Difference: EvilMiddlebox (1 vs. 13)

Revision 132012-10-31 - AlexGall

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Changed:
<
<
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them. Examples are HTTP proxy, Gateway proxy (all protocols). Normally, these devices are installed for security reasons to filter out "bad" traffic. Bad traffic may be viri, trojans, evil javascript, or anything that is not known to the device. Sometimes also so called rate shapers are installed as middleboxes; while these do not change the contents of the traffic, they do drop packets according to rules only known by themselves. Bugs in such middleboxes can have fatal consequences for "legitimate" Internet traffic which may lead to performance or even worse connection issues.
>
>
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them. Examples are HTTP proxy, Gateway proxy (all protocols). Normally, these devices are installed for security reasons to filter out "bad" traffic. Bad traffic may be viri, trojans, evil javascript, or anything that is not known to the device. Sometimes also so called rate shapers are installed as middleboxes; while these do not change the contents of the traffic, they do drop packets according to rules only known by themselves. Bugs in such middleboxes can have fatal consequences for "legitimate" Internet traffic which may lead to performance or even worse connection issues.
  Middleboxes come in all shapes and flavors. The most popular are firewalls:
Line: 22 to 19
 
  • WindowScalingProblems: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.

DNS Based global load balancing problems

Changed:
<
<
>
>

Juniper SRX3600 mistreats fragmented IPv6 packets

 
Added:
>
>
This firewall (up to at least version 11.4R3.7) performs fragment reassembly in order to apply certain checks to the entire datagram, for example in "DNS ALG" mode. It then tries to forward the reassembled packet instead of the initial fragments, which triggers ICMP "packet too big" messages if the full datagram is larger than the MTU of the next link. This will lead to a permanent failure on this path, because the (correct) fragmentation at the sender is annihilated by the erroneous reassembly at the firewall.

The same issue has also been found with some models of the Fortigate firewall.

-- ChrisWelti - 01 Mar 2005
-- PekkaSavola - 10 Oct 2006

 
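Review bot: the Fortigate sentence in this hunk gives no model or firmware version, while the Juniper paragraph above it does ("up to at least version 11.4R3.7"); state which Fortigate models were observed and when, or mark it as a second-hand report. The Juniper paragraph would also benefit from a one-line diagnostic so the next reader can confirm the same failure rather than guess: a capture on the ingress side should show the sender's IPv6 fragments arriving, a capture on the egress side should show a single reassembled datagram leaving, and the next hop should answer with ICMPv6 "packet too big". If Juniper assigned a bug or PR identifier for this behaviour, cite it here rather than only the version number.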
Deleted:
<
<
-- ChrisWelti - 01 Mar 2005
-- PekkaSavola - 10 Oct 2006
 -- PekkaSavola - 07 Nov 2006
Added:
>
>
-- AlexGall - 2012-10-31
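Review bot: the signature move in this hunk silently drops "-- PekkaSavola - 07 Nov 2006": the Deleted block removes three signature lines but the Added block above re-adds only the 2005 and 10 Oct 2006 ones. If the omission is not intentional, restore the 07 Nov 2006 line alongside the new AlexGall signature.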

Revision 122006-11-07 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 19 to 19
 

A Cisco IOS Firewall in August 2006 in Funet:

Changed:
<
<
Some older versions of PIX could also be affected by window scaling issues.
>
>
  • WindowScalingProblems: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.
 

DNS Based global load balancing problems

Revision 112006-11-07 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 19 to 19
 

A Cisco IOS Firewall in August 2006 in Funet:

Changed:
<
<
  • WindowScalingProblem: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec).
>
>
 Some older versions of PIX could also be affected by window scaling issues.

DNS Based global load balancing problems

Revision 102006-11-07 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them. Examples are HTTP proxy, Gateway proxy (all protocols). Normally, these devices are installed for security reasons to filter out "bad" traffic. Bad traffic may be viri, trojans, evil javascript, or anything that is not known to the device. Sometimes also so called rate shapers are installed as middleboxes; while these do not change the contents of the traffic, they do drop packets according to rules only known by themselves. Bugs in such middleboxes can have fatal consequences for "legitimate" Internet traffic which may lead to performance or even worse connection issues.
Changed:
<
<
Two examples for performance issues that occurred in the beginning of 2005 in the SWITCH network:
>
>
Middleboxes come in all shapes and flavors. The most popular are firewalls:
 
Changed:
<
<
- HttpProxy: very slow response from a webserver only for a specific circle of people
>
>
 
Changed:
<
<
- GatewayProxy: tcp transfers get stalled as soon as a packet is lost on the local segment from the middlebox to the end host.
>
>

Examples of experienced performance issues

 
Changed:
<
<
A Cisco IOS Firewall was found to cause issues in August 2006 in Funet network:
>
>

Two examples in the beginning of 2005 in SWITCH:

 
Changed:
<
<
- WindowScalingProblems: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.
>
>
  • HttpProxy: very slow response from a webserver only for a specific circle of people
 
Changed:
<
<
Firewalls have been reported to break window-scaling enabled sessions before as well, see e.g., LWN Article, "TCP window scaling and broken routers", on July 7, 2004
>
>
  • GatewayProxy: tcp transfers get stalled as soon as a packet is lost on the local segment from the middlebox to the end host.
 
Changed:
<
<
Another example of an evil middle box that can cause problems would be Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work
>
>

A Cisco IOS Firewall in August 2006 in Funet:

 
Changed:
<
<
Middleboxes come in all shapes and flavors. The most popular are firewalls:
>
>
  • WindowScalingProblem: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec).
Some older versions of PIX could also be affected by window scaling issues.
 
Changed:
<
<
* Check Point VPN-1 & FireWall-1 NG Performance Tuning Guide
>
>

DNS Based global load balancing problems

 

-- ChrisWelti - 01 Mar 2005
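Review bot: in this reordering, the line "* Check Point VPN-1 & FireWall-1 NG Performance Tuning Guide" appears only on the removed side of the last Changed block and is not re-added in any of the visible hunks; verify that the reference still exists somewhere on the page after the reorder, otherwise the only external pointer under "The most popular are firewalls:" is lost. The same applies to the LWN "TCP window scaling and broken routers" reference, which is also only on a removed side here.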

Revision 92006-11-07 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 13 to 13
  A Cisco IOS Firewall was found to cause issues in August 2006 in Funet network:
Changed:
<
<
- CiscoFirewallWindowScaling: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.
>
>
- WindowScalingProblems: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.
  Firewalls have been reported to break window-scaling enabled sessions before as well, see e.g., LWN Article, "TCP window scaling and broken routers", on July 7, 2004

Revision 82006-11-07 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 15 to 15
  - CiscoFirewallWindowScaling: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.
Added:
>
>
Firewalls have been reported to break window-scaling enabled sessions before as well, see e.g., LWN Article, "TCP window scaling and broken routers", on July 7, 2004
 Another example of an evil middle box that can cause problems would be Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work
Line: 23 to 25
  * Check Point VPN-1 & FireWall-1 NG Performance Tuning Guide

Changed:
<
<
-- ChrisWelti - 01 Mar 2005 -- PekkaSavola - 10 Oct 2006
>
>
-- ChrisWelti - 01 Mar 2005
-- PekkaSavola - 10 Oct 2006
-- PekkaSavola - 07 Nov 2006
 

Revision 72006-10-10 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 13 to 13
  A Cisco IOS Firewall was found to cause issues in August 2006 in Funet network:
Changed:
<
<
- CiscoFirewallWindowScaling: when window scaling was enabled, performance was bad (10-20 KBytes/sec) for FTP transfers. Some older versions of PIX could also be affected by window scaling issues.
>
>
- CiscoFirewallWindowScaling: when window scaling was enabled, TCP performance was bad (10-20 KBytes/sec). Some older versions of PIX could also be affected by window scaling issues.
  Another example of an evil middle box that can cause problems would be Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work
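Review bot: this hunk widens "performance was bad (10-20 KBytes/sec) for FTP transfers" to "TCP performance was bad (10-20 KBytes/sec)", which turns one measured case into a general claim; either note that other TCP applications showed the same throughput, or keep the FTP qualifier so readers know what was actually measured.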

Revision 62006-10-10 - PekkaSavola

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 11 to 11
  - GatewayProxy: tcp transfers get stalled as soon as a packet is lost on the local segment from the middlebox to the end host.
Changed:
<
<
More details on these two cases will be posted later on.
>
>
A Cisco IOS Firewall was found to cause issues in August 2006 in Funet network:

- CiscoFirewallWindowScaling: when window scaling was enabled, performance was bad (10-20 KBytes/sec) for FTP transfers. Some older versions of PIX could also be affected by window scaling issues.

  Another example of an evil middle box that can cause problems would be Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work
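Review bot: this hunk replaces "More details on these two cases will be posted later on." with the new Cisco IOS firewall case, but the HttpProxy and GatewayProxy cases above it still have no details, so the promise is removed rather than fulfilled; either keep a pointer to where those details live or add them. The new CiscoFirewallWindowScaling bullet should also cite the IOS version and, if one exists, the vendor bug identifier, since "some older versions of PIX" is not actionable for someone checking their own devices.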
Line: 21 to 23
  * Check Point VPN-1 & FireWall-1 NG Performance Tuning Guide

Deleted:
<
<
 -- ChrisWelti - 01 Mar 2005
Added:
>
>
-- PekkaSavola - 10 Oct 2006
 

Revision 52005-03-23 - SimonLeinen

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 14 to 14
 More details on these two cases will be posted later on.

Another example of an evil middle box that can cause problems would be

Changed:
<
<
Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work
>
>
Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work
  Middleboxes come in all shapes and flavors. The most popular are firewalls:

Revision 42005-03-23 - HankNussbacher

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 13 to 13
  More details on these two cases will be posted later on.
Added:
>
>
Another example of an evil middle box that can cause problems would be Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work

Middleboxes come in all shapes and flavors. The most popular are firewalls:

* Check Point VPN-1 & FireWall-1 NG Performance Tuning Guide

 -- ChrisWelti - 01 Mar 2005

Revision 32005-03-03 - ChrisWelti

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them.
Line: 7 to 7
  Two examples for performance issues that occurred in the beginning of 2005 in the SWITCH network:
Changed:
<
<
- HTTPProxy: very slow response from a webserver only for a specific circle of people
>
>
- HttpProxy: very slow response from a webserver only for a specific circle of people
 - GatewayProxy: tcp transfers get stalled as soon as a packet is lost on the local segment from the middlebox to the end host.

More details on these two cases will be posted later on.

Revision 22005-03-03 - ChrisWelti

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way.
Changed:
<
<
As you can usually not see these devices it is difficult to debug issues that involve them. Examples are HTTP proxy, Gateway proxy (all protocols). Usually, these devices are installed for security reasons to filter out "bad" traffic. Bad traffic may be viri, trojans, evil javascript, or anything that is not known to the device. Sometimes also so called rate shapers are installed as middleboxes; while these do not change the contents of the traffic, they do drop packets according to rules only known by themselves.
>
>
As you can not see these devices which usually work on layer 2, it is difficult to debug issues that involve them. Examples are HTTP proxy, Gateway proxy (all protocols). Normally, these devices are installed for security reasons to filter out "bad" traffic. Bad traffic may be viri, trojans, evil javascript, or anything that is not known to the device. Sometimes also so called rate shapers are installed as middleboxes; while these do not change the contents of the traffic, they do drop packets according to rules only known by themselves.
 Bugs in such middleboxes can have fatal consequences for "legitimate" Internet traffic which may lead to performance or even worse connection issues.

Two examples for performance issues that occurred in the beginning of 2005 in the SWITCH network:

Revision 12005-03-01 - ChrisWelti

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="WebHome"
An evil middlebox is a transparent device that sits inbetween an end-to-end connection that disturbs the normal end-to-end traffic in some way. As you can usually not see these devices it is difficult to debug issues that involve them. Examples are HTTP proxy, Gateway proxy (all protocols). Usually, these devices are installed for security reasons to filter out "bad" traffic. Bad traffic may be viri, trojans, evil javascript, or anything that is not known to the device. Sometimes also so called rate shapers are installed as middleboxes; while these do not change the contents of the traffic, they do drop packets according to rules only known by themselves. Bugs in such middleboxes can have fatal consequences for "legitimate" Internet traffic which may lead to performance or even worse connection issues.

Two examples for performance issues that occurred in the beginning of 2005 in the SWITCH network:

- HTTPProxy: very slow response from a webserver only for a specific circle of people - GatewayProxy: tcp transfers get stalled as soon as a packet is lost on the local segment from the middlebox to the end host.

More details on these two cases will be posted later on.

-- ChrisWelti - 01 Mar 2005
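Review bot: in this initial revision, "- HTTPProxy: ..." and "- GatewayProxy: ..." are two list items run together on a single line; split them onto separate lines so the wiki renders them as a list. Minor wording in the same hunk: "inbetween" should be "in between" and "viri" should be "viruses".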

 