The amazing George and his tunneling machine

Summary: George Ou is preaching his carrier-centric anti-Net neutrality religion, again.

TOPICS: Networking

My ZD Net colleague, George Ou, is a strident opponent of the concept of Net neutrality. He's also kind of an abusive jerk about it (see his comments on this posting). In a new posting, he touts the ability to tunnel through any firewall using DNS, then attempts to show that this feat of hacking defeats the idea that carriers could block traffic on the Internet. He writes:

"Anyone who thinks it's possible to block traffic to the Internet is fooling themselves. Even networks that restrict Ping and DNS have to permit proxy access if they want users to be able to get to the Web. Technologies like SSLVPN will actually encapsulate everything to HTML with SSL encryption and tunnel right through a proxy server."

I really don't know how long George has been fooling around with network technology, but I've covered the carriers, wired and wireless, long enough to know that they have always found ways to defeat what amount to hobbyist hacks of their networks. By that, I mean that a few people can get away with anything on the Internet, which is built for wild experimentation. Carriers, however, have many ways to foil what they see as abuse of their networks and only want more. George may believe only engineers can understand this issue, but politics are a real force in network access, and he refuses to acknowledge this. History shows the carriers will do almost anything to gain an unfair advantage over emerging competitors.

Sure, George, I agree: Anything may be tunneled. However, it won't necessarily be the case that the same routes will remain open as a sustained window for traffic, because admins will simply find and block the traffic. That's the history of UNIX, Windows, TCP/IP and every other network or OS stack that's ever existed.

More importantly, there is what a network administrator may be able to do, then there's what ordinary users will be able to do. The latter are already stymied by VPN restrictions on their cable or DSL service, and will never tunnel through firewalls. The fact a few people can do this does not guarantee, as George argues, that the Net will never be controlled by carriers who are granted legal authority to discriminate based on packet type, destination or source.

It's also not clear what this kind of tunneling will do to latency in the last mile. Say everyone had to turn to using PingTunnel, ICMPTX or NSTX to tunnel through firewalls on the last mile? Would performance remain acceptable or even tolerable?

There are a couple of ways to defeat this hack: 1.) Shut down pinging, except to the local DNS server; 2.) Refuse to deliver DNS referrals through the local router—in other words, if the DNS query wasn't directed to the local server, which may be in the wireless access point George uses as an example, the response from the remote DNS server would simply be discarded.
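To show what those two countermeasures look like on the defender's side, and how an admin would spot the NSTX-style DNS tunnels named above by their encoded labels, here is an added example that is not part of the original post. The record format, the addresses (192.0.2.1 as the access point's resolver, 192.0.2.10 as a client) and every log line are constructed for illustration; they are not any product's log schema.

```python
"""Audit constructed access-point traffic against the two rules in the post:
1) ICMP echo is only allowed to the local DNS server, and
2) DNS replies that did not come from the local resolver are discarded.
A third check flags base domains whose subdomains look like tunnelled payload.
"""
import math
from collections import defaultdict, namedtuple

# Constructed record layout (assumption, not a real appliance format).
# detail = queried name for DNS records, payload bytes for ICMP echo.
Record = namedtuple("Record", "ts src dst proto detail")

LOCAL_RESOLVER = "192.0.2.1"   # assumption: the access point's own resolver
CLIENT = "192.0.2.10"          # assumption: one client behind it

# Constructed sample traffic.
LOG = [
    Record(1, CLIENT, LOCAL_RESOLVER, "dns-query", "www.example.com"),
    Record(2, LOCAL_RESOLVER, CLIENT, "dns-reply", "www.example.com"),
    Record(3, CLIENT, LOCAL_RESOLVER, "dns-query", "mail.example.org"),
    Record(4, CLIENT, LOCAL_RESOLVER, "icmp-echo", 56),
    # Tunnel-style queries: data encoded in long, high-entropy labels.
    Record(5, CLIENT, LOCAL_RESOLVER, "dns-query",
           "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.x.tunnel.test"),
    Record(6, CLIENT, LOCAL_RESOLVER, "dns-query",
           "q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.x.tunnel.test"),
    Record(7, CLIENT, LOCAL_RESOLVER, "dns-query",
           "g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8.x.tunnel.test"),
    Record(8, CLIENT, LOCAL_RESOLVER, "dns-query",
           "w9x0y1z2a3b4c5d6e7f8g9h0i1j2k3l4.x.tunnel.test"),
    # A reply that arrived from an outside server, bypassing the resolver.
    Record(9, "198.51.100.53", CLIENT, "dns-reply", "w9x0y1z2.x.tunnel.test"),
    # A ping to an outside host (rule 1 only permits pinging the resolver).
    Record(10, CLIENT, "203.0.113.7", "icmp-echo", 1400),
]


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for empty or single-symbol text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (base_domain, subdomain_payload) for a queried name.
    Base domain is approximated as the last two labels; a real deployment
    would consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def find_dns_tunnel_domains(records, min_queries=3, min_len=20, min_entropy=3.0):
    """Base domains with many distinct, long, high-entropy subdomains."""
    per_domain = defaultdict(set)
    for r in records:
        if r.proto == "dns-query":
            base, payload = split_name(r.detail)
            per_domain[base].add(payload)
    suspects = []
    for base, payloads in per_domain.items():
        if len(payloads) < min_queries:
            continue
        avg_len = sum(len(p) for p in payloads) / len(payloads)
        avg_ent = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        if avg_len >= min_len and avg_ent >= min_entropy:
            suspects.append(base)
    return sorted(suspects)


def rogue_dns_replies(records, local_resolver=LOCAL_RESOLVER):
    """Rule 2: replies not sourced from the local resolver are to be dropped."""
    return [r for r in records if r.proto == "dns-reply" and r.src != local_resolver]


def icmp_policy_violations(records, local_resolver=LOCAL_RESOLVER):
    """Rule 1: echo requests to anything but the local DNS server."""
    return [r for r in records if r.proto == "icmp-echo" and r.dst != local_resolver]


if __name__ == "__main__":
    print("tunnel-like domains:", find_dns_tunnel_domains(LOG))
    print("replies to discard:", [r.src for r in rogue_dns_replies(LOG)])
    print("disallowed pings:", [r.dst for r in icmp_policy_violations(LOG)])
```

The entropy and label-length thresholds are deliberately loose; ordinary names such as www.example.com stay well under them, while encoded payload labels are both long and close to uniformly distributed. Tune the thresholds against your own baseline before acting on the output.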

Finally, the carriers are promoting the idea they can be the authenticator of all traffic as a "feature," which will allow them to treat all DNS queries as recursive with the only valid results being those sites that have paid for authentication through the carrier's network. That's why the carrier view of network neutrality makes sense to George, who seems never to have looked beyond the carrier rhetoric, and other network admins who believe that everything they can add to a network should be billable: It's in their interest to generate more revenue, even if it is bad for virtually everyone else wanting to profit from the Net throughput they've already purchased.

UPDATE: I regret calling George a jerk, because I was lowering myself to his level. It was small of me, like he has been throughout the debate over Net neutrality, calling me and others names, suggesting we are lying or stupidly uninformed and so forth instead of arguing the points constructively. I tried to mend the fence in comments, yet George has persisted in his disdain toward anyone who disagrees with him and continues to repeat half- and untruths that he won't correct or modify. So, I'm going to let the original version of this posting stand, just because I'm disinclined to give him an inch, since he'd obviously take a mile.

If I have offended you, dear reader, with my calling George a "jerk," I apologize to you. I hope that this blog contributes to thoughtful discussion outside this Web site as well as here, among the people kind enough to comment politely and intelligently—so many people do that it is usually easy to ignore the jerks when they show up.

George knows a lot, but not everything, about networking. His political thinking is muddled and ideological, so I'm just going to avoid commenting on his blog, because it is not constructive. Hopefully, he'll do the same and read but hold his tongue in comments here, but if he does comment with his usual vigorous absolutism and venom, I'll serve him up the appropriate dish of humble pie without the use of insults. Again, I'm sorry if I've offended you, ZD Net readers. Now, back to the show....

  • The Jerk Store Called

    [i]"He's also kind of an abusive jerk about it"[/i]

    Jerk? Oh Yeah? Well,

    [i]"The jerk store called, and they're running out of you."[/i]

    Oh. George knows Networking.

    Be nice, would you?
    D T Schmitz
    • George is a big boy

      He dishes out much worse. If he can't take a little in return, he
      ought to stop writing.
      Mitch Ratcliffe
  • I wasn't even discussing Net Neutrality

    First of all, I wasn't even discussing Net Neutrality (not even remotely) in the blog you mentioned. It was in reference to local networks, and a way that people steal hotspot access. It had nothing to do with Net Neutrality. You're trying to pick a fight in the wrong place. As far as your silly reference to VPN blockage, that's about as accurate as the Cox/Craigslist conspiracy.

    Second, no one is suggesting that ISPs should be able to block anything (so long as it's not illegal like DoS attacks and the spreading of WORMS). Senator Stevens' bill has the necessary protection that bans any kind of blocking or deliberate degradation of traffic (downgrading to less than best effort). The Net Neutrality (more like "Net Stupidity") proposals that you're pushing where "all packets are equal" would outlaw the sale of QoS. Don't try to deny that by saying they don't ban QoS because the key components of the Markey and Snowe-Dorgan proposals outlaw the sale of QoS.
    • Yes, George, you were, either that or you need an editor

      I wasn't referring to a Craig's List-like mistake, George. Many
      telcos and cable providers block VPN traffic, some entirely and
      others demanding additional fees to "turn on" the port. I have
      personal experience with Comcast doing this--they wanted $40
      a month to unblock a VPN in summer 2004--I switched to a DSL
      provider because of it. If they have changed their policy, they
      will likely change it back once the Stevens bill passes. You ought
      to check on the reality the network user experiences sometime.

      To preface the remainder of this comment, let me just say:
      Forgive me if I assume erroneously that you choose your words

      Your subtext was anti-net neutrality. You ought to own up to
      that, because you are writing for the public record here--the
      sentence "Anyone who thinks it's possible to block traffic to the
      Internet is fooling themselves" is a broad statement that reaches
      beyond the local network. It is a sentence begging for wider
      application. The sentence, had it been what you said you
      intended, should have read "Anyone who thinks they can protect
      a wireless point of access from unauthorized access is fooling
      themselves" -- and I would agree with that statement. But you
      used the phrase "block traffic," which is a hot button for Net

      The fight here started when you stopped debating the technical
      and political issues and repeatedly posted with no regard to the
      fact you were talking with fellow professionals. You've been at it
      for weeks and it is tiresome, making what should be interesting
      and engaging discussion quite tedious.

      Everyone blogging on ZD Net has the credentials to carry on a
      meaningful discussion about technology and the policies that
      affect it. Moreover, everyone reading you deserves not to be
      called stupid or ignorant for disagreeing with you.

      Unless you want to be an ideologue, may I suggest this rule of
      thumb for blogging: You have a right to your opinion, but you
      don't get to call other folks "stupid" because you think you're

      As for Senator Stevens' bill, it doesn't provide any protection
      against deliberate degradation and is vague enough that it may
      not prohibit blocking. <b>Would you provide the exact text that
      does what you say?</b> I am unable to find it. For that matter,
      if you can show me the text that bans QoS agreements in the
      Markey bill or the Snowe-Dorgan amendments I would
      appreciate it. Perhaps we could discuss it civilly.

      The legislation you're knocking isn't perfect, but at least it
      acknowledges the carriers' ability to abuse their chokepoints
      between Web service and Web customer. During exchanges with
      commenters in this blog, we've had very productive discussions
      about the details of what should and should not be thought of
      as "Net neutrality" without lowering the discourse to the level
      you have.

      So, for the time being, I think you are acting like a jerk and will
      feel free to call you on it and poke you like the skunk you're
      acting like. Start to address your colleagues and the community
      who don't agree with you politely and I'll be happy to amend my
      view of, and rhetorical approach to, you.
      Mitch Ratcliffe
      • Have you not even read Markey or Snowe-Dorgan?

        "For that matter, if you can show me the text that bans QoS agreements in the Markey bill or the Snowe-Dorgan amendments I would appreciate it." You are kidding right? Have you not even read Markey or Snowe-Dorgan? Both proposals were only a couple paragraphs long and I really don't know how you missed them since you think they were so important to pass. Here is the EXACT wording.

        Markey proposal:
        (3) if the provider prioritizes or offers enhanced quality of service to data of a particular type, to prioritize or offer enhanced quality of service to all data of that type (regardless of the origin of such data) without imposing a surcharge or other consideration for such prioritization or enhanced quality of service;

        Snowe-Dorgan proposal:
        (5) only prioritize content, applications, or services accessed by a user that is made available via the Internet within the network of such broadband service provider based on the type of content, applications, or services and the level of service purchased by the user, without charge for such prioritization;

        That means if an ISP gives one person QoS, they have to give everyone QoS. If you can't understand that, then you've got some other issues to deal with. But it's about as plain as day to the average person that your brand of Net Neutrality outlaws the sale of QoS and SLA (Service Level Agreements). Your buddy Tim Karr in my debate with him last Monday finally admitted that he wants it to be law that "everyone gets QoS or no one gets QoS".

        As for no-block and no-degradation rules, it's in the bills passed by the House and the Senate. The House bill that passed without Markey has a $750,000 fine per-infraction provision in it. Unlike Markey and Snowe-Dorgan which are only a couple paragraphs long which you seem to have failed to read, the larger bills are quite lengthy and it's past 2 AM right now. But I will accept your challenge to provide proof of the no-block and no-degradation rules that have passed later in the day AFTER I've slept.

        As for the "Net Stupidity" comment, it's exactly what the DPSProject people are preaching and it seems to be their religion with "The rise of the stupid network". So the word "stupid" is a direct reference to that.
        • Wrong...

          These refer to the backbone, but does not outlaw the kind of
          QoS that exists today, which would relate to the last-mile
          connection or data center where QoS is applicable to SLAs. As
          discussed here in several postings--where I have never blasted
          QoS agreements--where the carrier provides end-to-end
          dedicated circuits they are free now and would be free under the
          legislation to offer QoS. The language is sufficiently broad that it
          should be worked out in conference committee, but it still
          enforces a basic principle of the market: You should be able to
          provide what you sell without hidden costs.

          The Markey and Snowe-Dorgan language deals with prioritizing
          packets <b>on the backbone</b>, where, if the carriers haven't
          invested in enough capacity to support the throughput they offer
          to customers at home or in a data center, they should fail. But
          what the Stevens legislation does is allow the backbone to be
          tiered so that carriers, even after selling SLAs at the end-points
          can charge more for traffic on their backbone.

          I've never met Tim Karr, he's not my "buddy." Quit the vast left-
          wing conspiracy crap, George.

          As for the stupid network, I don't think you fully understand
          what David Isenberg wrote. He never said that every end-point
          should have the same throughput, only that proprietary
          chokepoints on the backbone add greater costs than value they
          might add.
          Mitch Ratcliffe
          • Tell me where you saw the word "backbone" in those proposals

            Mitch you've got a very creative way of reading to put it politely. Those passages were about as CLEAR as possible. NOTHING in the Markey or Snowe-Dorgan amendment refers to the backbone, and why the hell would you outlaw the sale of QoS on the backbone anyways? That's just as bad.

            By the way, the only person I'm aware of that uses the word "vast" is Hillary.
          • No, I just took the time to learn about legislation

            George, is the word "wiretap" in the Constitution? No. Legislation
            is not written in jargon, but, for example, the Markey bill clearly
            delineates between last-mile and data center segments, where
            QoS is now and always will be perfectly legal:

            Nothing in this section shall prevent a broadband network
            provider from taking reasonable and nondiscriminatory
            measures to—

            (1) manage the functioning of its network to protect the security
            of such network and broadband network services, provided that
            such management does not depend upon the affiliation with the
            broadband network provider of the content, applications, or
            services on the network;

            (2) offer varied service plans to users at defined levels of
            bandwidth and different prices;

            You would do well to expand your vocabulary and stop listening
            to Rush Limbaugh to learn how to argue....
            Mitch Ratcliffe
          • Bandwidth != QoS or Prioritization

            "(1) manage the functioning of its network to protect the security of such network and broadband network services, provided that such management does not depend upon the affiliation with the broadband network provider of the content, applications, or services on the network;

            (2) offer varied service plans to users at defined levels of bandwidth and different prices;"

            Here's the outlawing of QoS text:
            (3) if the provider prioritizes or offers enhanced quality of service to data of a particular type, to prioritize or offer enhanced quality of service to all data of that type (regardless of the origin of such data) without imposing a surcharge or other consideration for such prioritization or enhanced quality of service;

            Statements 1 and 2 DO NOT negate statement 3 which explicitly forbids the sale of QoS. You don't even need to be a lawyer to see that. Permitting the sale of different levels of bandwidth at different prices does not negate the ban on charging for QoS. You really seem to be utterly confused here on the difference between "bandwidth" and "QoS". They are NOT the same thing.

            Now you're telling me I don't understand politics when you can't even understand plain English? That's really funny Mitch. I guess you can see what you want to see and you're probably used to your activist judges making things up as they go to fit their agenda. But thank you for allowing me to expose your position on this.
          • Straight and simple

            I did not think it was necessary to recite the entire text of the
            proposed legislation to counter your specious argument that
            QoS would be "banned" entirely by the bill, but you seem intent
            on quoting one clause of a federal law out of context and it is
            impossible to help you see through your ideology to the real and
            true meaning of the Markey or Snowe-Dorgan bills. That is, that
            the backbone, a jargon word you wouldn't find in legislation, is
            where tiered services would be banned. The entirety of the
            existing telecom regime would be intact if "Net neutrality"
            legislation were passed, only carriers would not be able to
            extend tiered services to the backbones. They could still, as I
            have patiently explained in postings and comments, offer
            dedicated circuits to any place on the Net, including into
            customers' homes, if they wanted to have end-to-end QoS
            Mitch Ratcliffe
      • Show me where Net Neutrality was mentioned in that blog on tunneling

        Show me where Net Neutrality was mentioned in that blog on tunneling. I don't mind debating, but please don't bring non relevant topics and blogs in to this debate.
        • Already have....

          I explained exactly how you injected the issue without mentioning

          George, you made a broad statement about the absurdity of the
          idea that traffic could be blocked, instead of a specific statement
          about wireless security. You're laying little bricks of ignorance.
          Mitch Ratcliffe
          • George was right

            Sorry I could if I wanted get free service. In fact I do. But that is another issue, as far as tunneling or piggy backing signals. Not Hard Dude. You could try to block me, but let's see here hmm! how many people in the US have Broadband. 49,391,060 ok so if I jump in with 49 million people you're going to be able to find me. Ya! I don't think so. Good luck trying. Just a quick Example SPAM: almost always spread through a hacked account or an attacked server or just piped directly through cyberspace with concealed identity. on average everyone with internet about 227 million users in US get 20 spams a day that is about 4.5 trillion spam emails a day. I am not going to confirm that what you say George said is correct but if he did he was right. As soon as high power lines come alive watch that number grow to about 8 to 20 trillion per day. The hackers will be on that right away, and don't even make me laugh by saying wireless security LOL. That is like saying Government Intelligence. It is an Oxymoron it doesn't even exist. There is not a computer made hooked to the internet that I cannot simply walk into and do as I wish. Luckily I am a good guy. I would really like to believe like you that they could block it or stop a hacker from penetrating the security but the problem is, I don't because I do it on a daily basis. It's just too freakin easy especially when some know it all "administrator" (I do use the term loosely), thinks they can block all hackers from attacking them. They can make it harder but bottom line if you can get out I can get in. If there is a signal I can steal it.
          • What?

            Ice--I can't make out what you mean. "Free service"? What free
            service? The "you can't find me in 49 million people argument"
            seems to confirm my point that filtering packets is a hard problem
            that will only add to the latency in the Net if the carriers try to do it.

            Then, you just lose me with the George is right and I can hack your
            system, which has nothing to do with Net neutrality. There's a file
            on my desktop system called "3.Top20.png"--come and get it.
            Mitch Ratcliffe
          • He's talking about free hotspot service

            He's talking about free hotspot service. That's what I was talking about in my blog, but you have Net Neutrality blinders on and you refuse to accept anyone's explanation that I wasn't talking about Net Neutrality and it's becoming quite amusing.
          • Fine, be ridiculous if you want

            That blog on tunneling had NOTHING to do with Net Neutrality. Unlike your blog, my blog hardly touches political issues. Like I said, I'll debate Net Neutrality as much as you like but you're barking up the wrong tree by picking on that particular blog. If you want to be stubborn about it, that's your problem.
      • Don't confuse "no support" with "will block"

        "Many telcos and cable providers block VPN traffic, some entirely and others demanding additional fees to "turn on" the port. I have personal experience with Comcast doing this--they wanted $40 a month to unblock a VPN in summer 2004"

        THIS IS PATENTLY FALSE! I've personally had Comcast service and I will state with 100% certainty that IPSEC, L2TP, or PPTP type VPN works just fine. BTW, newer VPN technologies like SSLVPNs that support full IP tunneling are impossible to block even if you tried since they emulate SSL HTTP traffic.,aid,75844,00.asp
        You're confusing "WE DO NOT SUPPORT VPN" with "WE WILL BLOCK VPN". The no support issue is a typical tactic used by all kinds of businesses trying to squeeze more revenues but anyone smart will simply ignore that language. It's like some application vendor telling you that their application is only "supported" on Red Hat Enterprise Linux or SuSE Enterprise Linux. Do NOT confuse "no support" for "no service".
        • They did it to me.

          Yes, George, Comcast did block me for a while because I was using a VPN. They claimed that I needed to upgrade to business class service to use this feature.

          Also, they kept shutting my service down during the early days of the Iraq war when I was watching CNN live feeds from Iraq. Even though My service was supposed to be 3 Mbps down, and the feed only used about 150 Kbps, they claimed that I was using more than my fair share. They told me that their service was never intended to be used in such a way.

          Interestingly enough, Comcast provided services that used more than the CNN feed, but they were never subject to the cutoff. When I asked a supervisor about this, she hung up the phone and put in a ticket that claimed that I disconnected my service (both cable TV and Internet). This was a complete fabrication, and the next service technician bent over backwards to restore my services, but was unable to retrieve my e-mail.

          At the time, they were the only high-speed service provider in my neighborhood. Since DSL arrived (I sold an easement to the telco for a DSL box), Comcast has been much more cooperative.

          Government sanctioned monopolies are no better than free-market monopolies.
          • Re: They did it to me.
            When did they block your VPN? You said it was for a while, so I would be interested in knowing when they gave up and let you use it. Was it a PPTP VPN or IPSec?

            Besides the CNN live feeds, were you moving large amounts of any other kind of data?
          • I used all 3 kinds of VPN

            I used PPTP, L2TP, IPSEC, SSLVPN (full IP tunnel through SSL on port 443) all through 2004 and 2005 on Comcast. I even downloaded large BitTorrents. I didn't have a problem.