NNSquad - Network Neutrality Squad
[ NNSquad ] Re: [IP] Re: a wise word from a long time network person -- Mercury News report on Stanford hearing

I have to disagree with both Brett and Warren on this:

Brett: If you block a flow with an inline device, the amount of additional traffic the flow will generate is going to be very low if you don't send a RST, so you don't need to worry about this part. Just look at it this way: you'll get a few repeats of a 1.5 kB packet (MTU) and then it goes away. When dealing with a MB flow, this is in the noise. So if you are in-path, you don't need to bother sending a RST or anything. Amdahl's law is a wonderful thing.

However:

Warren: There are many out-of-path network devices (e.g., intrusion detection systems, spam detectors, the Great Firewall of China, and, gasp, P2P shapers) which may decide that a flow is "Bad" and should be blocked. In many cases, these are not only legal, but may be REQUIRED of network operators. Without having an inline blocking mechanism (e.g., ACL injection into a router), with the significant reliability headaches incurred, RST injection is the ONLY mechanism for a legitimate network policy enforcer to block a TCP connection. Sending an ICMP message is likely to get ignored by the endpoint, but RSTs will be respected.

Lauren: IMO, "RST Manipulation/Forging" is a loaded term, indicating that the use is illegitimate. "RST injection" is a neutral term, describing the actual process.

Additionally, anyone in the position to inject RST packets as a legitimate network operator COULD construct an in-path blocker, but probably does not for reliability or cost reasons, which makes this something of a digression in terms of considering neutrality issues. Even in the case of asymmetric routing, an in-path blocker will kill TCP flows well.

[ "RST injection" is indeed a less emotional term -- as is "nuclear device" in preference to "nuclear bomb" ... -- Lauren Weinstein, NNSquad Moderator ]