[AusNOG] Filtering services and odd things

Pete Mundy pete at fiberphone.co.nz
Tue Feb 16 11:02:04 EST 2016


Heya Tristram

I won't pass comment on the technical or political appropriateness of the approach, but I can pass comment in regard to your question about anyone else coming across that type of service before.

I've seen it widely deployed in New Zealand schools in the pre-N4L days. I'm sure there are still some out there using it now (possibly many). The NZ Ministry of Education funded said ISP (who I am guessing is the same one you've come across, only because I haven't seen it done by anyone else) to provide a web-filtering service to the schools and this was how it was implemented if the school had a connection through a different ISP. Most (not necessarily all) of their outbound port 80 and port 443 traffic traversed said tunnel (naked GRE was an alternative tunnelling option).

It reminded me of the days way back when we had an iHug 'Ultra' satellite connection which used a 33k6 dialup modem for the upstream path. As soon as 'Jetstream' (128K DSL) service became available we re-routed our upstream traffic over the DSL which in turn meant much better TCP throughput on the satellite downstream. iHug were none the wiser and the DSL provider obviously wasn't filtering on source IP back then or it would have never worked.

Anyway, just thought I'd chime in and say it was quite common on NZ school connections just a year or two ago. The schools perceived it to be a 'free service' since it was centrally funded rather than coming out of their operational budgets.

Pete


> On 16/02/2016, at 12:38 pm, Tristram Cheer <t at uber.co.nz> wrote:
> 
> Hi All,
>  
> I came across a client on our network that is using a filtering service where the client installs a device that sends all of their upload traffic over an IPSec tunnel to a 3rd party network for inspection before that network then sends the request on with the “spoofed” IP of the client’s public IP so that the download stream returns directly to the client. This way the filtering service doesn’t have to deal with the download traffic volumes. Initially it seemed ok but the more I thought about it the more it didn’t sit right with me.
>  
> Has anyone else come across this type of service before? Have you run into problems with what is in effect one way traffic from a SME/Residential connection? It seems to me that BCP38 would knock this service out and if the ISP was doing any sort of inspection that would require both up and down streams it may break their connection/degrade it. Whilst it’s technically ok it just seems a little off for a non-enterprise connection to potentially be acting “odd”. Not looking at the pros and cons of filtering but just thought I’d put it to the list to see what everyone’s thoughts are on it :)
>  
>  
> Cheers
>  
>  
> TRISTRAM CHEER
> 
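The thread's central point is that the filtering service only works where the filter provider's upstream is not applying BCP38 (strict unicast RPF) to packets leaving the filter network with the school's source address. The following is an added example, not code from either poster or from any ISP or filtering product mentioned here: a small Python model of a BCP38 ingress check at an ISP edge, run over constructed sample packets. Interface names, prefixes and addresses are all constructed (RFC 5737 documentation ranges); the strict/loose distinction follows the usual uRPF definitions.

```python
"""
Model of BCP38 / uRPF source-address validation at an ISP edge.

Added illustration for the AusNOG thread above; not any operator's
production configuration. All interface names, prefixes and packet
addresses below are constructed sample values.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "ingress src dst")

# Customer-facing ports and the prefixes legitimately sourced behind each.
# "school" is the client on its home ISP; "filter-edge" is the link from
# the third-party filtering network to *its* upstream. (Constructed.)
PREFIX_TABLE = {
    "school": [ip_network("203.0.113.0/29")],
    "filter-edge": [ip_network("198.51.100.0/24")],
}


def bcp38_permit(pkt, table=PREFIX_TABLE):
    """Strict uRPF / BCP38: permit only if the source address lies inside a
    prefix assigned to the port the packet arrived on."""
    src = ip_address(pkt.src)
    return any(src in net for net in table.get(pkt.ingress, []))


def loose_urpf_permit(pkt, table=PREFIX_TABLE):
    """Loose uRPF: permit if the source is reachable via *any* known port.
    Catches bogons but not a neighbour's prefix used on the wrong port."""
    src = ip_address(pkt.src)
    return any(src in net for nets in table.values() for net in nets)


def classify(packets, check=bcp38_permit):
    """Return (packet, permitted) pairs for every packet under the given check."""
    return [(p, check(p)) for p in packets]


def dropped(packets, check=bcp38_permit):
    """Packets the edge would discard under the given check."""
    return [p for p, ok in classify(packets, check) if not ok]


# Constructed sample traffic, all destined to the same web server.
SAMPLE = [
    # School's own direct traffic (e.g. non-80/443) on its own port.
    Packet("school", "203.0.113.5", "192.0.2.80"),
    # Filtered request re-originated by the filter provider carrying the
    # school's address, as the thread describes, on the provider's port.
    Packet("filter-edge", "203.0.113.5", "192.0.2.80"),
    # Filter provider's own management traffic from its own range.
    Packet("filter-edge", "198.51.100.9", "192.0.2.80"),
    # Private source leaking out of the school LAN.
    Packet("school", "10.0.0.1", "192.0.2.80"),
]

if __name__ == "__main__":
    for name, check in (("BCP38/strict", bcp38_permit), ("loose uRPF", loose_urpf_permit)):
        print(name)
        for pkt, ok in classify(SAMPLE, check):
            print(f"  {pkt.ingress:12} src={pkt.src:14} -> {'permit' if ok else 'DROP'}")
```

Under the strict check the second packet is dropped, which is exactly the breakage Tristram anticipates: the filtering service's forwarded requests share a source prefix with the school but arrive on a different port. Loose uRPF would let it through (the prefix is known somewhere) while still stopping the leaked private address, so whether the service survives depends on which mode, if any, the filter provider's upstream runs. From the upstream's side, the only way to keep BCP38 and still carry this traffic is an explicit, documented exception that adds the client prefix to the permitted set for that port.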