Sorry if this is OT but my thinking is that if you don't know, then it's
going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection.
A lot of my work involves monitoring and managing remote websites.
(Probably) since the new government legislation came into effect, my
guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to
pieces like one evening last week! ), but in final testing I often
override DNS with a local host entry. This no longer works, and my SP
sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled?
b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic
through in an encrypted manner which would almost certainly circumvent
this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
--
Steve Holdoway BSc(Hons) MNZCS
We don't proxy anything, but you would need to be rural or in cbd, or bell block for a connection :)
Regards,
Matthew Harrison
Managing Director
PrimoWireless
www.primowireless.co.nz
Phone: 06 7566620
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Steve Holdoway
Sent: Saturday, 8 October 2011 1:01 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] Proxy Servers...
Sorry if this is OT but my thinking is that if you don't know, then it's going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection.
A lot of my work involves monitoring and managing remote websites.
(Probably) since the new government legislation came into effect, my guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to pieces like one evening last week! ), but in final testing I often override DNS with a local host entry. This no longer works, and my SP sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled?
b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic through in an encrypted manner which would almost certainly circumvent this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
--
Steve Holdoway BSc(Hons) MNZCS
It does sound like Vodafone are running a caching transparent http/web proxy now. These are all the rage again now with Telecom, Telstraclear, Slingshot and others running them.
I believe there are still a number of ISP's not running one: Snap, Xnet, Orcon, Maxnet ICONZ, Actrix and probably more.
You could also work around the problem by:
1: Using a different sub domain for beta, rather than changing your local dns.
2: Setup your own proxy on the non production server (eg: openSSH, sshd), then on the client/your PC (assuming Windows) use Putty to connect to the server proxy. This basically means you have your own direct secure connection to the server and you can use the FoxyProxy addon for Firefox to switch your web browser to use this connection. Your local dns entry should work then.
On 8/10/2011 1:00 p.m., Steve Holdoway wrote:
Sorry if this is OT but my thinking is that if you don't know, then it's going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection. A lot of my work involves monitoring and managing remote websites. (Probably) since the new government legislation came into effect, my guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to pieces like one evening last week! ), but in final testing I often override DNS with a local host entry. This no longer works, and my SP sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled?
b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic through in an encrypted manner which would almost certainly circumvent this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On Sat, 8 Oct 2011, Ragnor wrote:
It does sound like Vodafone are running a caching transparent http/web proxy now. These are all the rage again now with Telecom, Telstraclear, Slingshot and others running them.
I believe there are still a number of ISP's not running one: Snap, Xnet, Orcon, Maxnet ICONZ, Actrix and probably more.
Do these ISP level cache's actually work? I have long lived images with headers to indicate their age and long expire time and I get a fresh copy every time I request it from my XTRA DSL account.
We certainly notice browser caches and the Corporate proxies (lots of IE6 users, proxy doesn't support http gzip compression, often bluecoat) especially when they break (usually by caching a corrupt element or not updating properly) but I don't get the impression ISP proxies are caching even my "highly cacheable" stuff.
Is it because we are delivering bytes out of NZ? I can switch to delivering out of the US if it'll hit the "Free ISP CDN" :)
-- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
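The question in the message above can also be checked from the client side. The following Python is an added example, not part of the original thread: it reads a response head, works out whether a shared cache was allowed to reuse the object, and looks for signs that a cache rather than the origin answered. The sample heads, host names and the 5-second clock tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

CLOCK_SKEW = timedelta(seconds=5)  # assumed tolerance between our clock and the server's


def parse_head(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    status_line, _, header_block = raw.strip().partition("\n")
    return int(status_line.split()[1]), message_from_string(header_block)


def http_date(value):
    """Parse an HTTP date to an aware UTC datetime; None if missing or invalid."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def shared_freshness(headers):
    """Seconds a shared cache may reuse this response (RFC 7234 section 4.2.1)."""
    directives = {}
    for part in headers.get("Cache-Control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"')
    if directives.keys() & {"no-store", "no-cache", "private"}:
        return 0
    for name in ("s-maxage", "max-age"):
        if directives.get(name, "").isdigit():
            return int(directives[name])
    expires, date = http_date(headers.get("Expires")), http_date(headers.get("Date"))
    if headers.get("Expires") and date:
        # An unparseable Expires (such as "0") means already expired.
        return max(0, int((expires - date).total_seconds())) if expires else 0
    return 0


def cache_evidence(headers, received_at):
    """List the signs that a cache, not the origin, produced this response."""
    signs = []
    if headers.get_all("Via"):
        signs.append("via")              # a proxy that announces itself
    age = headers.get("Age", "").strip()
    if age.isdigit() and int(age) > 0:
        signs.append("age")              # Age is added by caches (RFC 7234 section 5.1)
    for name in ("X-Cache", "X-Cache-Lookup"):   # Squid-style, non-standard headers
        if headers.get(name, "").upper().startswith("HIT"):
            signs.append("x-cache-hit")
            break
    generated = http_date(headers.get("Date"))
    if generated and received_at - generated > CLOCK_SKEW:
        # Generated well before we asked. A wrong server clock looks the same,
        # and none of these signs says whose cache it was (ISP, CDN or the site's own).
        signs.append("stale-date")
    return signs


def verdict(raw_head, received_at):
    """Classify one response: who answered, and was it cacheable at all?"""
    status, headers = parse_head(raw_head)
    signs = cache_evidence(headers, received_at)
    if signs:
        return "served-by-cache", signs
    if status == 200 and shared_freshness(headers) > 0:
        return "cacheable-but-from-origin", signs
    return "not-cacheable", signs


# Constructed samples: all four are treated as received at 10:00:03 UTC.
RECEIVED_AT = datetime(2011, 10, 8, 10, 0, 3, tzinfo=timezone.utc)
LONG_LIVED = "Cache-Control: public, max-age=2592000"
ORIGIN_FRESH = "\n".join(["HTTP/1.1 200 OK", "Date: Sat, 08 Oct 2011 10:00:02 GMT",
                          LONG_LIVED, "Content-Type: image/png"])
CACHE_HIT = "\n".join(["HTTP/1.0 200 OK", "Date: Sat, 08 Oct 2011 09:40:00 GMT",
                       LONG_LIVED, "Age: 1203", "X-Cache: HIT from cache.isp.example",
                       "Via: 1.0 cache.isp.example (squid)"])
SILENT_CACHE = "\n".join(["HTTP/1.1 200 OK", "Date: Sat, 08 Oct 2011 09:40:00 GMT",
                          LONG_LIVED, "Content-Type: image/png"])
PRIVATE = "\n".join(["HTTP/1.1 200 OK", "Date: Sat, 08 Oct 2011 10:00:02 GMT",
                     "Cache-Control: private, max-age=600"])

if __name__ == "__main__":
    for label, head in [("origin", ORIGIN_FRESH), ("announced cache", CACHE_HIT),
                        ("silent cache", SILENT_CACHE), ("private", PRIVATE)]:
        print(label, verdict(head, RECEIVED_AT))
```

A "cacheable-but-from-origin" result for a long-lived image corresponds to the behaviour described in the message: the object could have been cached, yet the request still reached the origin.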
I'd be surprised if anyone is using a transparent cache for local content.
Transparent caching only makes sense if it is going to save you money. Also you would need much bigger caching boxes to handle both national and international traffic, as opposed to just international.
-----Original message-----
From: Simon Lyall
Sent: 08-10-2011, 23:24
To: nznog
Subject: Re: [nznog] Proxy Servers...
On Sat, 8 Oct 2011, Ragnor wrote:
It does sound like Vodafone are running a caching transparent http/web proxy now. These are all the rage again now with Telecom, Telstraclear, Slingshot and others running them.
I believe there are still a number of ISP's not running one: Snap, Xnet, Orcon, Maxnet ICONZ, Actrix and probably more.
Do these ISP level cache's actually work? I have long lived images with headers to indicate their age and long expire time and I get a fresh copy every time I request it from my XTRA DSL account.
We certainly notice browser caches and the Corporate proxies (lots of IE6 users, proxy doesn't support http gzip compression, often bluecoat) especially when they break (usually by caching a corrupt element or not updating properly) but I don't get the impression ISP proxies are caching even my "highly cacheable" stuff.
Is it because we are delivering bytes out of NZ? I can switch to delivering out of the US if it'll hit the "Free ISP CDN" :)
-- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
Perhaps we should measure it. :)
I'd be happy to look at the data if people had a moment to run a Glasnost test (http://www.measurementlab.net/measurement-lab-tools) - might be interesting to compare results across ISPs...
On Sat, 8 Oct 2011, Philip D'Ath wrote:
I'd be surprised if anyone is using a transparent cache for local content.
Transparent caching only makes sense if it is going to save you money. Also you would need much bigger caching boxes to handle both national and international traffic, as opposed to just international.
-- Josh Bailey
Saving money on international bandwidth with HTTP proxy caches is somewhat
dubious and I suspect (no hard facts just experience) that in the long run
it won't save you anything.
That all depends on your implementation of course.
There are a number of reasons you may want to run transparent proxy
caches, saving money is only one of them.
There are providers that offer a 'secure browsing' solution, others tend
to believe the story that it increases performance for customers as it's
local (this is possibly true if you build it right), or that you can do
interesting things at layer7 as the packets pass through, some have used
them for transcoding in mobile networks...
However many transparent proxy cache installs suffer from high operational
overhead, poor cache performance, high scale out costs and high impact on
failure (many fail closed) and many have obscure failures that mean
interruption to the customer while you work out why the magic black smoke
escaped...and how to put it back in.
I would be more than interested in people's views on the hardware that is
commonly used in these solutions. I know I have my own views on some of
them, less than happy would be mild in some cases.
Simon the xtra/telecom cache is purely international, so any of your
content that is delivered over domestic routes will not go anywhere near
it.
Paul
Random Thoughts Daily
On 9/10/11 8:39 AM, "Philip D'Ath" wrote:
I'd be surprised if anyone is using a transparent cache for local content.
Transparent caching only makes sense if it is going to save you money. Also you would need much bigger caching boxes to handle both national and international traffic, as opposed to just international.
Hi List,
I think more ISP's should implement proxies (can be OPT-OUT ?) and even extend it to something like the peering agreements that are in place. Everyone knows that int. bw costs quite a bit. Proxy solutions don't always have to be "built for purpose hardware", there are open source solutions that will do the job, with less overhead/admin and on common hardware, imho.
I think things get tricky when solutions (any and all for that matter) are "overloaded" - Hey, Let's do L7 filtering along with deep packet inspection, cut the grass, iron the clothes etc - This is when things fall apart
Cheers,
Pieter
On Sun, 9 Oct 2011, Paul Tinson wrote:
Saving money on international bandwidth with HTTP proxy caches is somewhat dubious and I suspect (no hard facts just experience) that in the long run it won't save you anything.
That all depends on your implementation of course.
There are a number of reasons you may want to run transparent proxy caches, saving money is only one of them. There are providers that offer a 'secure browsing' solution, others tend to believe the story that it increases performance for customers as it's local (this is possibly true if you build it right), or that you can do interesting things at layer7 as the packets pass through, some have used them for transcoding in mobile networks...
However many transparent proxy cache installs suffer from high operational overhead, poor cache performance, high scale out costs and high impact on failure (many fail closed) and many have obscure failures that mean interruption to the customer while you work out why the magic black smoke escaped...and how to put it back in.
I would be more than interested in people's views on the hardware that is commonly used in these solutions. I know I have my own views on some of them, less than happy would be mild in some cases.
Simon the xtra/telecom cache is purely international, so any of your content that is delivered over domestic routes will not go anywhere near it.
Paul Random Thoughts Daily
Admin overhead doesn't reduce a whole lot with an open source solution.
Many of the overheads are around cache tuning, purging stale objects,
resolving oddball issues that occur and general systems management.
<sarcasm> I have never seen an over blown solution, especially from
designers who have never built anything </sarcasm>
Very true there is many a toast making email system around, but just
because it's 'just' caching don't discount the useful ability to steer
traffic any way you can.
Do you mean caches run by the IX or inter cache communication as peering?
I could see someone trying to offer a caching service to multiple ISP's,
the try thing being able to cater for a wide range of bandwidth and
interconnect requirements.
I would imagine many an ISP would be basing what they would pay for such a
service on what it can save it in any given month, and would expect to pay
very little when it saves very little.
Unless the proposition is based around add on services like making toast.
paul
On 10/10/11 12:13 PM, "Pieter De Wit" wrote:
Hi List,
I think more ISP's should implement proxies (can be OPT-OUT ?) and even extend it to something like the peering agreements that are in place. Everyone knows that int. bw costs quite a bit. Proxy solutions don't always have to be "built for purpose hardware", there are open source solutions that will do the job, with less overhead/admin and on common hardware, imho.
I think things get tricky when solutions (any and all for that matter) are "overloaded" - Hey, Let's do L7 filtering along with deep packet inspection, cut the grass, iron the clothes etc - This is when things fall apart
Cheers,
Pieter
Hi List,
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting to grips with an application is, imho, 100 times easier than learning something from scratch.
The "peering" I had in mind was ISP's exchanging objects, rather than a cache at an IX. For you guys (and most ISP's I would assume) it's better to exchange objects over your APE/Direct link, compared to int. bw. This does not stop the IX's from having cache peers at the IX though.
As for the cost saving, it's a bit of a catch 22, BW costs are always heading down, the catch is transmission cost (from my understanding at least). Implementing this in the days of good old Dial up would have made sense. Then again, with HTML5 and media rich content on the up take, who knows :)
In a nutshell, each ISP will have to look at the cost to implement, unless someone wants to come up with a formula that will give an ISP an idea of cost per user/per megabit/per ?
Thinking "out the box here" - what if it was to be implemented for certain sites only - like youtube/google maps/<insert high BW site> ?
Cheers,
Pieter
On Mon, 10 Oct 2011, Paul Tinson wrote:
Admin overhead doesn't reduce a whole lot with an open source solution. Many of the overheads are around cache tuning, purging stale objects, resolving oddball issues that occur and general systems management.
<sarcasm> I have never seen an over blown solution, especially from designers who have never built anything </sarcasm>
Very true there is many a toast making email system around, but just because it's 'just' caching don't discount the useful ability to steer traffic any way you can.
Do you mean caches run by the IX or inter cache communication as peering? I could see someone trying to offer a caching service to multiple ISP's, the try thing being able to cater for a wide range of bandwidth and interconnect requirements.
I would imagine many an ISP would be basing what they would pay for such a service on what it can save it in any given month, and would expect to pay very little when it saves very little. Unless the proposition is based around add on services like making toast.
paul
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting to grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of say, TCL's transparent proxy which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz
I was aiming around something Squid related. Something like this:
http://www.grape-info.com/doc/cisco/router/contents/example-tproxy.html
might work depending on network.
I would also not tie this down to a single host, I would load balance it over cheaper hardware (think Google here :) )
Cheers,
Pieter
On Mon, 10 Oct 2011, Michael Fincham wrote:
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting to grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of say, TCL's transparent proxy which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz
http://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol#Redirect_from_Router_to_Cache_Engine
Nuf said.
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Pieter De Wit
Sent: Monday, 10 October 2011 2:14 p.m.
To: Michael Fincham
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Proxy Servers...
I was aiming around something Squid related. Something like this:
http://www.grape-info.com/doc/cisco/router/contents/example-tproxy.html
might work depending on network.
I would also not tie this down to a single host, I would load balance it over cheaper hardware (think Google here :) )
Cheers,
Pieter
On Mon, 10 Oct 2011, Michael Fincham wrote:
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting to grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of say, TCL's transparent proxy which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz
I know there was a reason we didn't do that @ telecom, I can't recall why
though...
On 10/10/11 2:18 PM, "Tim Price"
http://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol#Redirect_from_Router_to_Cache_Engine
Nuf said.
-----Original Message----- From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Pieter De Wit Sent: Monday, 10 October 2011 2:14 p.m. To: Michael Fincham Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Proxy Servers...
I was aiming around something Squid related. Something like this:
http://www.grape-info.com/doc/cisco/router/contents/example-tproxy.html
might work depending on network.
I would also not tie this down to a single host, I would load balance it over cheaper hardware (think Google here :) )
Cheers,
Pieter
On Mon, 10 Oct 2011, Michael Fincham wrote:
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting the grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of say, TCL's transparent proxy which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz
Using a tcp 80 policy route to your cache farm is a good start to achieve
what TCL have done, you then check what is actually going on in that TCP
stream, however when it breaks it's not transparent, in some cases you will
get error pages generated by the cache appliance as well.
Telecom has much the same setup, in that it starts with a policy route and
then some L7 magic to check it's actually an HTTP request. (none of this is
news I posted about it a few times:))
The major piece of evidence it's not transparent is that if you change your
DNS settings you can reap pain on your user experience, many of the
commercial products do secondary resolution of the host.
The secondary resolution in some is simply for 'security' and in others
it's also used to help it work out a storage algorithm that is as optimal
according to that vendor.
You can turn it off but the vendor doesn't recommend it and advises your
performance will decrease and the amount of storage required will increase
which == $$$ for more hardware.
Never discount how frustrated you can make an engineer when he/she has to
hunt the wumpus on a proxy cache. It's not fun tracking multiple tcp
streams each with their own sequence numbers, especially when load
balanced across a farm of such devices...
I know it made my Friday more than once:)
On 10/10/11 2:02 PM, "Michael Fincham"
On Mon, 10 Oct 2011 13:56:55 +1300 (NZDT), Pieter De Wit wrote:
The open source solution I was thinking of would add a "bit" of work to your current Linux/Unix admins. Getting the grips with an application is, imho, 100 times easier than learning something from scratch.
In a few words, what did you have in mind? I've looked at a few systems in the past and none of them really met my requirements for 'transparentness'.
Squid w/ TPROXY support is close to OK, but it still does expectation-breaking things like returning squid-generated failure pages in some situations.
I've definitely not come across anything with the kind of level of sophistication of say, TCL's transparent proxy which (correct me if I'm wrong) seems not to jump in unless it's pretty sure you're doing HTTP on port 80. Kudos to them for putting in a minimally invasive system.
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz
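Added example (not part of any list post): a loopback model of the setup described in the message above, a TCP/80 policy route feeding a cache that does secondary resolution of the Host header, showing why a local hosts-file override stops reaching the staging server and how a per-origin marker exposes it. The IspPath class, the X-Origin-Marker header, the host name and the IP addresses are assumptions constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HOST = "www.example.test"        # constructed site name
PROD_IP = "203.0.113.10"         # constructed (RFC 5737 documentation range)
STAGING_IP = "198.51.100.20"     # constructed (RFC 5737 documentation range)


def start_origin(name):
    """Start a loopback web server that labels every response with its name."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = f"served-by={name}\n".encode()
            self.send_response(200)
            self.send_header("X-Origin-Marker", name)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # silence per-request logging
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_marker(sock_addr, host):
    """GET / from sock_addr with the given Host header; return the origin marker."""
    conn = http.client.HTTPConnection(sock_addr[0], sock_addr[1], timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("X-Origin-Marker")
    finally:
        conn.close()


class IspPath:
    """Hypothetical model of the ISP path: a TCP/80 policy route into a cache."""

    def __init__(self, backends, proxy_dns, re_resolve_host):
        self.backends = backends            # (ip, port) -> real loopback socket
        self.proxy_dns = proxy_dns          # the cache's own view of DNS
        self.re_resolve_host = re_resolve_host

    def deliver(self, dst, host):
        upstream = dst
        intercepted = dst[1] == 80          # only port 80 is policy-routed
        if intercepted and self.re_resolve_host and host in self.proxy_dns:
            # Secondary resolution: the client's chosen IP is thrown away.
            upstream = (self.proxy_dns[host], 80)
        return fetch_marker(self.backends[upstream], host)


def probe(path, hosts_override, public_dns, expected, port=80):
    """Resolve like a client (hosts file first), fetch, and compare markers."""
    ip = hosts_override.get(HOST, public_dns[HOST])
    seen = path.deliver((ip, port), HOST)
    return {"dst_ip": ip, "served_by": seen, "override_honoured": seen == expected}


def run_demo():
    prod, staging = start_origin("production"), start_origin("staging")
    backends = {
        (PROD_IP, 80): prod.server_address,
        (STAGING_IP, 80): staging.server_address,
        (STAGING_IP, 8080): staging.server_address,
    }
    public_dns = {HOST: PROD_IP}
    override = {HOST: STAGING_IP}           # the tester's local hosts entry
    try:
        preserving = IspPath(backends, public_dns, re_resolve_host=False)
        rewriting = IspPath(backends, public_dns, re_resolve_host=True)
        return {
            "no_override": probe(rewriting, {}, public_dns, "production"),
            "dst_preserving": probe(preserving, override, public_dns, "staging"),
            "re_resolving": probe(rewriting, override, public_dns, "staging"),
            "re_resolving_8080": probe(rewriting, override, public_dns,
                                       "staging", port=8080),
        }
    finally:
        for server in (prod, staging):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:18} {result}")
```

In the model, the port 8080 case reaches staging only because the policy route matches port 80 alone; a real cache farm may classify traffic differently.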
Hello folks
Yesterday I published some numbers for Geekzone - web page load time average for New Zealand regions, cities and networks: http://www.freitasm.com/7874
I am pretty sure no other publisher have posted this kind of information in NZ before. Data was collected from Google Analytics, over a month. About 835,000 page views (NZ only) with 51,985 samples collected for speed reports.
Web page load time *IS NOT* time to download HTML. It is the time a browser takes to load a page, including all its resources, such as CSS, scripts, images, etc. It's related to user experience more than anything.
Comments welcome. Since this is probably the first time this is being done.
Cheers
Mauricio Freitas
www.geekzone.co.nz
www.freitasm.com
www.twitter.com/freitasm
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Paul Tinson
Sent: Monday, 10 October 2011 1:07 p.m.
To: Pieter De Wit
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Proxy Servers...
Admin overhead doesn't reduce a whole lot with an open source solution.
Many of the overheads are around cache tuning, purging stale objects, resolving oddball issues that occur and general systems management.
<sarcasm> I have never seen an over blown solution, especially from designers who have never built anything </sarcasm>
Very true there is many a toast making email system around, but just because it's 'just' caching don't discount the useful ability to steer traffic any way you can.
Do you mean caches run by the IX or inter cache communication as peering?
I could see someone trying to offer a caching service to multiple ISP's, the try thing being able to cater for a wide range of bandwidth and interconnect requirements.
I would imagine many an ISP would be basing what they would pay for such a service on what it can save it in any given month, and would expect to pay very little when it saves very little.
Unless the proposition is based around add on services like making toast.
paul
On 10/10/11 12:13 PM, "Pieter De Wit"
Hi List,
I think more ISP's should implement proxies (can be OPT-OUT ?) and even extend it to something like the peering agreements that are in place. Everyone knows that int. bw costs quite a bit. Proxy solutions don't always have to be "built for purpose hardware", there are open source solutions that will do the job, with less overhead/admin and on common hardware, imho.
I think things get tricky when solutions (any and all for that matter) are "overloaded" - Hey, Let's do L7 filtering along with deep packet inspection, cut the grass, iron the clothes etc - This is when things fall apart
Cheers,
Pieter
On Sun, 9 Oct 2011, Paul Tinson wrote:
Saving money on international bandwidth with HTTP proxy caches is somewhat dubious and I suspect (no hard facts just experience) that in the long run it won't save you anything.
That all depends on your implementation of course.
There are a number of reasons you may want to run transparent proxy caches, saving money is only one of them. There are providers that offer a 'secure browsing' solution, others tend to believe the story that it increases performance for customers as it's local (this is possibly true if you build it right), or that you can do interesting things at layer7 as the packets pass through, some have used them for transcoding in mobile networks...
However many transparent proxy cache installs suffer from high operational overhead, poor cache performance, high scale out costs and high impact on failure (many fail closed) and many have obscure failures that mean interruption to the customer while you work out why the magic black smoke escaped...and how to put it back in.
I would be more than interested in people's views on the hardware that is commonly used in these solutions. I know I have my own views on some of them, less than happy would be mild in some cases.
Simon the xtra/telecom cache is purely international, so any of your content that is delivered over domestic routes will not go anywhere near it.
Paul Random Thoughts Daily
On 9/10/11 8:39 AM, "Philip D'Ath" wrote:
I'd be surprised if anyone is using a transparent cache for local content.
Transparent caching only makes sense if it is going to save you money. Also you would need much bigger caching boxes to handle both national and international traffic, as opposed to just international.
-----Original message----- From: Simon Lyall Sent: 08-10-2011, 23:24 To: nznog Subject: Re: [nznog] Proxy Servers...
On Sat, 8 Oct 2011, Ragnor wrote:
It does sound like Vodafone are running a caching transparent http/web proxy now. These are all the rage again now with Telecom, Telstraclear, Slingshot and others running them.
I believe there are still a number of ISP's not running one: Snap, Xnet, Orcon, Maxnet ICONZ, Actrix and probably more.
Do these ISP level caches actually work? I have long lived images with headers to indicate their age and long expire time and I get a fresh copy every time I request it from my XTRA DSL account.
We certainly notice browser caches and the Corporate proxies (lots of IE6 users, proxy doesn't support http gzip compression, often bluecoat) especially when they break (usually by caching a corrupt element or not updating properly) but I don't get the impression ISP proxies are caching even my "highly cacheable" stuff.
Is it because we are delivering bytes out of NZ? I can switch to delivering out of the US if it'll hit the "Free ISP CDN" :)
-- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
On Mon, 21 Nov 2011 15:18:14 -0800, Mauricio Freitas wrote:
Web page load time *IS NOT* time to download HTML. It is the time a browser takes to load a page, including all its resources, such as CSS, scripts, images, etc. It's related to user experience more than anything.
How do you determine when a page load is complete?
Comments welcome. Since this is probably the first time this is being done.
If you're collecting the information via Javascript is there any scope to grab some more variables like the CPU type, browser, OS etc?
I can imagine that there may well be bigger contributors to page load time than the ISP used. For instance, what if Orcon users (for whatever reason) have on average older machines?
I think if you're testing "ISP" performance you need to be controlling for everything that is outside the ISP's control?
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482
Michael,
Thanks for your questions. I'm not collecting this data myself, it's part of Google Analytics. It was by invite only until a couple of days ago. I've been using for a while, so had a good number of samples already.
IIRC the data is collected when OnLoad event is fired. Yes, I have all that data and could cross if you want to.
The report is about User Experience, not about line speed. "What's the average user experience, measured in time to load a page, in such a city/ISP" is the question to be asked here.
The question if the ISP A or ISP B attracts an audience with more or less updated machine is not part of the thing. I'd like to believe all ISPs would have a representation of our society in general. I'm no statistician and I look at the number that tell me on average a user on Orcon will see our page take almost 12 seconds to load, while a user on nzwireless (with a close sample size) can have that in 2 seconds.
As for your worry about Orcon (which seems absurdly high)... We have an interesting audience, as in most of our readers have a different browser profile than Trade Me for example. We currently have a mix of Firefox (29.74%), IE (28.43%) , Chrome (27.36%), Safari (10.33%).
More specifically in Orcon's case, their customers use Windows (68.70%), Mac OS (21.33%). In terms of browsers they are split in Firefox (31.41%), Chrome (30.36%), Safari (17.82%) and IE (16.73%). I don't think they have slower PCs than the average New Zealander. Their customers are actually savvy enough to move away from IE and even have a good Mac OS uptake.
Remember this is web page load time, which includes the html request, followed by all resources including images, scripts, CSS, ads. Some of these resources are local, some are from third party. Those resources however are presented as the same to everyone.
Cheers
Mauricio Freitas www.geekzone.co.nz www.freitasm.com www.twitter.com/freitasm
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Michael Fincham
Sent: Tuesday, 22 November 2011 12:36 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Proxy Servers...
On Mon, 21 Nov 2011 15:18:14 -0800, Mauricio Freitas wrote:
Web page load time *IS NOT* time to download HTML. It is the time a browser takes to load a page, including all its resources, such as CSS, scripts, images, etc. It's related to user experience more than anything.
How do you determine when a page load is complete?
Comments welcome. Since this is probably the first time this is being done.
If you're collecting the information via Javascript is there any scope to grab some more variables like the CPU type, browser, OS etc? I can imagine that there may well be bigger contributors to page load time than the ISP used. For instance, what if Orcon users (for whatever reason) have on average older machines? I think if you're testing "ISP" performance you need to be controlling for everything that is outside the ISP's control? -- -Michael Fincham System Administrator, Unleash www.unleash.co.nz Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482
IANAS either, but mean values hide a lot of very interesting data.
Have you got any raw data going spare that I could Splunk?
On 22/11/2011, at 17:23, Mauricio Freitas
Michael,
Thanks for your questions. I'm not collecting this data myself, it's part of Google Analytics. It was by invite only until a couple of days ago. I've been using for a while, so had a good number of samples already.
IIRC the data is collected when OnLoad event is fired. Yes, I have all that data and could cross if you want to.
The report is about User Experience, not about line speed. "What's the average user experience, measured in time to load a page, in such a city/ISP" is the question to be asked here.
The question if the ISP A or ISP B attracts an audience with more or less updated machine is not part of the thing. I'd like to believe all ISPs would have a representation of our society in general. I'm no statistician and I look at the number that tell me on average a user on Orcon will see our page take almost 12 seconds to load, while a user on nzwireless (with a close sample size) can have that in 2 seconds.
As for your worry about Orcon (which seems absurdly high)... We have an interesting audience, as in most of our readers have a different browser profile than Trade Me for example. We currently have a mix of Firefox (29.74%), IE (28.43%) , Chrome (27.36%), Safari (10.33%).
More specifically in Orcon's case, their customers use Windows (68.70%), Mac OS (21.33%). In terms of browsers they are split in Firefox (31.41%), Chrome (30.36%), Safari (17.82%) and IE (16.73%). I don't think they have slower PCs than the average New Zealander. Their customers are actually savvy enough to move away from IE and even have a good Mac OS uptake.
Remember this is web page load time, which includes the html request, followed by all resources including images, scripts, CSS, ads. Some of these resources are local, some are from third party. Those resources however are presented as the same to everyone.
Cheers
Mauricio Freitas www.geekzone.co.nz www.freitasm.com www.twitter.com/freitasm
-----Original Message----- From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Michael Fincham Sent: Tuesday, 22 November 2011 12:36 p.m. To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Proxy Servers...
On Mon, 21 Nov 2011 15:18:14 -0800, Mauricio Freitas wrote:
Web page load time *IS NOT* time to download HTML. It is the time a browser takes to load a page, including all its resources, such as CSS, scripts, images, etc. It's related to user experience more than anything.
How do you determine when a page load is complete?
Comments welcome. Since this is probably the first time this is being done.
If you're collecting the information via Javascript is there any scope to grab some more variables like the CPU type, browser, OS etc?
I can imagine that there may well be bigger contributors to page load time than the ISP used. For instance, what if Orcon users (for whatever reason) have on average older machines?
I think if you're testing "ISP" performance you need to be controlling for everything that is outside the ISP's control?
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482
You would assume that Google have removed far outliers and anomalies from
the reported stats, or at least hope they would before allowing things
like this to be published.
A raw feed being picked apart by someone with a good statistical bent
would be interesting.
Has Google also provided a measure of load times for people who use ad
blockers vs those that don't?
Is there also a view on load time throughout a day, week, month period, can
you see any impact on load times as internet usage ramps up and down?
On 22/11/11 5:33 PM, "David Anso"
IANAS either, but mean values hide a lot of very interesting data.
Have you got any raw data going spare that I could Splunk?
On 22/11/2011, at 17:23, Mauricio Freitas wrote:
Michael,
Thanks for your questions. I'm not collecting this data myself, it's part of Google Analytics. It was by invite only until a couple of days ago. I've been using for a while, so had a good number of samples already.
IIRC the data is collected when OnLoad event is fired. Yes, I have all that data and could cross if you want to.
The report is about User Experience, not about line speed. "What's the average user experience, measured in time to load a page, in such a city/ISP" is the question to be asked here.
The question if the ISP A or ISP B attracts an audience with more or less updated machine is not part of the thing. I'd like to believe all ISPs would have a representation of our society in general. I'm no statistician and I look at the number that tell me on average a user on Orcon will see our page take almost 12 seconds to load, while a user on nzwireless (with a close sample size) can have that in 2 seconds.
As for your worry about Orcon (which seems absurdly high)... We have an interesting audience, as in most of our readers have a different browser profile than Trade Me for example. We currently have a mix of Firefox (29.74%), IE (28.43%) , Chrome (27.36%), Safari (10.33%).
More specifically in Orcon's case, their customers use Windows (68.70%), Mac OS (21.33%). In terms of browsers they are split in Firefox (31.41%), Chrome (30.36%), Safari (17.82%) and IE (16.73%). I don't think they have slower PCs than the average New Zealander. Their customers are actually savvy enough to move away from IE and even have a good Mac OS uptake.
Remember this is web page load time, which includes the html request, followed by all resources including images, scripts, CSS, ads. Some of these resources are local, some are from third party. Those resources however are presented as the same to everyone.
Cheers
Mauricio Freitas www.geekzone.co.nz www.freitasm.com www.twitter.com/freitasm
-----Original Message----- From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Michael Fincham Sent: Tuesday, 22 November 2011 12:36 p.m. To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Proxy Servers...
On Mon, 21 Nov 2011 15:18:14 -0800, Mauricio Freitas wrote:
Web page load time *IS NOT* time to download HTML. It is the time a browser takes to load a page, including all its resources, such as CSS, scripts, images, etc. It's related to user experience more than anything.
How do you determine when a page load is complete?
Comments welcome. Since this is probably the first time this is being done.
If you're collecting the information via Javascript is there any scope to grab some more variables like the CPU type, browser, OS etc?
I can imagine that there may well be bigger contributors to page load time than the ISP used. For instance, what if Orcon users (for whatever reason) have on average older machines?
I think if you're testing "ISP" performance you need to be controlling for everything that is outside the ISP's control?
-- -Michael Fincham System Administrator, Unleash www.unleash.co.nz Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482
If anybody from Westpac or ANZ is lurking. It's a really stupid idea to have your email addresses for phishing reporting go through a spam filter. Defeats the whole purpose really...
--
Jean-Francois Pirus | Technical Manager
francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
If anybody from Westpac or ANZ is lurking. It's a really stupid idea to have your email addresses for phishing reporting go through a spam filter. Defeats the whole purpose really...
Replying to an old thread and changing the subject mucks up the threading. I know it's hard and takes a couple more clicks, but copying the email address from the email you were going to reply to and starting a new message is preferred for those of us who have threading mail clients, and those who will expect to read the archives in a sane way. -- Sent from my c=64
Another similar catch with "transparent" proxies is that they can end up being half-dual-stacked, with unfortunate consequences.
Scenario: client side of the proxy is dual-stacked and the proxy code is IPv4-only. Client tries to reach ipv6.google.com, which is of course v6-only. IPv4 side of proxy barfs.
Regards
Brian Carpenter
On 2011-10-08 13:00, Steve Holdoway wrote:
Sorry if this is OT but my thinking is that if you don't know, then it's going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection. A lot of my work involves monitoring and managing remote websites. (Probably) since the new government legislation came into effect, my guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to pieces like one evening last week! ), but in final testing I often override DNS with a local host entry. This no longer works, and my SP sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled? b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic through in an encrypted manner which would almost certainly circumvent this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
If the transparent cache isn't IPv6 capable then it isn't likely to intercept the original IPv6 request to be able to break it ...
-----Original message-----
From: Brian E Carpenter
Sent: 09-10-2011, 08:14
To: Steve Holdoway
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Proxy Servers...
Another similar catch with "transparent" proxies is that they can end up being half-dual-stacked, with unfortunate consequences.
Scenario: client side of the proxy is dual-stacked and the proxy code is IPv4-only. Client tries to reach ipv6.google.com, which is of course v6-only. IPv4 side of proxy barfs.
Regards
Brian Carpenter
On 2011-10-08 13:00, Steve Holdoway wrote:
Sorry if this is OT but my thinking is that if you don't know, then it's going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection. A lot of my work involves monitoring and managing remote websites. (Probably) since the new government legislation came into effect, my guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to pieces like one evening last week! ), but in final testing I often override DNS with a local host entry. This no longer works, and my SP sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled? b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic through in an encrypted manner which would almost certainly circumvent this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
Indeed.
I'd expect that anyone that dual-stacks their proxy on the client side *and* configures it to transparently intercept IPv6 would be able to figure out dual-stacking the network side (or notice quickly when it doesn't work).
Otherwise I'd expect that nobody is intercepting IPv6 tcp/80 right now.
I'd be interested in hearing whether this is an actual observed problem.
aj
-----Original Message-----
From: Philip D'Ath
Sorry if this is OT but my thinking is that if you don't know, then it's going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection. A lot of my work involves monitoring and managing remote websites. (Probably) since the new government legislation came into effect, my guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to pieces like one evening last week! ), but in final testing I often override DNS with a local host entry. This no longer works, and my SP sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled? b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic through in an encrypted manner which would almost certainly circumvent this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
It was observed, a year or two ago, on the UoA campus, for clients in an IPv6-enabled student lab. It was an issue with an oldish version of Squid, and it actually broke a student assignment that I'd tested from a client that didn't happen to go through the proxy.
Just a point to watch when deploying a proxy on a dual stack network.
Regards
Brian Carpenter
On 2011-10-09 08:42, Alastair Johnson wrote:
Indeed.
I'd expect that anyone that dual-stacks their proxy on the client side *and* configures it to transparently intercept IPv6 would be able to figure out dual-stacking the network side (or notice quickly when it doesn't work).
Otherwise I'd expect that nobody is intercepting IPv6 tcp/80 right now.
I'd be interested in hearing whether this is an actual observed problem.
aj
-----Original Message----- From: Philip D'Ath
Sender: nznog-bounces(a)list.waikato.ac.nz
Date: Sat, 8 Oct 2011 19:35:05
To: Steve Holdoway ; Brian E Carpenter
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Proxy Servers...
If the transparent cache isn't IPv6 capable then it isn't likely to intercept the original IPv6 request to be able to break it ...
-----Original message----- From: Brian E Carpenter Sent: 09-10-2011, 08:14 To: Steve Holdoway Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Proxy Servers...
Another similar catch with "transparent" proxies is that they can end up being half-dual-stacked, with unfortunate consequences.
Scenario: client side of the proxy is dual-stacked and the proxy code is IPv4-only. Client tries to reach ipv6.google.com, which is of course v6-only. IPv4 side of proxy barfs.
Regards Brian Carpenter
On 2011-10-08 13:00, Steve Holdoway wrote:
Sorry if this is OT but my thinking is that if you don't know, then it's going to be a hard job finding one that does.
For my broadband I have a boring old iHug - now Voda - ADSL connection. A lot of my work involves monitoring and managing remote websites. (Probably) since the new government legislation came into effect, my guess is that I am now behind a transparent proxy for web traffic.
Now, I'm not *too* bothered by that ( well, except when it falls to pieces like one evening last week! ), but in final testing I often override DNS with a local host entry. This no longer works, and my SP sends me to the production one every time. This is a major problem.
Does anyone know...
a) whether this can be disabled? b) whether there is another provider out there who doesn't do this?
I've got plenty of servers worldwide that I can route all my traffic through in an encrypted manner which would almost certainly circumvent this, but I shudder to think what can of worms that would open!
Any suggestions??
Cheers,
Steve
participants (16)
- Alastair Johnson
- Brian E Carpenter
- David Anso
- Jean-Francois Pirus
- Josh Bailey
- Matthew Harrison
- Mauricio Freitas
- Michael Fincham
- Paul Tinson
- Philip D'Ath
- Pieter De Wit
- Ragnor
- Simon Lyall
- Spiro Harvey
- Steve Holdoway
- Tim Price