of copper performing unscheduled maintaince on the DSLAM that they fail to inform the customer or the ISP offerin ADSL service...

    On the topic of the VPN... It's relatively easy for them to block IPSec VPN traffic as it uses standard ports and protocols... All you actually need to do is block the ESP (50) and AH (51) protocols along with the IKE (500) port on UDP (17).

  • by mosch (204)
    or does this mean that comcast @home customers can't use a vpn to get into their corporate networks anymore. bye-bye telecommuting.
    ----------------------------
  • Idea: Maybe the reason they do this is that VPN is sort of like the ultimate portscan-proof blocks-almost-everyone firewall. If people use tunnelling, they can set up any imaginable type of server (including servers prohibited by the TOS) without there being any means to detect it. Put up a web server or something, and have it only accessible through the tunnel, and their portscanners won't see it.

    Of course, by its very nature, I would think that using a VPN would mean that the overall .. uh .. "audience" for the server would probably be rather small, perhaps among a group of friends or whatever, so it wouldn't really be contrary to the spirit of the ISP's TOS. Perhaps I'm not thinking deviously enough.

    Ultimately, I think that an ISP controlling how its customers use their bandwidth makes about as much sense as a movie producer trying to control how its customers play their DVDs. And it'll be about as effective too.


    ---
  • by bgarcia (33222) on Monday August 14, 2000 @09:29AM (#857053) Homepage Journal
    I think it's pretty safe to assume that if they're going to stop people from establishing vpn's to work, that they'll be looking for the most common ones. In a word, they'll be looking for Microsoft PPTP connections.

    Just trick them? Use one of the other less well known vpn solutions, like VPND [sunsite.auc.dk]. I've been using vpnd for well over a year now, and it works wonderfully. Just pick a non-standard port, and they'll never even know to look for it.

  • by ruud (7631) on Monday August 14, 2000 @09:30AM (#857058) Homepage

    They can't possibly detect ip-masq.

    Unless you patch your kernel, Linux uses ports 61000 and up as the source port for masqueraded connections. A lot of traffic originating from that port range makes it at least suspicious that masquerading is used, but indeed they can never be 100% certain.


    --
  • I've written a little program [quatramaran.ens.fr] that will use the Linux ethernet tap device to take ethernet frames, optionally encrypt them using blowfish, and encapsulate them in UDP datagrams that are sent to a certain list of peers (either fixed or dynamically updated). So, in effect, it performs the task of a VPN; the advantage, though is that the datagrams are standard UDP datagrams, which are not distinguished by their protocol number (only their port number, but that can be changed at run time), thus essentially impossible to filter from "legit" packets (there isn't even a recognizable application level header, because all is encrypted using blowfish and transmited "as is"; changing the blowfish key could produce just about any content in the datagram). This could be useful in getting around any kind of filtering mechanism of this sort (unless they decide to completely disallow UDP, but that would be a bit fascist even for most ISPs).

    I use it, together with a UDP bouncer program [quatramaran.ens.fr], to get around a fascist firewall. I used to do it on TCP, but I had all sorts of nasty resonance problems between the two TCP windows, so I dropped that (the advantage of TCP, though, is that it never lost any frames as UDP does).

    Program is GPL'd. Your mileage may vary. Use at your own risk. Standard disclaimers apply.

  • Don't forget that cable modem hanging off that copper is a full-fledged router/monitoring device. The hardware in a DOCSIS (the standard) cable modem is truly impressive. It contains the logic to function as a router with plenty of monitoring tools built-in. A proxy or NAT style router/firewall is still the safest (and highest performing) method of placing multiple computers on a cable or DSL connection. There is (almost) no way of detecting multiple machines behind a NAT router or something similar.
  • by spinfire (148920) <dpn@isomerica.net> on Monday August 14, 2000 @07:35AM (#857073) Homepage
    I have ADSL service from Speakeasy.net [speakeasy.net] and they are incredibly flexible. They allow whole networks on residential circuits and i run a mail/web/ftp server on mine.

    Thus, I come to the conclusion that DSL is a better deal, provided you can find a good ISP (I strongly recommend speakeasy, they even fully support linux).

  • by signe (64498) on Monday August 14, 2000 @12:35PM (#857074) Homepage
    Personally, I'd just ignore this little change, like many people ignore the "don't run servers" rule. Why? @Home doesn't care.

    How do I know this? Well, I was at a conference in DC last spring called Spam Summit. Basically, everyone involved with blocking spam, or opt-in (real opt-in, like MyPoints) advertising systems got together and talked about the technology. @Home did a big presentation on anti-spam things which happened to include some talking about their policies on people running servers.

    The fact of the matter is that @Home just doesn't enforce the policy. The exec from @Home giving the presentation said very clearly that they don't routinely check for servers (excepting NNTP proxies, since they had that little problem with the UDP this past winter), and they really don't care if people run them as long as they are not causing problems. He defined problems as taking up too much bandwidth, or causing a security problem for @Home itself.

    So I really don't think this is a cause for concern. I doubt they're gonna bother checking for these things (they'd have to sniff the network constantly... VPNs operate on arbitrary ports, and it's not like they can check for a server, since @Home users are gonna be VPN clients (for the most part).

    -Todd

    ---
  • by mojotooth (53330) <mojotoothNO@SPAMgmail.com> on Monday August 14, 2000 @07:35AM (#857085) Journal
    The original poster was indeed confused.

    The reasons for restricting VPN traffic and restricting ip-masq are completely different.

    ip-masq: They would restrict this if they wanted to sell you more IP numbers.

    VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.

    They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.

    So don't even sweat it, just ignore this policy.
  • by sanemind (155251) on Monday August 14, 2000 @07:36AM (#857089) Homepage
    You people are confusing VPN's with NAT!

    Using, say, masquerading for many machines inside your home or buisness to seem to be coming from the one IP your ISP gives you is NAT (network address translation[I prefer masquerading, it is more descriptive, more obvious to the novice])

    VPN, or (virtual private networking), is when you tunnel IP over something else, so it's sort of like you have a PPP link [across the net] to some other host... and it is usually encrypted so that you can have the effect of a WAN or a dedicated private leased line, but using the public internet infrastructure instead. [Except for cpu lost in crypt [Still much cheaper ;) ]

    --sanemind

    man signature
  • by Tor (2685) on Monday August 14, 2000 @12:46PM (#857107) Homepage

    IPSeq (service 50) are not the only way to establish a VPN. For instance, you can use IP inside IP (Using either the kernel-based 'ipip.o' module, or a user-space ipip driver), or do as I do, create a PPP tunnel inside an SSH connection.

    Here is how:
    • From your machine inside a firewalled LAN (e.g. work), use the following `pppd' options file (under Debian, create it in /etc/ppp/peers, e.g. /etc/ppp/peers/my-home):

      # This link is over a SSH network connection
      pty "ssh -t -enone -C yourhost.home.net /usr/sbin/pppd noauth ipparam 172.16.0.0/16"

      # IP Addresses to use for this link
      192.168.0.1:192.168.0.2

      # Let the remote host start the conversation
      silent

      # We trust each other
      noauth

      # Keep modem up even if connection fails
      persist

      Here, replace 172.16.0.0/16 with your company network. This will be used as argument for the PPP 'if-up' script on your home computer.

    • Make sure the root user on your work machine can SSH to your home machine (as root) without being prompted for password. If neccessary, run 'ssh-keygen', and copy the '/root/.ssh/identity.pub' file from work to '/root/.ssh/authorized_keys' at home.

    • At home, create an if-up script, as follows:

      • Under Debian, create /etc/ppp/ip-up.d/vpn
      • Under RedHat, create or add to /etc/ppp/ip-up.local

      The script should contain:

      #!/bin/bash
      ################################################## ######################
      ### FILE: /etc/ppp/ip-up.d/vpn
      ### PURPOSE: Add routes after bringing up PPP link
      ################################################## ######################

      ### The following two lines are only needed with RedHat;
      ### Debian supplies these from the master ip-up script.
      ### $6 contains remote network/netmask (e.g. 172.16.0.0/16)
      [ "$PPP_IFACE" ] || PPP_IFACE=$1
      [ "$PPP_IPPARAM" ] || PPP_IPPARAM=$6


      ### Configure the route
      if [ "$PPP_IPPARAM" ]
      then
      /sbin/route add -net $PPP_IPPARAM dev $PPP_IFACE metric 1
      /sbin/ipchains -I input -j ACCEPT -i $PPP_IFACE
      /sbin/ipchains -I forward -j MASQ -s 192.168.1.0/24 -i $PPP_IFACE
      /sbin/ipchains -I output -j ACCEPT -i $PPP_IFACE
      fi
    • Edit root's crontab on your work machine (crontab -e), to start this PPP link. Under Debian, it will look as follows:

      */20 * * * * netstat -rn | grep -qs ^192.168.0.2 || pon my-home

      (replace 'my-home' with the name of the PPP options file in /etc/ppp/peers).

    Using this, you now have a PPP over SSH tunnel to/from your home. If it breaks, it is immediately brought back up (hence "persist" above); and if too many retries have passes and PPP gives up, a new connection is retried every 20 minutes (or whatever you set the crontab line to).

    Undetectable. :-)

  • by Thomas Charron (1485) <twaffle@gmail. c o m> on Monday August 14, 2000 @07:38AM (#857127) Homepage
    Apperently their lawyers should take some classes on basic WAN networking. You see, the issue here is, according to ComCast:

    OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;

    So basically, you *CANNOT* surf the net. The Net, after all, is basically a WAN connecting many LANs together, and hence, while using the net, you are breaking the service agreement. Personally, I'd sue them like no tommorow, becouse they are placing a stipulation in the agreement that disallows the service to be used for what you're actually paying it to do..
  • by MrEd (60684) <tonedog.hailmail@net> on Monday August 14, 2000 @07:41AM (#857184)
    You don't need to shell out for a router! Make your own!

    I'm in the Kingston area, on COGEGO@Home, living in a student house. We have six computers sharing a cablemodem connection using a linux box running the Linux Router Project [linuxrouter.org]. Very nice. It has no HD, no fan, and does its job quietly and well. A hub and two shitty network cards were all we had to buy.

    The cable guys who installed the modem were very understanding about it too... I pretended that my computer was the only one being connected, but strangely enough they ended up leaving behind enough free coax cable so that we could run it into the closet... :)

    Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.

    And, @Home sucks. Is ADSL any better?

  • by billstewart (78916) on Monday August 14, 2000 @01:31PM (#857200) Journal
    OK, so you've been lucky so far recycling a DHCP address you got once as if it were a static address. That's because most of the machines in your DHCP domain keep renewing the same addresses. But as long as you don't have your machine configured for DHCP, it won't go periodically renewing the lease, so there's a risk that the next time there's a new customer on your block or an existing customer add a new machine, the DHCP server may give the address you're squatting to them. Then there will be a "two machines trying to use the same IP address" conflict, and if they've got any competence at debugging, they will hunt you down like a dog. Be a good neighbor and go back to using IPmasq or equivalent.

    Bandwidth and transfer limit checking - some cable systems are equipped for it, some aren't, some have rate-limiting hardware, some don't. To a certain extent, the obnoxious acceptable use policies against anything resembling a server are to make up for the lack of bandwidth-limiter equipment and accounting systems - otherwise they'd be happy to bill you for it, just like the other part of the cable system is happy to bill you for pay-per-view. Gradually they'll get newer equipment deployed, especially as they roll out DOCSIS, but it'll take a while to get obnoxious policies changed.

  • by cr0sh (43134) on Monday August 14, 2000 @11:15AM (#857212) Homepage
    @Home is prohibiting VPN's, and obviously wants to relegate you setting one up as a business thing, as an @Work option. IE - they want you to pay more...

    How long do they think this can last? I can imagine a normal family, in the very near future, who want to share all the resources of their family network, via VPN connections. Maybe mom and dad have @Home, the son is in college, lives off-campus and has @Home, the daughter and new husband lives across town and has @Home, and maybe the family (the mom and dad) also own a cabin by the lake, and they get @Home there as well.

    They want to share their files, so they each set up a fileserver, at each node: at mom and dad's, the son in his apartment, as well as the daughter (and husband). After setting these fileservers up, they probably want to access (and share) files anywhere in the network - their personal, home-use only files, nothing business related. They each are paying for their IP's. The only way to let them do what they want, securely, is via VPN connections, right? What if mom wants to print a recipie for her daughter? She could email it, or print it through the VPN connected printer at her daughter's house. Or maybe they want to set up a VPN'd family recipe book (of course, accessed via a mod'ed iOpenner in the kitchen)? Or maybe they want to setup a private family email "ring", or "list" (wedding announcements, family get-togethers, etc)? Here's an angle: What about those MP3s (of CD's they own, of course) stored on the home server, that the family wants to stream to the cabin, while on vacation (this is fair use, right - or at least, domain shifting)?

    @Home doesn't get it - they really don't get broadband, and the possibilities it opens for the sharing of data amongst people (or maybe they do, and are running scared, perhaps?). This hypothetical VPN use I've outlined doesn't warrant an @Work setup - it is a private VPN.

    If it isn't happenning already, it will - private VPN's will be the next "thing" in private home networking - and @Home is shooting themselves in the foot for disallowing this...

    I wish @Home would just give us the pipe, and let US decide what to do with it!

    I support the EFF [eff.org] - do you?

"A great many people think they are thinking when they are merely rearranging their prejudices." -- William James

Working...