@Home Stops Allowing VPNs 517
cwilson writes: "I just got a message from my cable modem provider, Comcast@Home (a member of the Excite@Home network) that the terms of service were being changed. The interesting bit: Section 6. Prohibited Uses of the Service. This section specifies that use of the Service in conjunction with a VPN (Virtual Private Network) or a VPN Tunneling Protocol is a prohibited use of the Service. See for yourself here in section 6." Apparently @Home is looking for the little bit of extra revenue they can get by selling additional IPs to people (like me) who have more than one computer. This might not be so bad if @Home provided reliable e-mail and DNS servers and other "basic" services one expects from an ISP, which they don't. This is just another piece of woe for those of us whose only broadband choice is @Home. Bah! Update: 08/14 14:16 by michael : Yes, Robin confused NAT and VPN. TLA's are a PIA.
Re:Here's a hypothetical situation... (Score:2)
I understand what you are saying - but the fact is that people are going to want to do VPN someday at home. One could argue at one time that no one would ever set up a home network, that was just a business thing - but people are now doing it.
I tend to wonder if many of these things are just business imposing artificial scarcity on a "resource". In other words, would home networking have happened faster if the cards were cheap(er) to begin with? Maybe, maybe not (of course, the counter argument would be that the computers weren't cheap enough to have multiple machines at home).
So now are we left with a business telling us that we can't do VPN, because it is a business thing only - when I have already outlined several personal uses of such technology for home use?
Like I said before, just give us the pipe, and leave us alone (home, business, who cares).
I support the EFF [eff.org] - do you?
FTP? True, but... (Score:2)
However, none of these things is secure. Nor will an FTP server allow for easy access to that MP3 collection at the cabin.
A well set up VPN would be much more secure, and more flexible - because it would simply be an encrypted tunnel between two separate private networks. I am sure right now people are doing exactly as you suggest, setting up multiple FTP servers and sharing files with family - and I am sure people are doing the Windows sharing thing as well (at least within a particular subnet - maybe with their neighbor or something). However, these people will be in for a rude "surprise" when someone "comes in" and takes a bunch of stuff not meant for them, or places something nasty on the machines, or for that matter, reformats the drive, etc. (I am assuming Windows boxes).
Of course, if people are doing this, one could argue about how could we expect them to properly set up a VPN, when they don't even try to firewall their boxes - a good question indeed...
I support the EFF [eff.org] - do you?
One other thing... (Score:2)
Give us more tiers, and charge accordingly! That way consumers get what they want, and businesses can get theirs. DSL works this way, telephone works this way - why can't cable (and don't get me started on cable TV - I hate sports channels, but I am forced to get them, even though I don't watch them, at all - why?)...
I support the EFF [eff.org] - do you?
DSL is set under phone company tariffs (Score:2)
Question... (Score:2)
Enlist the help of your city/county gov't (Score:2)
1) It's anti-telecommuting, so write a nice letter to your county gov't official that is most sensitive to growth and road paving issues. Might be your district official, might be a transportation committee chair. Let them know that your cable company (granted it's monopoly by the county) opposes telecommuting by its AUP.
2) It's abuse of monopoly, so write another nice letter to your county official that periodically reviews the cable company's franchise. Every few years, 3-7 or so, depending on where you live, the franchise has to be renewed. Most counties have staff to forward complaints from county residents to the cable company, and track the cable company's performance on fixing them. Use this channel, it's powerful!
Re:IPSec is the standard. (Score:2)
@Home customers who use any of the dozens of other operating systems capable of performing this feat.
Or did you think SSH and PPP were Linux things?
--
But neither will sell a home user a static IP. (Score:2)
You can run a server on Bell's HSE. The only thing is they don't offer support for it.
43. If I have a domain name, is it possible to get the IP address associated with that name?
The Bell Sympatico High Speed Edition service does not allow for the hosting of domain names other than the sympatico.ca domain.
That was from their FAQ. [sympatico.ca] I suspect their problem with users hosting their own domains is the following:
41. Can I have a static IP address with the Bell Sympatico High Speed Edition service?
The Bell Sympatico High Speed Edition service uses dynamic IP address allocation only. In the Internet environment where demand is growing at a fast pace, dynamic IP addressing allows for optimum usage of IP addresses.
Funny. dsl.ca [www.dsl.ca] lets me rent a static IP for an extra $5/mo.
Now, Bell's service agreement has softened up about servers, because when I did initially look into HSE as an alternative to @Home, they did specifically indicate that you were not allowed to use servers at all. Currently, this is the situation:
Without limiting the foregoing, you agree not to use the Service or any equipment provided in connection with the Service, for operation of an Internet Service Provider's business nor for any other non-residential purpose.
Their Agreement [sympatico.ca].
That's a lot better than it was when I looked, but one could argue that webserving at home is a non-residential use. (The same way that I like working on cars, but actually working on them at your residence is actually technically illegal in Toronto's zoning laws.) dsl.ca specifically covers "home office" options, perhaps allowing the use of their high speed connection for tasks associated with their small business or self-employment, without having to pay for expensive business-grade DSL.
Again, dsl.ca isn't perfect. But they're a lot more geek-friendly than the other two (three, if you count look.ca's unidirectional service) broadband options.
Re:One other thing... (Score:2)
That's why all those phone companies market on 'shows up on your normal bill'. You and I aren't 'normal' people to market researchers, so our opinions aren't valid. Remember, this is a market-based society, not a democratic one.
:-)
Re:Here's a hypothetical situation... (Score:2)
Note: I E-mailed @Home at one point and pointed out that I ran Linux and had SSHD2 running on my machine to transfer files from home to work and to access my home Email while at work. They told me that was fine, and put a flag on my account.
If you have a problem with a company's policies, ask them about it politely, don't make a big case out of it.
Re:A home network is not a VPN! (Score:2)
According to section 6 of the Comcast Online Subscriber Agreement,
I would be inclined to consider your home LAN would be a non-Comcast LAN.
Re:Are you confusing VPN's and ip masquerading? (Score:2)
I plan on using a VPN, however, to provide a small number of real, routable addresses to my home machines while using the single random DHCP address I get from the cable modem providers.
-M
---- ----
Re:More than one computer....? (Score:2)
I have to say that I was totally confused for a moment as to why disallowing VPNs would affect your ability to set up more than one computer on the Net. If anyone is interested, Wingate [deerfield.com] is pretty good proxy software for MS Windows, and Tucows [tucows.com] has a number of others. *nix of course has internal support for this kind of stuff.
Detecting VPNs (shutting off SSL POP3 and SMTP?) (Score:4)
I suspect that @Home will now start monitoring connections for encryption (think SSL and TLS), then look at traffic patterns to determine whether it's a secure Web browser or "something else". That means that you might be shut off for using SSL-encapsulated FTP or SSL-encapsulated SMTP (for secure mail transfer). Indeed, I can see where people regularly using PGP encryption on mail content may get a little note from the company.
Hmmm...there is very little difference between a VPN and SSL encrypted services. Could it be that we are seeing something caused by the FBI demands to snoop on mail? A VPN is one way to block Carnivore and ISP monitoring from capturing e-mail traffic. Another way is to use STARTTLS-enabled mail clients to talk directly to STARTTLS-enabled mail transfer agents.
Perhaps it isn't just a bid for money...but then again, I admit I'm paranoid.
Re:Read the entire agreement!!! (Score:4)
without limiting the generality of the foregoing, the service is for personal and non-commercial use only and [the] customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol;
That said, it's probably wise to just ignore the policy. I would suspect fully 100% of @home subscribers are breaking at least two of the rules mentioned there; if they're not, they're wasting their money. It seems that @home (at least in my part of the world) only gets annoyed when you start using up obscene amounts of bandwidth (e.g. around 1GB/day regularly/constantly).
Re:data security (Score:4)
Re:VPN's are NOT masquerading firewalls (Score:2)
I'm sure there is also a motivation to try and get people to pay for extra IPs, but I suspect that support issues are the main motivation.
Re:Are you confusing VPN's and ip masquerading? (Score:3)
But apart from this, how does Comcast think to actually enforce this? I mean, come on, everybody with some knowledge of ipchains, squid, and maybe a generic ip proxy will be able to mask that he/she is masquerading his/her traffic. Out of the box masquerading is easily detectable (who seriously uses ports upwards of 60000?), but with some precaution you can make it seem to be one computer, running MSIE if you want.
Oh, and how the heck would they tell a VPN protocol from http, provided one uses a sufficiently encrypted connection (ssh will do, so will any ssl-based app). Everybody who runs VPNs without encryption should be shot on the spot anyway. Or take out the P from VPN.
Can you believe the "Deutsche Telekom" (the phone company in Germany holding the monopoly to local lines and thus flatrates) actually prohibits this exact same behavior on even analog connections? As if that would make any difference at all (they don't sell you IPs, they're dynamic anyway), but what do you expect from monopolies.
Comcast Clarification of VPN (Score:5)
It is not the intent of this text to prohibit customers from establishing a connection for residential purposes. Activities such as online banking, online trading and making purchases online are not considered in violation of the Subscriber Agreement.
The Comcast Online residential service is not intended for those that attempt to host a VPN connection or for those persons attempting to establish a VPN connection with their workplace.
Thank you for choosing Comcast@Home!
Not just Comcast (Score:3)
From the Cox@Home User Agreement:
8. Prohibited Uses of the Service; Indemnity.
Customer shall not use the Equipment or the Service directly or indirectly to:
m. use a VPN (virtual private network) or VPN tunneling protocol;
Here's [cox.com] the link to it.
However; I looked at the @Home Acceptable Use Policy [home.com] and they didn't have anything specific about VPNs.
I've liked my service so far, but if they try and enforce this, I'll have to switch to DSL (Man I HATE Southwestern Bell) because I have to be able to VPN into work. I really think they are shooting themselves in the foot with this, although it may end up being something they never enforce. I'm not going to start worrying about it until they do. And if/when they do enforce it, then that will be $40/mo less revenue for them from me.
Re:VPN != IP Masquerading / NAT (Score:2)
The AUP is not really clear, but... (Score:3)
...it probably should be passed in front of a tech-savvy legal expert.
There are two possible interpretations of Section 6(b)(vii):
Comcast needs to clarify this quickly. If they are banning VPNs of any kind, well, that kills their telecommuter business immediately, which I can't see them doing (telecommuters are good for the service - they use the network at an otherwise low-use period and are not any more of a strain on the network than an ordinary user). I suspect that the intent was to prevent businesses from using @home as a channel to set up remote office VPNs and/or to prevent people from setting up clandestine Internet servers (i.e. ones that don't serve out from the @home IP, but do on another IP, and are undetectable by @home).
I'd call Comcast and make this point. I suspect that they aren't going after the telecommuter, but instead have a badly-worded AUP addition, and should change that.
-Erik
they'll use @work... (Score:2)
They'll pay twice as much for @Work.
--
Re:Detecting VPNs *NOT* detecting encryption. (Score:2)
Disallowing most VPNs would be as simple as blocking IP protocol 47 at their gateway router. Trivial. "gre deny any any" in Cisco's IOS parlance.
As a reminder (and not really related to the post I'm replying to), VPN != Masquerading, although many sites could "detect" masqueraded traffic simply by watching for a higher-than-normal use of ports over 60,000. Most network providers - even companies and schools - have network monitoring hardware. I've learned how to configure Netscout [netscout.com] probes and software to show me information very similar to this.
IPsec is also used, but I'm not as familiar with the details of that.
-Jeff
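As an added illustration (not code from any poster on this page), here is a small Python packet classifier that applies the protocol-number filter Jeff describes, generalised from GRE (protocol 47) to IPsec ESP/AH as well, and the thread's "source port above 60000" masquerading heuristic, over constructed sample packets. The addresses, rule list and payload bytes are assumptions made for the example; the filter models the first-match semantics of a router ACL, not any specific vendor's implementation.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers the thread talks about: GRE (PPTP's data channel) plus
# IPsec ESP/AH, alongside everyday TCP/UDP.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}
VPN_PROTOCOLS = {47, 50, 51}
# The thread's masquerading heuristic: NAT boxes pick source ports above 60000.
NAT_PORT_THRESHOLD = 60000

# Generalisation of the thread's "deny gre" ACL (assumed rule set): first match
# wins, with an implicit deny at the end, like a router extended access list.
RULES: List[Tuple[str, str]] = [
    ("deny", "gre"),
    ("deny", "esp"),
    ("deny", "ah"),
    ("permit", "ip"),
]


@dataclass
class PacketInfo:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_ipv4(pkt: bytes) -> PacketInfo:
    """Decode the IPv4 header; for TCP/UDP also pull the port pair."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    info = PacketInfo(
        src=socket.inet_ntoa(pkt[12:16]),
        dst=socket.inet_ntoa(pkt[16:20]),
        proto=pkt[9],
    )
    # TCP and UDP headers both begin with 16-bit source and destination ports.
    if info.proto in (6, 17) and len(pkt) >= ihl + 4:
        info.sport, info.dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def acl_action(info: PacketInfo, rules=RULES) -> str:
    """Return 'permit' or 'deny' from the first matching rule ('ip' matches all)."""
    name = PROTO_NAMES.get(info.proto)
    for action, proto_name in rules:
        if proto_name == "ip" or proto_name == name:
            return action
    return "deny"                      # implicit deny, as on a router


def classify(pkt: bytes, rules=RULES) -> dict:
    """What a gateway filter or a home firewall log would record for one packet."""
    info = parse_ipv4(pkt)
    flags = []
    if info.proto in VPN_PROTOCOLS:
        flags.append("vpn-protocol:" + PROTO_NAMES[info.proto])
    if info.sport is not None and info.sport > NAT_PORT_THRESHOLD:
        flags.append("high-source-port")   # the thread's NAT tell-tale
    return {
        "src": info.src, "dst": info.dst,
        "proto": PROTO_NAMES.get(info.proto, str(info.proto)),
        "action": acl_action(info, rules), "flags": flags,
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IPv4 plus a bare 20-byte TCP SYN header (no options, checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return build_ipv4(src, dst, 6, tcp)


# Constructed sample traffic, not captured data; addresses are documentation ranges.
SAMPLES = {
    "pptp-data":    build_ipv4("192.0.2.10", "198.51.100.1", 47, b"\x30\x01\x88\x0b"),
    "ipsec-esp":    build_ipv4("192.0.2.10", "198.51.100.1", 50, b"\x00" * 8),
    "nat-like-web": build_tcp("192.0.2.10", "198.51.100.80", 61234, 80),
    "plain-web":    build_tcp("192.0.2.10", "198.51.100.80", 1025, 80),
}


def audit(samples=SAMPLES, rules=RULES) -> dict:
    """Classify every sample, keyed by sample name so each verdict can be inspected."""
    return {name: classify(pkt, rules) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14s} {verdict['proto']:4s} {verdict['action']:6s} {verdict['flags']}")
```

Note that the high-port heuristic is only a hint: the SYN from port 1025 and the one from port 61234 are otherwise identical, which is why the thread's later comments call out how easy it is to blend in.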
Re:VPN is a strange thing to forbid (Score:5)
Re:No more secure working from home with @Home? (Score:3)
Re:Can they detect it? (Score:2)
Detecting IPSec is easy (Score:4)
This is a terrible precedent because long term it prevents the use of ubiquitous point-point Transport Mode IPSec, which is the whole point behind the IPSec standard. Sure, it's neat to make tunnels to work, but in the long term the IPSec community wants to create a mechanism to secure ALL IP traffic. This blows that goal right out of the water.
Also, are they going to start limiting SSH service to my employer? Can I telnet to my employer? Where do they draw the line between "personal use" and "business use"? If my cable modem provider pulls these tricks they'll lose a customer.
Do they portscan (Score:2)
I'm getting hooked up this week (after waiting 2 months in vain for Bell Atlantic to hook up my DSL) and fully intend to run ftp, http and email servers for personal use.
Re:Question... (Score:2)
IMNSHO you should use masqing or at *least* a decent firewall on xDSL or cable modem simply because you really don't want your documents, pr0n or private mail being snooped by your neighbors or even the @HOME people.
The only reason I'd use the multiple IPs is to set up a separate web/mail/whatever server on a DMZ for myself. Of course, you're not allowed to set up a webserver right? Well, a little ipchains magic to block the scanning address
Re:Missing out on the V in VPN? (Score:2)
Re:Make your own (Score:2)
I use 256Kbps ADSL from US Qwest in the same market, and I typically see 32KBps on the upstream side and between 32 and 60KBps on the downstream side. 32KBps is approximately 256Kbps. I haven't noticed problems with latency.
One possible difference is that while I use US Qwest for the wire part of the service, I use a different ISP for the Internet part.
I know of some other AT&T @Home subscribers in the area that aren't quite so happy either. One guy in particular was complaining that at certain times of the day he was getting bandwidth about like a 14.4 modem. He probably has some warez kiddies in his neighborhood or something.
Re:Oh yeah (Score:2)
Re:Yes, poster was confused (Score:2)
I'm not sure whether similar constraints apply to ADSL.
Re:Question... (Score:2)
Sharing the Comcast Equipment (Score:2)
Re:Broadband (Score:3)
Although I do have broadband (Cox@home), I do remember not having access to broadband, and it sucked. People whine about @home, RoadRunner, or DSL, but try a 56K modem then go back to broadband and they won't complain anymore.
I am one @home customer that is grateful to be able to download at 100K/sec+ and have 40ms Quake3 ping times.
Re:Make your own (Score:2)
Since I can *only* get ADSL in my hood in Toronto, I'll give you my perspective:
downloads are fine, speed is consistent, uploads are slow (which isn't that big a deal to me), and more importantly to me: the USENET servers have been upgraded a couple of times in the past year, so News is really great. From what I've heard, the @Home News servers really bite and @Home couldn't care less.
Downside: the PPPoE servers occasionally go down, so you can't get a connection. Sometimes, my speed drops from 70K/s to 30K/s for a few hours.
Personally, I'm happy with the service because it's way better than a modem. I don't expect 100% on time, full-speed connections because I know better: judging by the amount of bitching I hear about all the different broadband options, it appears that most people have forgotten that nothing is 100% perfect EVER, especially when it comes to computers!
Pope
Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
Re:ISP Monopoly (Score:2)
Sad thing is that AOHell is/will be a cable ISP monopoly after the acquisition of Time Warner - If you can't beat 'em, buy 'em out, I guess. I'm just waiting for my RR speeds to go down the toilet.
At that point I'll try to find a decent DSL provider. Anyone have good luck with one? Concentric seems to be running a $50/month DSL bit with no equipment or setup charges - which sounds REALLY good, but I'd like to hear from someone who has it first, before I ditch my cable connection.
VPN, Internet Connection Sharing, etc. (Score:2)
AT&T's policy [att.com] is that you cannot run any servers, i.e. FTP, Telnet, News, etc. including VPN servers. They could care less whether or not I connect to work or elsewhere through VPN. The Terms of Service also say nothing about hosting a personal web site. It goes along with the upstream bandwidth limits, they want you to subscribe to their business services (which just happen to be significantly more expensive).
As far as sharing the internet connection goes (this is what I was told by the installation guy), the policy "we don't support home networks" really means "we're not going to set one up for you." I personally use a 2000 server configured as an internet router to share my connection. But he said he'd seen quite a few people with linux boxes or hardware routers. The companies just want you to buy more IP addresses from them (at $4-5 a month per IP address, it adds up).
Confusion (Score:2)
What they are trying to prevent is people using @home to VPN in to their office networks, and this should REALLY DISTURB PEOPLE.
It should *NOT* be @HOME's place to tell us what kind of traffic is acceptable, other than network abuse itself. If they want to up bandwidth fees, that's fine.
Hmm. I wonder why @home is so insistent on forcing people to web surf and email only... could it be they are tracking statistics?
Two points. (Score:2)
2) This is not an @home change, only a comcast@home change.. specific, it appears, to comcast, as it doesn't appear in any other cable provider's network. I believe individual providers are allowed to add their own restrictions if they wish.
Re:Broadband Monopoly (Score:2)
I live in Ontario (Canada, not California!) working remotely for the Colorado office of a San Jose based company. I wouldn't be able to do this without a VPN.
My DSL internet access from Sympatico (Bell) costs Cdn$40/month (including $10 modem rental). The equivalent business service (identical in all forms) from Bell itself costs about $80. Faster services start at $150 quickly rising to $450/month, but they are all business only. The only alternative is Rogers@Home (some alternative, eh?). Banning VPN would force me to switch to a corporate plan, which would mean paying through the nose
VPN's, @Home, and cable networks (Score:3)
Second, whilst the "stated" aim is to prevent the customer from using @Home as a means to compete -with- @Home, the effect is to essentially make @Home largely pointless. There is no purpose in being connected 100% of the time, if you can't make -some- use of the unused bandwidth that you (after all) -ARE- paying for.
IMHO, if they had said -commercial- web server, or -commercial- VPN, then @Home would have a point. It would also make some kind of "legal" sense, due to US zoning laws.
On the other hand, blanket bans, where what is being banned is not clearly stated or described, sounds more like a means to sue anyone they happen to feel like, on some kind of ill-defined pretext.
I thought King John had ended this kind of practice. Obviously not. Maybe we need another uprising, to remind people that "authority" is NOT about power but responsibility.
OTOH, if some Grey Hats could, umm, find a few billion to rewire the US with 3 terabit Optic Fibre running to everyone's house, then @Home's TOS would be quite redundant.
BellAtlantic DSL (Score:2)
Toronto DSL vs. Cable - @Home, Bell Atlantic (Score:2)
Yeah. Most of the people I know in Toronto and Ottawa who are on either Shaw@Home or Rogers@Home are very happy with their service. Friends in Niagara Falls NY on Adelphia's unidirectional cable system love that, too, even piped into their LAN. It's worth noting that one of those friends actually works as a sales rep for Bell Atlantic DSL.
And, @Home sucks. Is ADSL any better?
Okay. Well, I've never had cable internet service.
My decision went as follows:
dsl.ca [www.dsl.ca] is a division of Velocet. They offer their DSL service only in Toronto at the moment. $34.95/mo + $5/mo modem rental (okay, no cheaper than Sympatico). But for an extra $5/mo, they'll rent a static IP. Installation went like a million bucks. PPPoE is the only downside, but even so, Roaring Penguin's PPPoE solution [roaringpenguin.com] is great.
Many people complain about the stability of DSL connections. I have no concerns:
2:37pm up 20 days, 14:21, 1 user, load average: 0.13, 0.03, 0.01
55 processes: 54 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 0.7% user, 1.3% system, 0.0% nice, 97.8% idle
My PPPoE-based DSL connection is started up when my computer starts up. Most of that CPU load is actually top, then there's a bit from the PPPoE client. Even with all 5 computers on my home LAN streaming Real Video from the Big Brother website, the PPPoE client never gets above 2.5% or so CPU usage. (Pentium 133 with 32 megs RAM.)
If you're in Toronto, look into dsl.ca if you want a cable/Sympatico alternative. I love these guys.
Re:Yes, poster was confused (Score:2)
VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.
I can't speak about comcast, but I've been using AT&T@Home (formerly TCI) for a couple years now, and have been running pretty much all of the "forbidden" services on my box. Granted, the daemons don't account for a great deal of traffic, but certainly enough to be detectable if they were looking.
My gut feeling is that running these services is "forbidden" simply to relieve their tech support staff from having to answer questions, and from complaints like "my users are getting horrible download speeds from my ftp site." Other than that, they really have no reason to care what you run on your machines, especially with the upstream bandwidth caps they've recently put in place.
As much hype as there has been about these restrictions, I don't think I've heard of even one case of somebody getting their service terminated for running an ftp or http server.
Why kill VPN? (Score:2)
Quick. Let's get out our conspiracy hats. It's either money or power. Corporate greed or government subversion of our privacy. Which could it be?
rc-flyer [slashdot.org] was nice enough to call up the Comcast folks and get clarification. Encryption for consumer use such as shopping and banking? OK. Telecommuters? No way.
Aha. While it might be more exciting to strain for the sounds of black helicopters and carnivorous black boxes, greed wins out. A look at the @Work [home.net] site gushes:
It would seem that telecommuters are finding it easy to do their own "@Work" solution and aren't interested in the undoubtedly higher price tag of @Work over @Home service.
Re:Make your own (Score:2)
And, @Home sucks. Is ADSL any better?
Running PPPoE on Sympatico HSE ADSL, I see pings to the most local Q3 demo servers in the range 30-50ms. Download speeds up to 102Kbytes/second, particularly to the Helixcode Akamai server, so I'm pretty happy with it. Performance under Linux is good and gets connected faster than on Windows when using the RP PPPoE client so I'm happy. Especially as the reason for getting the ADSL in the first place was VPN connectivity.
Cheers,
Toby Haynes
Re:Clarifying the confusion (maybe) (Score:2)
Re:How would they know... (Score:2)
ISPs can get away with outrageous bullshit if they like...most usage agreements, no matter how innocuous, contain a clause allowing them to modify the terms of service at any time, for any reason. Business users get a bit more slack, but they pay through the nose for it. Personally, I'm sick of it, but there's no public, open alternative to the ISP oligopolies.
Yes they portscan... (Score:2)
Rogers@home isn't overly anal (at the moment anyhow) about this sort of thing although the one thing they will portscan and hunt you down for is an open newsfeed. This is in response to the whole usenet @home blackhole fiasco of some time ago. I've noticed that they don't even mind if you have an ftp server up so long as it's not anon access and you don't cause trouble (you would never get an @home rep to say this on record tho so take it for what it's worth).
Oh yeah (Score:2)
Re:VPN is a strange thing to forbid (Score:2)
I like the fact that they have a typo in their graphic on that page... 'Corporat' and 'Corporate' both appear... you think they could at least be consistent...
--
WRONG! (Score:3)
@work may be the answer (Score:2)
Re:Read the entire agreement!!! (Score:2)
How could they tell? Doesn't a VPN just look like one computer doing a whole lot of network activity?
I called them up to find out, here's what I got. (Score:2)
My reading of this however did not make it clear that VPN was tied to this "Business Use". So I called up their tech support folks. Who didn't really understand what I was even asking, so they went to their boss. What I wanted to know is if it was ok for me to do VPN to work because that's how I access my systems remotely.
Their response,....
NO!
If I was to do so I would receive a warning and if I continued I would be kicked off the system.
This really, really bugs me! It also makes me wonder exactly what they mean by VPN, does connecting with any encrypted method count (SSL web pages)? What about remote access with SSH? What about port forwarding with SSH? From what I'm hearing from them, I'm not allowed to access anything in a secure manner.
It looks like they want to totally kill off the work from home user.
It's time to make some noise about this.
Are you confusing VPN's and ip masquerading? (Score:5)
Perhaps you meant to mention the previous clause in the contract, where they prohibit you from being an endpoint for a LAN, which is what you need to do if you're sharing an internet connection with IP masquerading.
So? Anyone reading /. is already in violation (Score:2)
Big whoop. The @Home AUP [home.com] already prohibits connecting any servers to their network, and they go to considerable pain to make it clear that they're not just talking web, ftp, etc. If any of your computers are listening to any TCP ports you're in violation.
Since they don't (can't?) enforce this most people aren't bothered by it in the least. A few of us have hangups about making agreements with the intent to violate the terms, so we avoid @Home. Not that there aren't plenty of reasons to avoid them without ethical excuses...
How it should be (Score:2)
--
Looks to be Comcast, not @home doing this (Score:4)
Remember, Comcast (and AT&T) use @Home services and can set their own user agreements separate from @Home.
Looks like Comcast sucks, but not all @Home providers are quite this bad.
No VPN? How to make your life interesting (Score:2)
So what I am saying is that you could try to contact your local government. They would take a deep interest in this sort of thing. Since Comcast's billing of cable customers has to be approved by the county, the county has leverage over them.
Also, another question is how would they know? The only way to know is by checking the contents of a packet. Doesn't this violate wire-tapping laws in your state?
Oh, IANAL, but just some things to consider.
W
Re:Make your own (Score:2)
Ok, compiling things on my firewall sucks, but I don't do that often :/
Bill - aka taniwha
--
VPN is a strange thing to forbid (Score:3)
Re:I'm only going to pay for a pipe... (Score:2)
What do you expect from a cable company?
They are used to a world where they control the content and everyone has to pay rates based on perceived value, not cost. You are just another set of eyeballs, a passive consumer of product.
data security (Score:2)
The only bad reason I can think of for them to bring in this change is that they don't like people using their service because that means they need more real bandwidth, so instead they are just banning anything you could possibly want to use it for other than surfing and email (and even email they are not generous about) because if they banned these they wouldn't be able to convince anyone that it was a good deal
Re:Question... (Score:3)
So the agreement essentially says: you may not put a LAN or a WAN at the end of your line and you may not join another LAN or WAN via an encrypted channel. Kind of interesting...
VPN != IP Masquerading / NAT (Score:2)
Still the interesting question is, what would they have against VPN tunnels... I use them all the time to create encrypted links to the servers I administer... hmm... what would a huge ISP have against encrypted VPN links.. encrypted...
Could it be that encrypted tunnels would prevent them from sniffing your packets and thus participating in Echelon or court ordered wiretaps? Nahh.....
Re:Do they portscan (Score:2)
Re:How would they know... (Score:2)
How enforceable is this? (Score:2)
Is such a policy enforceable by any practical means?
Re:they will have you think (Score:2)
As with you, I've only ever seen them scanning nntp, though I've had several attempted connections for smb/nmb (probably windows types trying to see what's out there). I'm actually a bit worried because I haven't seen anything in my logs since the beginning of the month.
Bill - aka taniwha
--
Re:Detecting IPSec is easy (Score:2)
Download Porn Faster! (TM) (Score:4)
As for the telecommuting issue - I read my @Home AUP, and I actually kicked out the US Worst DSL for non-performance, and I understand that both organizations strongly downplay the telecommuting aspect because they don't want to catch the flak when people can't work. Worse, a particularly clueless drone once suggested that I "just go into the office" those days when the connection is flaky, not comprehending that as an independent consultant my home *is* my office on some projects.
The fastest way to change this attitude, in my experience, is to ask them if they think the sole reason people order this service is so they can download porn faster. (Esp. since the TV ads always show someone downloading images on a web browser, not downloading source tarballs.) This always seems to force them to reevaluate what's left after they make life unbearable for independent workers and telecommuters.
Re:Toronto DSL vs. Cable - @Home, Bell Atlantic (Score:2)
LOL Nothing directly, of course.
The DSL connection is made when Linux boots.
The DSL connection is not automatically reconnected if it goes down. (I just haven't gotten around to creating the scripts.)
I haven't paid the extra $5/mo for a static IP yet, mostly because I still want the ability to log off and get a new IP address if I think someone has cracked my box. (I'm not new to using a *NIX system, just new to being root.)
The uptime display there came from telnetting (bad, I know, but I never do it as root, and my passwords are all huge and ugly) into my box, and using copy and paste to put it into a message. The DSL connection must still be up for that to work, and has been up since the computer was last booted. No interruptions, and, in fact, no IP changes, either.
Of course, I could just type "adsl-start" to restart my DSL connection if it went down, but I doubt that would work through telnet... you'll have to take my word for this (note, of course, that my IP address and username are hidden):
Last login: Mon Aug 14 15:12:32 from mail1.litton-marine.com
You have mail.
[*****@proxy *****]$ uptime
5:07pm up 20 days, 16:52, 1 user, load average: 0.00, 0.00, 0.00
[*****@proxy *****]$ cd
[*****@proxy
adsl-status: Link is up and running on interface ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:204.138.***.*** P-t-P:204.138.***.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1450 Metric:1
RX packets:1666960 errors:0 dropped:0 overruns:0 frame:0
TX packets:1175240 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
[*****@proxy
Confusion? (Score:2)
I don't get Roblimo's comment. What do VPNs have to do with NAT or IP Masquerading?
---
Re:WRONG! (Score:2)
VPN's are NOT masquerading firewalls (Score:2)
The cited portion of the @home contract is not preventing users from running masquerading (aka NAT in the non-Linux world) firewalls. VPNs are a way of tunneling network traffic over a non-secure network in a secure fashion (using encrypted connections/packets) and provide the illusion that many, spatially distant computers are communicating over a common LAN, rather than over the open internet.
There may well be a section of the @home contract that forbids masquerading/NAT firewalls; I know that such clauses were popular a year or so back (mostly specifying that only a single computer could be hooked up to the service, which pretty much forbids masquerading/NAT firewalls), but the cited section is dealing with something else entirely.
Bye Bye HEAT.net and MPlayer.com (Score:3)
I've written (email) the following letter to @home to see if they have a clue:
------------------------------------
I am a current @Home subscriber. The future of you providing my service rests on the following questions:
Pertaining to section 6 d:
'OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL'
I wish to clarify that you do indeed mean VPN and not NAT.
Question 1a) Do you really mean VPN?
1b) How does @home define a VPN?
A VPN may be implemented over HTTP or other already allowed protocols.
Question 1c) Does this also deny such a VPN?
Question 2) Do you really mean NAT?
While a NAT (Network Address Translation) computer would cut into the $6.95 it costs for an additional IP address, it is unclear why you would ban use of a Virtual Private Network (VPN), because it would not cut into profits. These two items are not related, but may be used in conjunction (but usually are not.) A VPN provides secure networking between computers over the Internet.
Question 3) Why would @home ban VPN? Note: 'Because' is not sufficient. Please explain in detail why this restriction was chosen to be amended to the agreement. Please include any examples or relevant material.
Section 9 A: You cover eavesdropping and how it is a risk. A VPN is the solution to such risk.
Question 4) Do you still wish to ban VPN?
My friends and I (all @home subscribers (for now)) wish to run a VPN. Provided that the VPN is in accordance with US and local authorities:
Question 5a) Is this permitted by @home?
5b) If so, are there any restrictions? 5c) what are those restrictions?
Question 6) What measures will @home take to prevent/and/or detect VPNs?
Question 7) If a VPN is discovered, through legal means, what measures will @home take?
Question 8a) Is packet encapsulation considered VPN? If so, it will cause services like heat.net and mplayer.com to stop functioning, since these services encapsulate IPX over IP. What about for IPv6? Also, AOL would be affected.
Question 8b) Are you aware of these ramifications?
Please note that an answer such as 'whatever is deemed necessary' is vague. Please elaborate as much as possible. Answers will be taken with consideration as to the notion of 'progress' and 'advancement' of the service. Also please place the answer to each question below that question. Please answer each question. If the answer is 'unknown', then please state 'unknown' and refer me to the appropriate person inside @home who would know.
Thank You for your time,
A current subscriber.
Re:@Home (Score:2)
--
Re:Clarifying the confusion (maybe) (Score:2)
Demanding Decryption Rights? (Score:2)
Privacy and cryptography are intimately linked in Virtual Private Networks; it's the cryptography that makes people willing to use the link at all.
So, from that I have to ask a simple question: Does @Home plan to monitor my traffic for information they can't decrypt? Is @Home saying that if I would use an unencrypted link to my work email, they'd have no problem with my working from home?
Can you imagine if a *telephone* company tried to specify who you were and weren't allowed to call, and what you were allowed to say, and that they needed to be able to understand every word you spoke?
What part of "Common Carrier" doesn't @Home understand?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Read the entire agreement!!! (Score:3)
ROBLIMO!!! Please read the links of the articles before posting them.
resell the service or otherwise charge others to use the service, in whole or in part, directly or indirectly, or on a bundled or unbundled basis. the service is to be used solely in a private residence; living quarters in a hotel, hospital, dorm, sorority or fraternity house, or boarding house; or the residential portion of a premises which is used for both business and residential purposes. without limiting the generality of the foregoing, the service is for personal and non-commercial use only and customer agrees not to use the service for operation as an internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "web hosting" or other similar applications, for any business enterprise including, but not limited to, those in competition with the service, or as an end-point on a non-comcast local area network or wide area network, or in conjunction with a vpn (virtual private network) or a vpn tunneling protocol; or
Note: I had to use Lotus Wordpro to switch this to lower case, because /.'s unintelligent bastardized lameness filter stopped me. *smile*
All it is saying, is that you cannot resell @HOME services. What is wrong with that? I think it's perfectly fine. If you want to use it commercially, you pay for such access.
But seriously. Can Slashdot posters PLEASE read links, it might reduce the amount of FUD which gets passed through.
Just throwin' my $0.02 in.. (Score:2)
For one I personally do not think Telephone or Cable companies should be in the internet business as they can't provide reliable service for their primary business let alone a secondary... Some may wish to argue this but if you think about it long enough you can find the rationale behind this...
Next I always try to find a local or regional provider before I look at any large company... This thread in and of itself is a good case in point... My ADSL service provider is a local company... I've gotten to know the company employees and have openly discussed with them my actual usage of the line... They know I run Linux (In fact they even offer tech support) and that I also have hosted web sites and a co-located box or two online as well... All of which I am paid for hosting... I've also got a complete subnet of valid IPs and could have another block in a short period of time should I need it... The point is if you find a smaller local company you generally can get on better terms with them... I'll add that the relationship I have with my provider has also been great when I've had hack attempts made on my equipment as they are as responsive as if it were their own equipment... Honestly I feel you get better quality service in the long run... My only outages have been the result of the Telco who carries the "last mile" of copper performing unscheduled maintenance on the DSLAM that they fail to inform the customer or the ISP offering ADSL service...
On the topic of the VPN... It's relatively easy for them to block IPSec VPN traffic as it uses standard ports and protocols... All you actually need to do is block the ESP (50) and AH (51) protocols along with the IKE (500) port on UDP (17).
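The three filter rules named above (IP protocol 50 for ESP, 51 for AH, UDP port 500 for IKE) can be checked against raw packets. The classifier below is an added example, not code from the post or from any ISP; the packets it inspects are constructed inline, and one plain TCP/22 packet and one DNS packet are included to show what such a rule set does not match.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example (not from the original post): a minimal IPv4 parser
# that applies the post's three rules (ESP=50, AH=51, IKE=UDP/500).
ESP, AH, UDP, TCP = 50, 51, 17, 6
IKE_PORT = 500


@dataclass
class Verdict:
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    ipsec_reason: Optional[str]  # None when the filter would pass the packet


def classify_ipv4(pkt: bytes) -> Verdict:
    """Parse one IPv4 packet and report which IPsec rule (if any) it matches."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    payload = pkt[ihl:]
    src_port = dst_port = None
    if proto in (UDP, TCP) and len(payload) >= 4:
        src_port, dst_port = struct.unpack("!HH", payload[:4])
    if proto == ESP:
        return Verdict(proto, None, None, "ESP (IP protocol 50)")
    if proto == AH:
        return Verdict(proto, None, None, "AH (IP protocol 51)")
    if proto == UDP and IKE_PORT in (src_port, dst_port):
        return Verdict(proto, src_port, dst_port, "IKE (UDP port 500)")
    return Verdict(proto, src_port, dst_port, None)


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(proto: int, payload: bytes, src="10.0.0.2", dst="10.0.0.3") -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; enough for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport: int, dport: int, data: bytes = b"") -> bytes:
    # 20-byte TCP header: seq/ack zero, data offset 5, SYN flag, window 8192
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                       8192, 0, 0) + data


# Constructed sample traffic: three IPsec packets, one SSH packet, one DNS query.
SAMPLES: Dict[str, bytes] = {
    "ike": build_ipv4(UDP, udp(500, 500, b"\x00" * 28)),
    "esp": build_ipv4(ESP, b"\x00\x00\x00\x01\x00\x00\x00\x01" + b"\x00" * 16),
    "ah": build_ipv4(AH, b"\x32\x04\x00\x00" + b"\x00" * 20),
    "ssh": build_ipv4(TCP, tcp(40123, 22)),
    "dns": build_ipv4(UDP, udp(61005, 53, b"\x00" * 12)),
}


def filtered_names(samples: Dict[str, bytes] = SAMPLES) -> List[str]:
    """Names of the samples the three rules would block, sorted."""
    return sorted(n for n, p in samples.items() if classify_ipv4(p).ipsec_reason)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = classify_ipv4(pkt)
        print(f"{name:4} proto={v.proto:3} ports={v.src_port},{v.dst_port} "
              f"-> {v.ipsec_reason or 'pass'}")
```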
Is it me (Score:2)
----------------------------
Re:VPN is a strange thing to forbid (Score:2)
Idea: Maybe the reason they do this is that VPN is sort of like the ultimate portscan-proof blocks-almost-everyone firewall. If people use tunnelling, they can set up any imaginable type of server (including servers prohibited by the TOS) without there being any means to detect it. Put up a web server or something, and have it only accessible through the tunnel, and their portscanners won't see it.
Of course, by its very nature, I would think that using a VPN would mean that the overall .. uh .. "audience" for the server would probably be rather small, perhaps among a group of friends or whatever, so it wouldn't really be contrary to the spirit of the ISP's TOS. Perhaps I'm not thinking deviously enough.
Ultimately, I think that an ISP controlling how its customers use their bandwidth makes about as much sense as a movie producer trying to control how its customers play their DVDs. And it'll be about as effective too.
---
Trick them - use something other than PPTP (Score:3)
Just trick them? Use one of the other less well known vpn solutions, like VPND [sunsite.auc.dk]. I've been using vpnd for well over a year now, and it works wonderfully. Just pick a non-standard port, and they'll never even know to look for it.
Re:Yes, poster was confused (Score:3)
They can't possibly detect ip-masq.
Unless you patch your kernel, Linux uses ports 61000 and up as the source port for masqueraded connections. A lot of traffic originating from that port range makes it at least suspicious that masquerading is used, but indeed they can never be 100% certain.
--
FWIW (Score:2)
I've written a little program [quatramaran.ens.fr] that will use the Linux ethernet tap device to take ethernet frames, optionally encrypt them using blowfish, and encapsulate them in UDP datagrams that are sent to a certain list of peers (either fixed or dynamically updated). So, in effect, it performs the task of a VPN; the advantage, though, is that the datagrams are standard UDP datagrams, which are not distinguished by their protocol number (only their port number, but that can be changed at run time), thus essentially impossible to filter from "legit" packets (there isn't even a recognizable application level header, because all is encrypted using blowfish and transmitted "as is"; changing the blowfish key could produce just about any content in the datagram). This could be useful in getting around any kind of filtering mechanism of this sort (unless they decide to completely disallow UDP, but that would be a bit fascist even for most ISPs).
I use it, together with a UDP bouncer program [quatramaran.ens.fr], to get around a fascist firewall. I used to do it on TCP, but I had all sorts of nasty resonance problems between the two TCP windows, so I dropped that (the advantage of TCP, though, is that it never lost any frames as UDP does).
Program is GPL'd. Your mileage may vary. Use at your own risk. Standard disclaimers apply.
Re:Just set up firewall to refuse packets from @ho (Score:2)
ADSL is better (Score:3)
Thus, I come to the conclusion that DSL is a better deal, provided you can find a good ISP (I strongly recommend speakeasy, they even fully support linux).
I really wouldn't worry.. (Score:3)
How do I know this? Well, I was at a conference in DC last spring called Spam Summit. Basically, everyone involved with blocking spam, or opt-in (real opt-in, like MyPoints) advertising systems got together and talked about the technology. @Home did a big presentation on anti-spam things which happened to include some talking about their policies on people running servers.
The fact of the matter is that @Home just doesn't enforce the policy. The exec from @Home giving the presentation said very clearly that they don't routinely check for servers (excepting NNTP proxies, since they had that little problem with the UDP this past winter), and they really don't care if people run them as long as they are not causing problems. He defined problems as taking up too much bandwidth, or causing a security problem for @Home itself.
So I really don't think this is a cause for concern. I doubt they're gonna bother checking for these things (they'd have to sniff the network constantly... VPNs operate on arbitrary ports, and it's not like they can check for a server, since @Home users are gonna be VPN clients (for the most part)).
-Todd
---
Yes, poster was confused (Score:3)
The reasons for restricting VPN traffic and restricting ip-masq are completely different.
ip-masq: They would restrict this if they wanted to sell you more IP numbers.
VPN: They would restrict this if they wanted to charge you BUSINESS rates for telecommuting.
They can't possibly detect ip-masq. They could only detect VPN with a lot of effort.
So don't even sweat it, just ignore this policy.
VPN != NAT (Score:3)
Using, say, masquerading for many machines inside your home or business to seem to be coming from the one IP your ISP gives you is NAT (network address translation [I prefer masquerading, it is more descriptive, more obvious to the novice])
VPN, or (virtual private networking), is when you tunnel IP over something else, so it's sort of like you have a PPP link [across the net] to some other host... and it is usually encrypted so that you can have the effect of a WAN or a dedicated private leased line, but using the public internet infrastructure instead. [Except for cpu lost in crypt [Still much cheaper
--sanemind
man signature
All Tunnels aren't IPSec (Score:3)
IPSec (service 50) is not the only way to establish a VPN. For instance, you can use IP inside IP (using either the kernel-based 'ipip.o' module, or a user-space ipip driver), or do as I do, create a PPP tunnel inside an SSH connection.
Here is how: From your machine inside a firewalled LAN (e.g. work), use the following `pppd' options file (under Debian, create it in /etc/ppp/peers, e.g. /etc/ppp/peers/my-home):
# This link is over a SSH network connection; the remote side runs pppd
pty "ssh -t -enone -C yourhost.home.net /usr/sbin/pppd noauth ipparam 172.16.0.0/16"
# IP Addresses to use for this link (local:remote)
192.168.0.1:192.168.0.2
# Let the remote host start the conversation
silent
# We trust each other
noauth
# Keep modem up even if connection fails
persist
Here, replace 172.16.0.0/16 with your company network. This will be used as argument for the PPP 'if-up' script on your home computer.
Make sure the root user on your work machine can SSH to your home machine (as root) without being prompted for a password. If necessary, run 'ssh-keygen', and copy the '/root/.ssh/identity.pub' file from work to '/root/.ssh/authorized_keys' at home.
At home, create an if-up script, as follows:
The script should contain:
#!/bin/bash
#################################################
### FILE:
### PURPOSE: Add routes after bringing up PPP link
#################################################
### The following two lines are only needed with RedHat;
### Debian supplies these from the master ip-up script.
### $1 is the interface (e.g. ppp0);
### $6 contains remote network/netmask (e.g. 172.16.0.0/16)
[ "$PPP_IFACE" ] || PPP_IFACE=$1
[ "$PPP_IPPARAM" ] || PPP_IPPARAM=$6
### Configure the route
if [ "$PPP_IPPARAM" ]
then
    ### Send the remote network over the new PPP interface
    ### (assumed command: the body of this block was blank in the post)
    route add -net "$PPP_IPPARAM" dev "$PPP_IFACE"
fi
Edit root's crontab on your work machine (crontab -e), to start this PPP link. Under Debian, it will look as follows:
*/20 * * * * netstat -rn | grep -qs ^192.168.0.2 || pon my-home
(replace 'my-home' with the name of the PPP options file in /etc/ppp/peers).
Using this, you now have a PPP over SSH tunnel to/from your home. If it breaks, it is immediately brought back up (hence "persist" above); and if too many retries have passed and PPP gives up, a new connection is retried every 20 minutes (or whatever you set the crontab line to).
Undetectable. :-)
Hodwash.. (Score:3)
OR AS AN END-POINT ON A NON-COMCAST LOCAL AREA NETWORK OR WIDE AREA NETWORK, OR IN CONJUNCTION WITH A VPN (VIRTUAL PRIVATE NETWORK) OR A VPN TUNNELING PROTOCOL;
So basically, you *CANNOT* surf the net. The Net, after all, is basically a WAN connecting many LANs together, and hence, while using the net, you are breaking the service agreement. Personally, I'd sue them like no tomorrow, because they are placing a stipulation in the agreement that disallows the service to be used for what you're actually paying it to do..
Make your own (Score:3)
I'm in the Kingston area, on COGEGO@Home, living in a student house. We have six computers sharing a cablemodem connection using a linux box running the Linux Router Project [linuxrouter.org]. Very nice. It has no HD, no fan, and does its job quietly and well. A hub and two shitty network cards were all we had to buy.
The cable guys who installed the modem were very understanding about it too... I pretended that my computer was the only one being connected, but strangely enough they ended up leaving behind enough free coax cable so that we could run it into the closet... :)
Bottom line, I have lots of friends who are running LANs behind the scenes, and, at least in the Kingston area, none of them have been hassled.
And, @Home sucks. Is ADSL any better?
Stealing addresses is technically bad. (Score:3)
Bandwidth and transfer limit checking - some cable systems are equipped for it, some aren't, some have rate-limiting hardware, some don't. To a certain extent, the obnoxious acceptable use policies against anything resembling a server are to make up for the lack of bandwidth-limiter equipment and accounting systems - otherwise they'd be happy to bill you for it, just like the other part of the cable system is happy to bill you for pay-per-view. Gradually they'll get newer equipment deployed, especially as they roll out DOCSIS, but it'll take a while to get obnoxious policies changed.
Here's a hypothetical situation... (Score:3)
How long do they think this can last? I can imagine a normal family, in the very near future, who want to share all the resources of their family network, via VPN connections. Maybe mom and dad have @Home, the son is in college, lives off-campus and has @Home, the daughter and new husband lives across town and has @Home, and maybe the family (the mom and dad) also own a cabin by the lake, and they get @Home there as well.
They want to share their files, so they each set up a fileserver, at each node: at mom and dad's, the son in his apartment, as well as the daughter (and husband). After setting these fileservers up, they probably want to access (and share) files anywhere in the network - their personal, home-use only files, nothing business related. They each are paying for their IPs. The only way to let them do what they want, securely, is via VPN connections, right? What if mom wants to print a recipe for her daughter? She could email it, or print it through the VPN connected printer at her daughter's house. Or maybe they want to set up a VPN'd family recipe book (of course, accessed via a mod'ed iOpener in the kitchen)? Or maybe they want to set up a private family email "ring", or "list" (wedding announcements, family get-togethers, etc)? Here's an angle: What about those MP3s (of CDs they own, of course) stored on the home server, that the family wants to stream to the cabin, while on vacation (this is fair use, right - or at least, domain shifting)?
@Home doesn't get it - they really don't get broadband, and the possibilities it opens for the sharing of data amongst people (or maybe they do, and are running scared, perhaps?). This hypothetical VPN use I've outlined doesn't warrant an @Work setup - it is a private VPN.
If it isn't happening already, it will - private VPNs will be the next "thing" in private home networking - and @Home is shooting themselves in the foot for disallowing this...
I wish @Home would just give us the pipe, and let US decide what to do with it!
I support the EFF [eff.org] - do you?