My ZD Net colleague, George Ou, is a strident opponent of the concept of Net neutrality. He's also kind of an abusive jerk about it (see his comments on this posting). In a new posting, he touts the ability to tunnel through any firewall using DNS, then attempts to show that this feat of hacking defeats the idea that carriers could block traffic on the Internet. He writes:
"Anyone who thinks it's possible to block traffic to the Internet is fooling themselves. Even networks that restrict Ping and DNS have to permit proxy access if they want users to be able to get to the Web. Technologies like SSLVPN will actually encapsulate everything to HTML with SSL encryption and tunnel right through a proxy server"
I really don't know how long George has been fooling around with network technology, but I've covered the carriers, wired and wireless, long enough to know that they have always found ways to defeat what amount to hobbyist hacks of their network. By that, I mean that a few people can get away with anything on the Internet; it's built for wild experimentation. Carriers, however, have many ways to foil what they see as abuse of their networks and only want more. George may believe only engineers can understand this issue, but politics are a real force in network access and he refuses to acknowledge this. History shows the carriers will do almost anything to gain an unfair advantage over emerging competitors.
Sure, George, I agree: Anything may be tunneled. However, it won't necessarily be the case that the same routes will remain open as a sustained window for traffic, because admins will simply find and block the traffic. That's the history of UNIX, Windows, TCP/IP and every other network or OS stack that's ever existed.
More importantly, there is what a network administrator may be able to do, then there's what ordinary users will be able to do. The latter are already stymied by VPN restrictions on their cable or DSL service, and will never tunnel through firewalls. The fact a few people can do this does not guarantee, as George argues, that the Net will never be controlled by carriers who are granted legal authority to discriminate based on packet type, destination or source.
It's also not clear what this kind of tunneling will do to latency in the last mile. Say everyone had to turn to using PingTunnel, ICMPTX or NSTX to tunnel through firewalls on the last mile? Would performance remain acceptable or even tolerable?
There are a couple of ways to defeat this hack: 1.) Shut down pinging, except to the local DNS server; 2.) Refuse to deliver DNS referrals through the local router—in other words, if the DNS query wasn't directed to the local server, which may be in the wireless access point George uses as an example, the response from the remote DNS server would simply be discarded.
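To make the two countermeasures above concrete, here is an added example (my own illustration, not code from the original post or from any of the tunneling tools named): a small packet-policy filter that allows ICMP only when the local DNS server is one end of the exchange, and accepts DNS queries only toward the local resolver and DNS answers only from it. The resolver address, the packet records and the RFC 5737 documentation addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed address of the DNS server in the local access point (constructed value).
LOCAL_RESOLVER = "192.168.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "icmp", "udp" or "tcp"
    sport: int = 0
    dport: int = 0
    qname: Optional[str] = None   # DNS query name, when the packet is a DNS query


def policy(pkt: Packet, resolver: str = LOCAL_RESOLVER) -> Tuple[str, str]:
    """Apply the two countermeasures and return (verdict, reason)."""
    if pkt.proto == "icmp":
        # Rule 1: ping is shut down except to (and from) the local DNS server,
        # which leaves an ICMP tunnel such as PingTunnel/ICMPTX with no remote peer.
        if resolver in (pkt.src, pkt.dst):
            return "allow", "icmp-with-local-resolver"
        return "drop", "icmp-outside-resolver"
    if pkt.proto in ("udp", "tcp"):
        if pkt.dport == 53:
            # Rule 2a: queries must go to the local resolver, not straight out.
            if pkt.dst == resolver:
                return "allow", "dns-query-to-local-resolver"
            return "drop", "dns-query-bypasses-resolver"
        if pkt.sport == 53:
            # Rule 2b: answers are accepted only from the local resolver;
            # a reply from a remote DNS server is simply discarded.
            if pkt.src == resolver:
                return "allow", "dns-answer-from-local-resolver"
            return "drop", "dns-answer-from-remote-server"
    return "allow", "default"


def suspicious_query_name(qname: str, max_label: int = 40, max_total: int = 120) -> bool:
    """Rule 2 only stops DNS that bypasses the resolver; a tunnel that rides the
    local resolver's own recursion still gets out. This flags query names shaped
    like carried data: an unusually long label or an unusually long full name."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return len(qname) > max_total or any(len(label) > max_label for label in labels)


def filter_packets(packets: List[Packet],
                   resolver: str = LOCAL_RESOLVER) -> Tuple[List[Packet], Dict[str, int]]:
    """Return the packets that survive the policy and a count of drops by reason."""
    kept: List[Packet] = []
    drops: Dict[str, int] = {}
    for pkt in packets:
        verdict, reason = policy(pkt, resolver)
        if verdict == "allow":
            kept.append(pkt)
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return kept, drops


# Constructed sample traffic using RFC 5737 documentation addresses, not real hosts.
SAMPLE = [
    Packet("192.168.1.20", "192.168.1.1", "icmp"),                              # ping to resolver
    Packet("192.168.1.20", "203.0.113.9", "icmp"),                              # ping to outside host
    Packet("192.168.1.20", "192.168.1.1", "udp", 40000, 53, "www.example.com."),
    Packet("192.168.1.20", "203.0.113.9", "udp", 40001, 53, "x.t.example.net."),  # direct external DNS
    Packet("203.0.113.9", "192.168.1.20", "udp", 53, 40001),                    # answer from remote server
    Packet("192.168.1.1", "192.168.1.20", "udp", 53, 40000),                    # answer from local resolver
    Packet("192.168.1.20", "198.51.100.7", "tcp", 50000, 443),                  # ordinary HTTPS
]

if __name__ == "__main__":
    kept, drops = filter_packets(SAMPLE)
    print(len(kept), "allowed;", drops)
    for pkt in SAMPLE:
        if pkt.qname and suspicious_query_name(pkt.qname):
            print("suspicious query name:", pkt.qname)
```

Run against the sample, three packets are dropped (the outside ping, the direct external query and the remote answer) and four pass. The `suspicious_query_name` check is there because the second countermeasure, as stated, only catches queries that skip the local server; a tunnel that lets the local resolver recurse on its behalf still reaches its far end, so a real deployment would pair these rules with resolver-side monitoring of query shape and volume.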
Finally, the carriers are promoting the idea they can be the authenticator of all traffic as a "feature," which will allow them to treat all DNS queries as recursive with the only valid results being those sites that have paid for authentication through the carrier's network. That's why the carrier view of network neutrality makes sense to George, who seems never to have looked beyond the carrier rhetoric, and other network admins who believe that everything they can add to a network should be billable: It's in their interest to generate more revenue, even if it is bad for virtually everyone else wanting to profit from the Net throughput they've already purchased.
UPDATE: I regret calling George a jerk, because I was lowering myself to his level. It was small of me, like he has been throughout the debate over Net neutrality, calling me and others names, suggesting we are lying or stupidly uninformed and so forth instead of arguing the points constructively. I tried to mend the fence in comments, yet George has persisted in his disdain toward anyone who disagrees with him and continues to repeat half- and untruths that he won't correct or modify. So, I'm going to let the original version of this posting stand, just because I'm disinclined to give him an inch, since he'd obviously take a mile.
If I have offended you, dear reader, with my calling George a "jerk," I apologize to you. I hope that this blog contributes to thoughtful discussion outside this Web site as well as here, among the people kind enough to comment politely and intelligently—so many people do that it is usually easy to ignore the jerks when they show up.
George knows a lot, but not everything, about networking. His political thinking is muddled and ideological, so I'm just going to avoid commenting on his blog, because it is not constructive. Hopefully, he'll do the same and read but hold his tongue in comments here, but if he does comment with his usual vigorous absolutism and venom, I'll serve him up the appropriate dish of humble pie without the use of insults. Again, I'm sorry if I've offended you, ZD Net readers. Now, back to the show....