North American Network Operators Group


Re: backbone transparent proxy / connection hijacking

  • From: Danny McPherson
  • Date: Sun Jun 28 00:30:45 1998

Jeremy Porter wrote:
> Cisco policy routing can use source IP address for deciding to pass
> traffic to the cache engine.  The cache engine, normally, can be
> configured to exempt destination.  I believe that this fixes both
> issues.

Except that it's an extremely manual process to define these "exemption" 
policies on an "it's broken, please fix" basis, and something that will likely 
be duplicated hundreds or thousands of times.  Perhaps a more friendly 
deployment that allows customers to register for this "big incentive" 
individually would make the most sense, rather than just throwing it out there 
and seeing what breaks.  With this model it's true that all the benefits of 
caching wouldn't be immediately apparent, but the customer will likely be less 
annoyed when something does break, and less inclined to select a new provider.

Of course, this thread wouldn't have started had caching vendors (or better, 
their customers) agreed on what transparent actually means.  I seem to recall 
one of its definitions to be "free of deceit. (that's period)", not "free of 
deceit .. unless IP-based filtering, or the like (anything else that happens 
to break), is deployed".  Only one implementation seems to have got it right 
at this point, which seems utterly amazing.

> Expecting the customer to be able to have a clue to
> go to a www page is a bit much, tho.  Some customers have setup
> IP based authentication on their NT server, but can't figure out how
> to configure SSL which wouldn't be cached, and would be more secure.
> The burden of making this work is on the cache operator.  Also it turns
> out that the sites with the most problems with the cache are the ones
> paying the least money for service.  It's hard to feel very sorry for
> a $20/month dialup customer, who is connecting to his corporate site
> with a broken NT server. 

I'd think that a $20 dialup customer deserves the same level of service as any 
other customer, else they're obviously in the wrong market.  ...and I 
certainly wouldn't say that a server, or entire corporation, is in the wrong 
for deploying properly working IP based authentication as a first level of 
security.

-danny 
  (speaking only for myself)
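The failure mode argued over in this thread (a transparent cache engine re-originating HTTP requests from its own address, so an origin server doing IP-based authentication no longer sees the real client) and the two workarounds Jeremy describes (policy-routing exemption by source address, destination exemption on the cache) can be shown in a small simulation. This is an added example, not code from the original post or from any cache vendor; all addresses, the class names and the `run()` helper are constructed for illustration, and the model deliberately ignores everything except who the origin server believes the source address is.

```python
"""Simulation of transparent-cache interception versus IP-based origin auth.

Constructed example, not from the NANOG thread.  Addresses are hypothetical
(RFC 5737 documentation ranges) and the "origin", "cache" and "policy router"
are toy models that track only the source address the origin ends up seeing.
"""
import ipaddress
from dataclasses import dataclass, field

CACHE_ADDR = "203.0.113.10"      # hypothetical cache engine address
CORP_ADDR = "198.51.100.20"      # hypothetical corporate NT web server
ALLOWED_NET = "192.0.2.0/24"     # hypothetical range the NT server trusts


@dataclass
class Request:
    src: str
    dst: str
    path: str = "/"


@dataclass
class OriginServer:
    """Origin doing IP-based auth only: 200 if src is on the allowlist, else 403."""
    addr: str
    allow: list  # CIDR strings

    def handle(self, req: Request) -> int:
        src = ipaddress.ip_address(req.src)
        if any(src in ipaddress.ip_network(n) for n in self.allow):
            return 200
        return 403


@dataclass
class TransparentCache:
    """Intercepts port-80 flows and fetches on the client's behalf.

    Unless the destination is exempted, the origin sees the cache's address
    as the source of the request, not the client's.
    """
    addr: str
    exempt_dsts: set = field(default_factory=set)

    def forward(self, req: Request, origin: OriginServer) -> int:
        if req.dst in self.exempt_dsts:
            return origin.handle(req)          # bypass: origin sees the real client
        proxied = Request(src=self.addr, dst=req.dst, path=req.path)
        return origin.handle(proxied)          # origin sees the cache, not the client


class PolicyRouter:
    """Policy routing on the access router: redirect to the cache unless the
    source address is on an exemption list (the per-customer "fix")."""

    def __init__(self, cache: TransparentCache, exempt_srcs):
        self.cache = cache
        self.exempt_srcs = [ipaddress.ip_network(n) for n in exempt_srcs]

    def route(self, req: Request, origin: OriginServer) -> int:
        src = ipaddress.ip_address(req.src)
        if any(src in n for n in self.exempt_srcs):
            return origin.handle(req)          # exempted source goes direct
        return self.cache.forward(req, origin)


def run(exempt_srcs=(), exempt_dsts=(), allow_cache=False) -> dict:
    """Status codes seen by an allowed client and by an unrelated client for
    one deployment configuration.  allow_cache=True models the tempting
    "fix" of adding the cache's own address to the server's allowlist."""
    allow = [ALLOWED_NET]
    if allow_cache:
        allow.append(CACHE_ADDR + "/32")
    origin = OriginServer(CORP_ADDR, allow)
    cache = TransparentCache(CACHE_ADDR, set(exempt_dsts))
    router = PolicyRouter(cache, exempt_srcs)
    allowed = Request(src="192.0.2.5", dst=CORP_ADDR)      # a trusted client
    stranger = Request(src="203.0.113.77", dst=CORP_ADDR)  # anyone else behind the cache
    return {
        "allowed_client": router.route(allowed, origin),
        "other_client": router.route(stranger, origin),
    }


if __name__ == "__main__":
    print("cache, no exemptions:     ", run())
    print("cache allowlisted at origin:", run(allow_cache=True))
    print("destination exempted:     ", run(exempt_dsts=[CORP_ADDR]))
    print("source exempted:          ", run(exempt_srcs=[ALLOWED_NET]))
```

With interception and no exemptions the trusted client is refused (the origin only ever sees the cache's address), which is the "it's broken, please fix" ticket. Either exemption restores the original behaviour. The case worth noting is the one where the server operator "fixes" it by allowlisting the cache's address instead: every customer behind that cache is then authenticated as the corporate client, so the IP-based check fails open rather than closed.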