nanog mailing list archives
Re: What do you consider acceptable packet / session modification for a network operator?
From: Owen DeLong via NANOG <nanog () lists nanog org>
Date: Fri, 26 Dec 2025 02:25:13 -0800
[snip]
> Examples:
>
> - Using different source IP ranges in CGNat for ‘web’ traffic vs ‘non-web’ (i.e. port 80/443 vs all other ports) - this can break local IP discovery for peer-to-peer stuff if it relies on a ‘web’ port for an API endpoint

Even more annoying than basic CGNAT, and doesn’t really benefit the ISP.

> - Using any form of NAT / packet translation with IPv6 (not including nat64 / other v4 transition related)

Pointless, annoying, unacceptable.

> - Dropping non-TCP/UDP/ICMP protocols (outside of CGNat) - such as ‘raw’ IPSec ESP / AH without UDP encapsulation, or SCTP

Completely unacceptable.

> - TCP MSS - MSS Clamping all connections

May be necessary in limited circumstances. Best avoided if possible.

> - TCP MSS - MSS Clamping, but you instead (accidentally?) set MSS to your desired value even if it was lower before

That’s just dumb.

> - Other TCP options - Dropping syn packets with invalid/unknown options

Annoying and probably ill-advised.

> - TCP connection interception - Network operator terminates TCP session from user and then establishes a new one with the original destination. All TCP options, sequence numbers, .. are lost in this translation

I don’t know what you would call this form of proxy, but it’s not internet service.

> - Related to above - Network accepts TCP connection which it will intercept (sends SYN/ACK to user) before it confirms that the destination is reachable

A particularly ill-advised version of the above.

> - Dropping/resetting port 80 sessions that don't ‘look like’ HTTP

Unacceptable.

> - Dropping/resetting port 443 sessions that don't ‘look like’ TLS

Unacceptable.

> - Redirecting port 53 DNS queries to ISP’s own servers, regardless of destination IP

Unacceptable.

> - HTTP header injection into port 80 HTTP traffic (i.e. for user tracking)

Unacceptable.

> - HTTP content injection into port 80 HTTP traffic (i.e. replacing ads, adding dialogs, …) (and not blanket redirection for non-payment)

Unacceptable.

Owen
> Thanks,
> Andrew ‘apalrd’ Palardy
> www.apalrd.net
> https://www.youtube.com/c/apalrdsadventures
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/JCNJISMBZQ3RBO5YJQKF6EU52T73A6B7/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FHA4PZNNAWWFVKVC32UTPFFUMWPODMUB/
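The two MSS items in the quoted list (clamping everything, and the broken clamp that raises an MSS the host had deliberately set lower) are easy to check for from an endpoint if you can compare the SYN a host sent with the SYN the far side received. The following is an added example, not code from either poster: it parses the TCP option block of a raw TCP header, pulls out the MSS, computes what a correct clamp should produce (only ever lowering the value), and classifies what a middlebox did. The SYN headers it feeds itself are constructed inline for the demonstration; in practice the "sent" copy comes from a capture on the client and the "observed" copy from a capture on the server.

```python
import struct

# TCP option kinds (RFC 9293)
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: option_payload} for every option in a raw TCP header.

    Only the 20-byte fixed header plus the option block is needed; any TCP
    payload after the data offset is ignored.
    """
    if len(tcp_header) < 20:
        raise ValueError("header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:          # end of option list
            break
        if kind == TCPOPT_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        result[kind] = opts[i + 2:i + length]
        i += length
    return result


def tcp_mss(tcp_header: bytes):
    """MSS advertised in the header, or None if no MSS option is present."""
    payload = parse_tcp_options(tcp_header).get(TCPOPT_MSS)
    if payload is None:
        return None
    if len(payload) != 2:
        raise ValueError("MSS option must carry exactly 2 bytes")
    return struct.unpack("!H", payload)[0]


def build_syn(src_port: int, dst_port: int, mss=None, seq: int = 0) -> bytes:
    """Construct a minimal SYN header (sample data for the demo, not captured)."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    while len(opts) % 4:                # pad option block to a 32-bit boundary
        opts += bytes([TCPOPT_NOP])
    data_offset = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        src_port, dst_port, seq, 0,
                        data_offset << 4,   # data offset in upper nibble
                        0x02,               # flags: SYN
                        65535, 0, 0)        # window, checksum, urgent ptr
    return fixed + opts


def clamp_mss(advertised: int, cap: int) -> int:
    """What a correct clamp does: lower the MSS to the cap, never raise it."""
    return min(advertised, cap)


def classify_mss_change(sent, observed) -> str:
    """Describe what happened to the MSS between the sent and observed SYN."""
    if sent == observed:
        return "unchanged"
    if sent is None:
        return "added"
    if observed is None:
        return "stripped"
    return "lowered" if observed < sent else "raised"


def audit_path(sent_syn: bytes, observed_syn: bytes) -> str:
    """Compare the MSS of the SYN a host sent with the one the peer received."""
    return classify_mss_change(tcp_mss(sent_syn), tcp_mss(observed_syn))


if __name__ == "__main__":
    # Constructed scenarios, not captured traffic.
    host_1460 = build_syn(40000, 443, mss=1460)
    host_1200 = build_syn(40001, 443, mss=1200)   # host deliberately chose 1200
    cap = 1400
    # Correct clamp on the 1460 host: lowered to 1400.
    print(audit_path(host_1460, build_syn(40000, 443, mss=clamp_mss(1460, cap))))
    # Correct clamp on the 1200 host: left alone.
    print(audit_path(host_1200, build_syn(40001, 443, mss=clamp_mss(1200, cap))))
    # The broken "set MSS to my value regardless" clamp: raised from 1200 to 1400.
    print(audit_path(host_1200, build_syn(40001, 443, mss=cap)))
```

A "raised" result on a real sent/observed pair is the bug the thread describes: the host lowered its MSS for a reason (a tunnel, a low-MTU link) and the middlebox undid it, which shows up as stalled large transfers rather than an obvious error.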