  Deadpool Go Sens Go Premium,VIP join:2001-03-29 Canada
·Bell Sympatico
reply to Guspaz Re: Setup Multiple VPN servers to combat Bell Throttle?
said by Guspaz: Reports are that VPNs are throttled too. Deadpool says they're not supposed to be, but then we have tests that show SCP is being throttled. It's likely that any solution will have to masquerade as HTTP. We'll be investigating possible options once the throttling hits Montreal. Hopefully it won't come to that; hopefully the League of Independent ISPs (a name I made up) will get an injunction.
Historically what we've seen with Sympatico customers is that their VPN/SSL/SSH/encrypted data would be impacted if they were to use a non-standard port for those applications. For example, using port 50,001 for SFTP (the official port is 22). This causes confusion and ends up being affected by a "better safe than sorry" type rule. -- Leafs lead season series 4-3 ...GO SENS GO
  Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC
·Colbanet
said by Deadpool: Historically what we've seen with Sympatico customers is that their VPN/SSL/SSH/encrypted data would be impacted if they were to use a non-standard port for those applications. For example, using port 50,001 for SFTP (the official port is 22). This causes confusion and ends up being affected by a "better safe than sorry" type rule.
That's the problem with relying on the test results of others; you often lack all the details. The one user who is throttled and had unfettered SCP did show his entire command line, which lets us verify that he's on the standard port (22). The other people posting results, I don't believe they confirmed which port they use.
I must admit, the "better safe than sorry" policy is a bit worrying. It implies that all existing (but not yet classified) or new protocols will be throttled until Bell decides to whitelist them.
That said, I'll be happy enough if VPN/SSL/SSH/etc. connections are, when used in a standard way, not throttled. Writing HTTP tunneling applications to be able to get an NX remote desktop connection to my server might be fun, but a waste of time :P
 excaliber
join:2007-04-18 Laval, QC
reply to Deadpool
What does Bell consider to be the "official" standard ports for various services? I use RealVNC on port 5900; would this be allowed?
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC
As long as SSH on port 22 isn't throttled, worst case is you tunnel VNC.
 excaliber
join:2007-04-18 Laval, QC 1 edit
The whole point of buying the RealVNC Enterprise Edition is to not have to use something else to create a tunnel. If it gets throttled then the major selling point of the product is worthless.
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC 1 edit
I don't see anything that particularly would avoid the use of a tunnel. Regardless, I'm merely pointing out a potential workaround. While the throttling sucks, we've got to deal with it until it's gone.
  Deadpool Go Sens Go Premium,VIP join:2001-03-29 Canada
·Bell Sympatico
reply to excaliber
said by excaliber: What does Bell consider to be the "official" standard ports for various services? I use RealVNC on port 5900; would this be allowed?
It's not so much what Bell considers "official" more so than what's been defined as "official" by the IANA (Internet Assigned Numbers Authority).
See here: »en.wikipedia.org/wiki/List_of_TC···_numbers
And here: »www.iana.org/assignments/port-numbers
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC
Neither list has anything but 5900 for VNC, while VNC setups sometimes use the ports 590x where x is the display number (display 1 is port 5901, display 2 is 5902, etc).
  Deadpool Go Sens Go Premium,VIP join:2001-03-29 Canada
·Bell Sympatico
If the VNC developers haven't applied for the new assignments, then that's a problem (and this list was last updated 2 days ago).
Or maybe they have, but it hasn't been "approved" yet?
According to the IANA: "The Registered Ports are those from 1024 through 49151. DCCP Registered ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9."
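The port ranges and the IANA registry referred to above, as an added example that is not code from anyone in this thread: a small Python checker that classifies a port by IANA range and looks it up in a constructed, abbreviated sample laid out like the registry's CSV export (the rows and the column names are assumptions to verify against the live file). It is the kind of check an administrator would run over a firewall ruleset or a list of listening services to see which ones sit on registered ports and which, like SFTP on 50,001 or VNC display 1 on 5901, do not.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed, abbreviated sample in the column layout of IANA's CSV export
# (service-names-port-numbers.csv); check rows against the live registry.
SAMPLE_REGISTRY_CSV = """Service Name,Port Number,Transport Protocol,Description
ftp,21,tcp,File Transfer Protocol [Control]
ssh,22,tcp,The Secure Shell (SSH) Protocol
vnc-server,5900,tcp,VNC Server
,49152-65535,,Dynamic and/or Private Ports
"""

def range_class(port: int) -> str:
    """Name the IANA range a port falls in (the ranges quoted in the thread)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def parse_registry(text: str) -> List[Dict[str, object]]:
    """CSV text -> rows with numeric (low, high) bounds; blank transport = any."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        spec = r["Port Number"].strip()
        if not spec:  # some real rows carry a name but no port assignment
            continue
        low, _, high = spec.partition("-")
        rows.append({"name": r["Service Name"].strip(), "low": int(low),
                     "high": int(high or low),
                     "proto": r["Transport Protocol"].strip().lower(),
                     "desc": r["Description"].strip()})
    return rows

def lookup(reg, port: int, proto: str = "tcp") -> Optional[Dict[str, object]]:
    """First registry row covering (port, proto), or None if unregistered."""
    for row in reg:
        if row["low"] <= port <= row["high"] and row["proto"] in ("", proto):
            return row
    return None

def describe(reg, port: int, proto: str = "tcp") -> str:
    """One-line verdict, e.g. for the SFTP-on-50001 or VNC-on-5901 cases."""
    row = lookup(reg, port, proto)
    if row is None or not row["name"]:
        return f"{proto}/{port}: {range_class(port)}, no service assignment"
    return f"{proto}/{port}: {range_class(port)}, assigned to {row['name']}"
```

Rows with an empty service name (the registry's unassigned and dynamic-range entries) are reported as having no assignment even though a row matched them.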
  mazhurg Premium join:2004-05-02 Portage La Prairie, MB
·TekSavvy Solutions..
·MTS
reply to Deadpool
said by Deadpool: said by excaliber: What does Bell consider to be the "official" standard ports for various services? I use RealVNC on port 5900; would this be allowed? It's not so much what Bell considers "official" more so than what's been defined as "official" by the IANA (Internet Assigned Numbers Authority). See here: »en.wikipedia.org/wiki/List_of_TC···_numbers And here: »www.iana.org/assignments/port-numbers
So... I create a killer c/s app that uses non-standard port(s), but can't implement it as it will be throttled, as I have to wait for IANA to approve and include it in the "official" list so that it can be whitelisted?
Heh, where do I buy my shares of Bellsoft?
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC
reply to Deadpool
The use of the 590x ports may be a convention rather than a standard, but it's a convention that the server software officially supports.
  non_standard
@videotron.ca
reply to Guspaz
said by Guspaz: Neither list has anything but 5900 for VNC, while VNC setups sometimes use the ports 590x where x is the display number (display 1 is port 5901, display 2 is 5902, etc).
I never use default ports. They always get hammered by brute force attempts or other lame attempts.
Bell should be aware of this and/or their flukey hardware patched.
That's like telling everyone FTP HAS to be port 21.
 Name96
join:2008-03-28
reply to Guspaz
said by Guspaz: As long as SSH on port 22 isn't throttled, worst case is you tunnel VNC.
Even if SCP passes unmolested, there is no guarantee that SSH port forwarding will work. Unlike all other SSH operations, port forwarding requires a separate connection that has no cleartext headers and will be initiated on a port pair that will be unknown to Bell Nexxia. It is highly likely that port forwarding operations will be disrupted as there is no way to whitelist them.
Using SSH for tunneling would involve a little custom engineering to send forwarded traffic over the main SCP connection.
Alternatively, one could modify OpenVPN to generate something that looks like an SSH negotiation at the beginning of every TCP session. An established TCP OpenVPN connection will be indistinguishable from an established SSH connection, so creating a fake negotiation should be enough to fool Nexxia.
 DSL_Ricer Premium join:2007-07-22
1 edit
said by Name96: Unlike all other SSH operations, port forwarding requires a separate connection
No, it doesn't create another connection. I just tried.
Edit: using OpenSSH_4.3p2
 Name96
join:2008-03-28
Looks like I misread the RFC, then. I don't use SSH routinely and haven't really looked at it in detail.
Now we just need to find some way to tunnel VPN traffic over an SSH port forward.
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC
reply to Name96
SSH tunneling only uses the one connection. That's sort of the point... Otherwise it would be useless beyond encrypting/compressing stuff.
  Deadpool Go Sens Go Premium,VIP join:2001-03-29 Canada
·Bell Sympatico
reply to non_standard
said by non_standard: said by Guspaz: Neither list has anything but 5900 for VNC, while VNC setups sometimes use the ports 590x where x is the display number (display 1 is port 5901, display 2 is 5902, etc). I never use default ports. They always get hammered by brute force attempts or other lame attempts. Bell should be aware of this and/or their flukey hardware patched. That's like telling everyone FTP HAS to be port 21.
No, but you don't HAVE to use another port either. It's a choice you make. And truth be told, if someone sets up an FTP on any other port it's to hide. Companies around the world that do business on the Internet have no choice but to rely on the already established RFCs, or else it would be a crapshoot and a complete mess.
That being said, if you choose to use FTP on a different port, that's fine, since it won't be impacted (non-SSL apps haven't proven to have any problems to date).
 Name96
join:2008-03-28
said by Deadpool: (non-SSL apps haven't proven to have any problems to date).
Would that include non-SSL protocols such as RDP, SIP/RTP VoIP and VNC?
None of these are esoteric or P2P related. None of them work.
The problem isn't a lack of signatures. The problem is that Bell is cheating its customers.
  Deadpool Go Sens Go Premium,VIP join:2001-03-29 Canada
·Bell Sympatico
said by Name96: said by Deadpool: (non-SSL apps haven't proven to have any problems to date). Would that include non-SSL protocols such as RDP, SIP/RTP VoIP and VNC? None of these are esoteric or P2P related. None of them work. The problem isn't a lack of signatures. The problem is that Bell is cheating its customers.
Can we NOT get into a right vs. wrong debate? I thought this thread was intelligent and informative without the likes of that type of post.
RDP: first I've heard (personally);
SIP/RTP VoIP: Ventrilo was an issue at first since it uses a P2P type protocol; combined with the fact that the box didn't have a signature for it, that caused the issue (fixed now, and has been for some time). I personally haven't heard of others being impacted (there is a Vonage thread here; however, others who have Vonage are NOT seeing a problem, though those people haven't changed anything in regards to the default config either);
VNC: Although we've talked about it in this thread, I haven't seen any complaint that VNC doesn't work.
And if there are complaints buried somewhere within the thousands of posts in another thread, then I suggest a new thread be created listing the problematic applications. That way Rocky and company can take it to Bell to get it fixed.