Geekzone: technology news, blogs, forums



233 posts

Master Geek


Topic # 92580 2-Nov-2011 10:07

Hi,

I recall the last time I checked I was using Telecom's transparent proxy but it seems it's no longer the case:

# telnet 1.1.1.1 80
Trying 1.1.1.1...
^C

 
My network knowledge tells me that transparent proxies capture all traffic, including the one for IP addresses that don't run a web server and/or are down.

Am I mistaken?

Thanks. 

PS: I am comfortable not using their proxies so I'm not looking to have it enabled, I am just wondering if they have disabled the "feature" or they are using a different method. I'm on a Total Home 60GB broadband plan. 

1309 posts

Uber Geek

Trusted

Reply # 540226 2-Nov-2011 10:23

tcpdump: Hi,

I recall the last time I checked I was using Telecom's transparent proxy but it seems it's no longer the case:

# telnet 1.1.1.1 80
Trying 1.1.1.1...
^C

 
My network knowledge tells me that transparent proxies capture all traffic, including the one for IP addresses that don't run a web server and/or are down.

Am I mistaken?


Yes, you are.

Transparent proxies only cache http traffic to allow for a faster browsing experience and reduced usage of international connectivity.  It won't cache https or any other traffic such as VPNs or tcp sessions that are reset due to the remote site being down.

tcpdump: PS: I am comfortable not using their proxies so I'm not looking to have it enabled, I am just wondering if they have disabled the "feature" or they are using a different method. I'm on a Total Home 60GB broadband plan. 


You can request a static IP, and have that IP added to the no-proxy list.

Transparent proxies by their nature shouldn't be affecting your browsing experience in any other way than a positive one by making it go faster.  That is of course if the cache hasn't got corrupted and the proxies are all bent out of shape :)




Check out my Mobile Cell Site Google Maps KML Files in my blog.
Now using Google Fusion Tables or Address Lookup or GPS using Smartphone
I update it on a monthly basis automatically from RSM.



233 posts

Master Geek


Reply # 540231 2-Nov-2011 10:34

I have a remote linux machine and I launched a tcpdump -n port 80 and host $telecom_ip

10:29:34.858398 IP $telecom_ip.36881 > $remote_server.80: Flags [S], seq 1524399974, win 14600, options [mss 1340,sackOK,TS val 208051953 ecr 0,nop,wscale 5], length 0
10:29:34.859587 IP $remote_server:80 > $telecom_ip.36881: Flags [R.], seq 0, ack 1524399975, win 0, length 0
 
This would point to a transparent proxy not being used, correct?

Thanks.

PS: Based on http://www.telecom.co.nz/packages/packages/plansandpricing/totalhomebroadband - does the "static ip address - included" mean it's free? :) 

1309 posts

Uber Geek

Trusted

Reply # 540336 2-Nov-2011 14:02

tcpdump: I have a remote linux machine and I launched a tcpdump -n port 80 and host $telecom_ip

10:29:34.858398 IP $telecom_ip.36881 > $remote_server.80: Flags [S], seq 1524399974, win 14600, options [mss 1340,sackOK,TS val 208051953 ecr 0,nop,wscale 5], length 0
10:29:34.859587 IP $remote_server:80 > $telecom_ip.36881: Flags [R.], seq 0, ack 1524399975, win 0, length 0
 
This would point to a transparent proxy not being used, correct?

Thanks.

PS: Based on http://www.telecom.co.nz/packages/packages/plansandpricing/totalhomebroadband - does the "static ip address - included" mean it's free? :) 


You wouldn't be able to tell if you are going via the transparent proxy unless you took a trace on both ends and saw different sequence numbers between source and destination.  You might see additional http headers injected into the payload but that's at layer 5 rather than 3.

I suggest you request a static IP, to me I don't see an issue with it since it only improves browsing, but if you have a specific business need / reason then put in the request and see how you go.





1599 posts

Uber Geek
Inactive user


Reply # 540352 2-Nov-2011 14:31

BarTender:
tcpdump: I have a remote linux machine and I launched a tcpdump -n port 80 and host $telecom_ip

10:29:34.858398 IP $telecom_ip.36881 > $remote_server.80: Flags [S], seq 1524399974, win 14600, options [mss 1340,sackOK,TS val 208051953 ecr 0,nop,wscale 5], length 0
10:29:34.859587 IP $remote_server:80 > $telecom_ip.36881: Flags [R.], seq 0, ack 1524399975, win 0, length 0
 
This would point to a transparent proxy not being used, correct?

Thanks.

PS: Based on http://www.telecom.co.nz/packages/packages/plansandpricing/totalhomebroadband - does the "static ip address - included" mean it's free? :) 


You wouldn't be able to tell if you are going via the transparent proxy unless you took a trace on both ends and saw different sequence numbers between source and destination.  You might see additional http headers injected into the payload but that's at layer 5 rather than 3.

I suggest you request a static IP, to me I don't see an issue with it since it only improves browsing, but if you have a specific business need / reason then put in the request and see how you go.

Would I be correct in saying that you couldn't use an Alternate DNS if you were on the transparent proxy?



233 posts

Master Geek


Reply # 540354 2-Nov-2011 14:35


Would I be correct in saying that you couldn't use an Alternate DNS if you were on the transparent proxy?


Not necessarily. They are two different things as the transparent proxy intercepts requests at the IP level (layer 3), not on the DNS level (layer 7).
 
However, I have read quite a few topics on various issues when using non-Telecom provided DNS servers.

 

6891 posts

Uber Geek

Trusted
Subscriber

Reply # 540361 2-Nov-2011 14:51

My understanding is that Telecom use a large cluster of Bluecoat devices for caching (some of the newer Cacheflow, some of the older Proxy SG).

In practice they only intercept international http requests (not https or other protocols) and serve those from the cache.

I believe a http request served from the cache will have the cache domain name added to the http headers in the server field.  You can inspect the response headers in the dev tools in any modern browser (IE9, Chrome, Firefox + Firebug addon).

It will look something like this (this is Firefox w/ Firebug addon), except the server field will have additional text like: AKmdrL2CacheBC4.telecom.co.nz



So you will probably need to inspect a http request for a static resource eg: css, js, images from an international site where the cache-control headers have been set for caching in order to see this in action.
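
The header check described in the post above, as an added example that is not part of the original post. It scans a raw HTTP response for a foreign hostname in the Server field, plus the standard Via and Age headers that caches may add. The responses are constructed samples, the cache hostname is the one quoted in the post, and the function names and the exact Server field layout are assumptions.

```python
import re

# A token that looks like a DNS name (ends in an alphabetic TLD), so version
# strings such as "2.2.15" are not mistaken for hostnames.
HOSTNAME = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")

def parse_headers(raw: bytes) -> dict:
    """Return {lower-case header name: [values]} from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_indicators(raw: bytes, origin_host: str) -> list:
    """List (header, value) pairs that suggest an intermediary cache."""
    headers = parse_headers(raw)
    found = []
    # A hostname in Server that is not the site we asked for
    for server in headers.get("server", []):
        for name in HOSTNAME.findall(server):
            if name.lower() != origin_host.lower():
                found.append(("server", name))
    # Via is added by proxies that announce themselves; not all do
    for via in headers.get("via", []):
        found.append(("via", via))
    # Age > 0 means some cache served the object (may be the site's own CDN)
    for age in headers.get("age", []):
        if age.isdigit() and int(age) > 0:
            found.append(("age", age))
    return found

# Constructed sample responses for a static resource (assumed layout)
CACHED = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.2.15 AKmdrL2CacheBC4.telecom.co.nz\r\n"
          b"Cache-Control: max-age=86400\r\n"
          b"Age: 1234\r\n"
          b"Content-Type: text/css\r\n\r\nbody{}")
DIRECT = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.2.15\r\n"
          b"Cache-Control: max-age=86400\r\n"
          b"Content-Type: text/css\r\n\r\nbody{}")

if __name__ == "__main__":
    print(cache_indicators(CACHED, "www.example.com"))
    print(cache_indicators(DIRECT, "www.example.com"))
```

An empty result does not prove the path is clean, since a cache can be configured to add nothing to the response.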

491 posts

Ultimate Geek

Trusted
Orcon

Reply # 540536 2-Nov-2011 23:48

Ragnor is pretty much on the money, with the exception that the high end cacheflows didn't allow the insertion of the via header, so if you pass through one of those you won't see it.

The Telecom cache was set up so that if your HTTP request didn't match certain criteria it would bypass the cache farm, this was to catch port 80 international traffic that wasn't actually HTTP, so if you simply open a telnet connection to an international IP on port 80 and send any random char down it you will bypass the cache :)

There are other tricks you can try and use to see if you are being proxy cached, some are reliable and others aren't, things like window scaling size etc. All depends on the cache...

The Telecom caches do secondary DNS resolution before filling a request (it is also a dns cache) so if you use a DNS cache other than the one the caches do then it will screw with your requests.
Common things like requesting facetube from google dns returning a server in the states and the cache seeing it as somewhere a lot closer, you start getting responses from servers you didn't request them from.

Also be wary of testing to a server that is international, always make sure both the request and response paths are international routes, they are not always and this causes other issues...

Paul (please Telecom, help me purge the cache from my brain:))
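
The two-ended trace comparison suggested earlier in the thread, together with the window-scaling check mentioned in the post above, as an added example that is not part of any poster's message. It parses the same SYN as captured with `tcpdump -n` at the client and at the server and reports which sender-chosen fields changed in transit. The addresses are documentation ranges, the client-side and proxied lines are constructed, the direct server-side line reuses the values from the capture posted in this thread, and the function names are assumptions.

```python
import re

SYN_RE = re.compile(
    r"IP \S+\.\d+ > \S+\.\d+: Flags \[S\], seq (?P<seq>\d+), "
    r"win (?P<win>\d+), options \[(?P<opts>[^\]]*)\]")

def parse_syn(line):
    """Extract the fields of a `tcpdump -n` SYN line that the sender chose."""
    m = SYN_RE.search(line)
    if m is None:
        raise ValueError("not a tcpdump SYN record: %r" % line)
    opts = m.group("opts")
    def opt(name):
        found = re.search(r"\b%s (\d+)" % name, opts)
        return int(found.group(1)) if found else None
    return {"seq": int(m.group("seq")), "win": int(m.group("win")),
            "mss": opt("mss"), "wscale": opt("wscale"),
            "tsval": opt("TS val"), "sack": "sackOK" in opts}

def compare_syn(client_line, server_line):
    """Return (rewritten, diffs) for the same SYN captured at both ends."""
    sent, seen = parse_syn(client_line), parse_syn(server_line)
    diffs = {k: (sent[k], seen[k]) for k in sent if sent[k] != seen[k]}
    # A router may clamp mss on a plain routed path; the initial sequence
    # number, window, timestamp and window scale normally survive end to end,
    # so a change there means a middlebox terminated or rewrote the connection.
    rewritten = any(k != "mss" for k in diffs)
    return rewritten, diffs

# Constructed capture at the client
CLIENT = ("10:29:34.801200 IP 192.168.1.5.36881 > 198.51.100.20.80: Flags [S], "
          "seq 1524399974, win 14600, options [mss 1460,sackOK,"
          "TS val 208051953 ecr 0,nop,wscale 5], length 0")
# Server side, direct path: values as in the capture posted in the thread
SERVER_DIRECT = ("10:29:34.858398 IP 192.0.2.10.36881 > 198.51.100.20.80: Flags [S], "
                 "seq 1524399974, win 14600, options [mss 1340,sackOK,"
                 "TS val 208051953 ecr 0,nop,wscale 5], length 0")
# Server side, constructed: the SYN was originated by an intermediary
SERVER_PROXIED = ("10:29:34.861003 IP 192.0.2.10.51544 > 198.51.100.20.80: Flags [S], "
                  "seq 3021945511, win 5840, options [mss 1460,sackOK,"
                  "TS val 990112 ecr 0,nop,wscale 7], length 0")

if __name__ == "__main__":
    print(compare_syn(CLIENT, SERVER_DIRECT))
    print(compare_syn(CLIENT, SERVER_PROXIED))
```

Some firewalls randomise sequence numbers without proxying the session, so a changed `seq` on its own shows rewriting by a middlebox rather than a cache specifically.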

897 posts

Ultimate Geek

Trusted
Telecom NZ

Reply # 540563 3-Nov-2011 07:56

ptinson: Paul (please Telecom, help me purge the cache from my brain:))


Cheers Paul for the insightful response... And no.. you won't ever be able to purge the cache ;).




I work for Telecom, but as always my views are my own.

491 posts

Ultimate Geek

Trusted
Orcon

Reply # 540567 3-Nov-2011 08:16

Insightful? mmm, just factual I think, nothing in that post is new.
I would still be pushing for a big change in how they run if I was still there, ah well. Such is life.
