-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Ian, I made a new thread to avoid this discussion in the 'The Torouter and the DreamPlug' thread.
On Thu, Jun 09, 2011 at 11:47:10PM +0200, tagnaq wrote:
Doesn't "make random people into public (middle-only) relays" have the (well maybe not "problem", but "issue"?) that when GFW blocks them, they (the random people who bought an Excito/etc.) won't be able to connect to anything in .cn any more? Although I don't _often_ connect to .cn domains, it seems unfortunate to effectively auto-ban these people from Chinese websites.
I did not experience any problems connecting to .cn while using a relay IP address. I think they are just blocking an IP:port combination and not the entire IP address. ...but things might change
Hmm. I wonder what happens if the packets are fragmented so that the TCP port information isn't in the first fragment...
possibilities:
a) a fragmented IP packet doesn't get blocked
b) they don't allow IP fragmentation (Don't Fragment bit set)
c) their firewall is able to find out whether the fragment is part of a blocked destination (IP:port)
On 06/11/2011 06:59 PM, tagnaq wrote:
> Hmm. I wonder what happens if the packets are fragmented so that the TCP port information isn't in the first fragment...
An IP packet must be very small to fulfil this scenario (the first IP fragment is so small that it is not able to enclose the entire TCP header). IP hosts are required to be able to handle at least 576 bytes.
On Sat, Jun 11, 2011 at 07:21:53PM +0200, tagnaq wrote:
> On 06/11/2011 06:59 PM, tagnaq wrote:
>> Hmm. I wonder what happens if the packets are fragmented so that the TCP port information isn't in the first fragment...
> An IP packet must be very small to fulfil this scenario (the first IP fragment is so small that it is not able to enclose the entire TCP header). IP hosts are required to be able to handle at least 576 bytes.
Yes, but the client (say, inside China) is perfectly capable of artificially fragmenting its SYN packet. It shouldn't be too hard to check what actually happens in this case? (At least, for the current GFW configuration.)
- Ian
On 06/11/2011 07:58 PM, Ian Goldberg wrote:
> Yes, but the client (say, inside China) is perfectly capable of artificially fragmenting its SYN packet. It shouldn't be too hard to check what actually happens in this case? (At least, for the current GFW configuration.)
No, it wouldn't be hard, and I would be surprised if no one had actually tried that already. To be honest, I didn't do any search on this.
> On 06/11/2011 07:58 PM, Ian Goldberg wrote:
>> Yes, but the client (say, inside China) is perfectly capable of artificially fragmenting its SYN packet. It shouldn't be too hard to check what actually happens in this case? (At least, for the current GFW configuration.)
> No, it wouldn't be hard, and I would be surprised if no one had actually tried that already. To be honest, I didn't do any search on this.
It seems prudent to mention sniffjoke at this point: http://www.delirandom.net/sniffjoke/
All the best, Jake
On Sat, Jun 11, 2011 at 07:14:52PM +0000, Jacob Appelbaum wrote:
> On 06/11/2011 07:58 PM, Ian Goldberg wrote:
>> Yes, but the client (say, inside China) is perfectly capable of artificially fragmenting its SYN packet. It shouldn't be too hard to check what actually happens in this case? (At least, for the current GFW configuration.)
> No, it wouldn't be hard, and I would be surprised if no one had actually tried that already. To be honest, I didn't do any search on this.
> It seems prudent to mention sniffjoke at this point: http://www.delirandom.net/sniffjoke/
Right. Blocking by IP is simple enough to do. But go much deeper (even to TCP), and you can play such packetization games.
- Ian
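The fragmentation idea debated above (tagnaq's point that the first fragment would have to be tiny, Ian's point that a client can fragment its own SYN artificially, and the "packetization games" remark) can be made concrete offline. The following is an added example written for this page, not code from the thread or from any of its participants. It builds a TCP SYN inside a minimal IPv4 datagram, splits it into fragments at a chosen first-fragment size, and reports which TCP fields a filter that inspects each datagram in isolation can still read. One fact worth having in front of you while reading the thread: RFC 791 carries fragment offsets in 8-byte units, so the smallest conformant first fragment of a TCP segment is 8 bytes of TCP header, which already contains both ports (bytes 0-3); what such a fragment hides is the flags byte (byte 13), i.e. whether this is a SYN at all. Addresses, ports, the identification value and TTL are constructed for illustration (9001 is simply a plausible ORPort; 198.51.100.7 is a documentation address); the TCP checksum is left at zero because nothing here is ever sent.

```python
import ipaddress
import struct

IP_PROTO_TCP = 6
DF = 0x4000   # Don't Fragment bit in the IPv4 flags/offset word
MF = 0x2000   # More Fragments bit
TCP_SYN = 0x02


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, l4: bytes, ident: int = 0x1234,
               dont_fragment: bool = False, more_fragments: bool = False,
               frag_offset_units: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, fixed TTL 64) in front of l4."""
    flags_off = ((DF if dont_fragment else 0) | (MF if more_fragments else 0)
                 | (frag_offset_units & 0x1FFF))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, flags_off, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + l4


def parse_ipv4(pkt: bytes) -> dict:
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ident": ident, "df": bool(flags_off & DF), "mf": bool(flags_off & MF),
            "frag_off": flags_off & 0x1FFF, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def build_tcp_syn(src_port: int, dst_port: int, seq: int = 0) -> bytes:
    """20-byte TCP header with only SYN set: ports are bytes 0-3, flags are byte 13."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, TCP_SYN, 65535, 0, 0)


def fragment(packet: bytes, first_data: int, rest_data: int) -> list:
    """Split the L4 payload into IPv4 fragments of first_data, then rest_data bytes.

    Offsets are in 8-byte units (RFC 791), so every fragment but the last must
    carry a multiple of 8 bytes; a DF datagram must not be fragmented at all.
    """
    hdr = parse_ipv4(packet)
    if hdr["df"]:
        raise ValueError("DF set: this datagram must not be fragmented")
    if first_data % 8 or rest_data % 8 or first_data == 0 or rest_data == 0:
        raise ValueError("fragment data sizes must be non-zero multiples of 8")
    l4, frags, pos, size = hdr["payload"], [], 0, first_data
    while pos < len(l4):
        chunk = l4[pos:pos + size]
        last = pos + len(chunk) >= len(l4)
        frags.append(build_ipv4(hdr["src"], hdr["dst"], hdr["proto"], chunk, ident=hdr["ident"],
                                more_fragments=not last, frag_offset_units=pos // 8))
        pos, size = pos + len(chunk), rest_data
    return frags


def visible_tcp_fields(frag: bytes) -> dict:
    """What a filter that looks at one datagram in isolation can read from it."""
    hdr = parse_ipv4(frag)
    data, first = hdr["payload"], hdr["frag_off"] == 0
    return {"first_fragment": first,
            "ports": first and len(data) >= 4,    # src/dst port end at byte 3
            "flags": first and len(data) >= 14}   # TCP flags byte is byte 13


def reassemble(frags: list) -> bytes:
    """Strict reassembly: same identification, no gaps, no overlaps, last has MF=0."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda h: h["frag_off"])
    first, data, expected = parsed[0], b"", 0
    for h in parsed:
        if h["ident"] != first["ident"] or h["frag_off"] * 8 != expected:
            raise ValueError("gap, overlap or mixed identification")
        data += h["payload"]
        expected += len(h["payload"])
    if parsed[-1]["mf"]:
        raise ValueError("last fragment still has MF set")
    return build_ipv4(first["src"], first["dst"], first["proto"], data, ident=first["ident"])


def main():
    # Constructed client -> relay SYN (addresses and ports are illustrative only).
    syn = build_ipv4("10.0.0.2", "198.51.100.7", IP_PROTO_TCP, build_tcp_syn(40000, 9001))
    for first_data in (8, 16):
        frags = fragment(syn, first_data, 8)
        print(first_data, len(frags), visible_tcp_fields(frags[0]), reassemble(frags) == syn)


if __name__ == "__main__":
    main()
```

With an 8-byte first fragment the 20-byte SYN becomes three datagrams; the first still exposes both ports, so a filter keyed on IP:port can match it without reassembling anything, while a filter keyed on the SYN flag cannot (the classic "tiny fragment" case of RFC 1858). A 16-byte first fragment exposes both. Whether the firewall on a given path reassembles before filtering, drops short first fragments, or simply forbids fragmentation (tagnaq's option b, which `fragment` models by refusing DF datagrams) is exactly what a live test from inside the network would have to establish; this script only shows what each datagram reveals on its own.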
If you want to confirm whether a UDP or TCP port (or range of ports) is being blocked or not, try http://www.firebind.com