From: Jason R. Coombs
Sent: Sunday, 26 April, 2009 12:37
To: 'fccinfo@fcc.gov'
Subject: Comcast CIFS blocking complaint letter (attached)
Attachments: Comcast CIFS blocking Complaint Letter.pdf
Signed By: jaraco@jaraco.com

Dear FCC,

Please find below or attached a complaint letter regarding unfair practices of Comcast and their Broadband Internet service. I would have submitted this letter via the online form, but that form provides only a limited interface for describing this somewhat complex issue.

Please let me know if the supplied formats are insufficient to properly route and address this complaint.

Sincerely,

Jason

Federal Communications Commission

Consumer & Governmental Affairs Bureau

Consumer Complaints

445 12th Street, SW

Washington, DC 20554

26-Apr-2009

Dear Sir or Madam,

I would like to bring to your attention the unfair and restrictive policies of Comcast pertaining to their High Speed Internet service.  Since at least 2002, Comcast has blocked the transmission of legitimate communication over their Internet service. The specific traffic they block is Windows File Sharing and Domain Services, collectively known as the Common Internet File System or CIFS.  I have attached an appendix to elaborate on the technical details of this action.

This traffic enables several capabilities, including Windows services management, File Sharing, Printer Sharing, and Unified Authentication.  The vast majority of system administrators are primarily Unix proponents and so realize very little benefit from these services.  For the rare expert Windows administrator who operates outside an isolated intranet environment, however, these services are essential; without these services, a Windows domain cannot be effectively maintained.

Historically, this traffic was allowed transmission. In early 2004, the worm known as Sasser was created to exploit a vulnerability in CIFS and infected unpatched Windows systems throughout the Internet.  As a result, many Internet providers, including Comcast, chose to restrict this traffic.  Comcast in particular blocks both outgoing and incoming traffic, regardless of whether it is legitimate or otherwise.

Since the release of Sasser and similar exploits, Microsoft has taken extensive measures to prevent similar worms from having such a devastating impact.  In addition to having fixed the underlying vulnerability prior to the release of the worm, Microsoft has improved the automatic patching mechanisms and also incorporates firewalls that voluntarily block most traffic, including CIFS.  Furthermore, a typical Internet customer today will run behind a software security system as well as behind a Network Address Translation (NAT) firewall that further limits potential unintended exposure.

Nevertheless, Comcast continues to restrict without exception the transmission of traffic both to and from their customers.  As a result, I’ve been forced to pay for more expensive and lower speed service using DSL providers who do not restrict such traffic.

Regarding this matter, I have submitted several formal complaints to Comcast by telephone and by USPS mail.  When I’ve received responses, and the agent adequately comprehends the problem, the basic answer has been that they refuse to provide any relief despite acknowledging the existence of legitimate uses of such activity.

I acknowledge the benefits of blocking CIFS by default.  Doing so effectively renders exploits over that channel useless.  However, the provider can achieve the same ends by allowing the traffic to those who request it.  Those who have protected their systems and have a legitimate need for that traffic should have a means to achieve it.

Generally, I would defend a company’s right to run its business as it sees fit. Comcast, however, has a special arrangement with the public and with its competitors that puts it in a unique situation and holds it to a higher standard. Comcast is in a unique position of controlling the infrastructure that provides the highest Internet bandwidth at the lowest cost to consumers.  Competitors face a prohibitively high threshold of entry into the market, and special arrangements allow Comcast to be the sole cable operator in many markets (including the one in which I reside).  For a consumer like myself to solicit Internet service of an equivalent bandwidth would cost several times more through another transmission mechanism such as a leased line. It is this special position that I believe holds Comcast and similar ISPs to a higher standard.  Because there is no cost-equivalent alternative to receive similar capacity of service, other ISPs have no opportunity to compete for services in this market, leaving Comcast to dictate what services will be available and not available at their whim.

Based on the Commission’s order regarding P2P throttling in July 2008, I believe the Commission agrees with my sentiment.  In particular, the FCC has publicly presented several principles[1] that go directly to the issue herein.

I repeat these principles here for reference. “To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet,

· Consumers are entitled to access the lawful Internet content of their choice

· Consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement

· Consumers are entitled to connect their choice of legal devices that do not harm the network

· Consumers are entitled to competition among network providers, application and service providers, and content providers”

Comcast and their refusal to allow an exception process to open communication for CIFS flies in the face of all four of these principles.  I have attempted to bring this apparent violation to the attention of the appropriate management at Comcast, but the requests have been dismissed outright with no further action pending.

Because the connectivity issues only affect a small minority of Windows power users, and because other potential users will be unlikely to emerge due to the policies in place, Comcast has little motivation to correct their unfair policies.  Were similar policies to be applied to services such as HTTP (a.k.a. the web), certainly a customer uprising would quickly correct the situation. Since the issue affects such a specialized minority, however, Comcast can maintain their refusal of fair service with minimal consequence.

Therefore, I implore the FCC to take whatever action possible to encourage Comcast to do what is right and honorable in this situation and re-open CIFS traffic or otherwise provide an exception process for those customers who choose to utilize it.

I appreciate your attention on this matter.

Sincerely,
Jason R. Coombs

Appendix: Technical Details of the CIFS protocol and adverse effects of dropped packets.

CIFS, the Common Internet File System, designed and developed by Microsoft, runs over TCP port 445.  There are other legacy ports over which similar traffic is transmitted, but for Windows 2000, Windows XP, Windows Vista, and server operating systems, port 445 is the preferred channel for many services, including File and Printer Sharing, Remote Server Administration, Domain Authentication, and Domain Services.

Unlike other services, the port number for CIFS is hard-coded.  That is, it is very difficult and sometimes impossible to manage these services on anything other than the default ports.

Because port 445 is blocked without exception, the functionality of Windows is severely limited. Particularly, when the traffic is not properly blocked, but instead lazily dropped, the protocol will stall, waiting until a timer expires.  Sometimes, this can render entire applications, even Windows Explorer, unusable for 30-60 seconds.  While this doesn’t sound like a lot, it can be severely limiting.  It can even be embarrassing and costly if it happens during an important demonstration or presentation.

Here is a screenshot that utilizes standard tools to demonstrate the problem.

[Screenshot clip_image001; callout: Control is lost for approx. 20 seconds.]

This illustrates that connectivity is present between the two machines, but the connection fails.  Furthermore, rather than failing gracefully, a timeout must pass before control can be returned to the user.

Without this blocking, one could issue simple commands like

net use \\messiah.jaraco.com\myfiles

to connect to file shares over the Internet.  This capability has been built into Windows since Windows 95 was released (although CIFS was not present until Windows 2000, I believe).

Instead, with the server or the client on a Comcast connection, the connection cannot be established as all TCP port 445 traffic is dropped without notification.
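The stall the appendix describes, where a silently dropped SYN costs the caller the full timer while a rejected one fails immediately, can be observed with a small connection probe. The following is an added example, not part of the original letter; it is written in Python and, so that it runs offline, is demonstrated against a throwaway localhost listener rather than a real filtered link.

```python
import socket
import time

# TCP port the letter discusses (CIFS / SMB); the probe itself is an added diagnostic.
CIFS_PORT = 445


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify how it ended.

    Returns (outcome, elapsed_seconds). Outcomes:
      'open'    - handshake completed, something is listening
      'refused' - a RST came back (closed port, or a filter that rejects):
                  the caller learns the answer within milliseconds
      'dropped' - nothing came back at all; a filter silently discarded the
                  SYN and the caller stalled for the whole timeout, which is
                  the behaviour the appendix describes for port 445
      'error'   - other OS-level failure (no route, name resolution, ...)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "open"
    except socket.timeout:          # must precede OSError: it is a subclass
        outcome = "dropped"
    except ConnectionRefusedError:  # likewise a subclass of OSError
        outcome = "refused"
    except OSError:
        outcome = "error"
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def demo_local(timeout=2.0):
    """Constructed offline demo: probe a throwaway localhost listener, then probe
    the same port after the listener is gone ('refused', far sooner than timeout)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    for label, (outcome, secs) in demo_local().items():
        print(f"{label:10s} -> {outcome:8s} after {secs:.3f}s")
    print(f"On a link that silently filters TCP/{CIFS_PORT}, probe_tcp would report 'dropped' only after the full timeout.")
```

Run against a host on a filtered link, a 'dropped' result that arrives only at the timeout is the signature of the lazy drop the letter complains about, whereas a proper reject shows up as 'refused' almost instantly.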

[1] Martin, Kevin J., Statement of Chairman, En Banc Hearing of the Federal Communications Commission, Cambridge, Massachusetts, February 25, 2008