So what is being done with the SPI problems?

[Guest]

There seem to be a lot of folks having issues with crippled internet browsing
capabilities due to SPI being enabled at their routers/firewalls (me
included). Disabling SPI is not an option in many corporate network
environments. The bandwidth gestapo will be happy that Vista users cannot
surf the net, but as far as I am concerned the product is still essentially
unusable in Beta 2 (I can't even download the bug reporting tools or navigate
to windows update). It seems to me that the nifty new TCP stack is terribly
broken. What is Microsoft doing about this? Can we expect any relief soon?

 

[AMDX2]

If it is broken and doesn't affect everyone, what then? I have a great
internet appliance from Sonicwall and no problems surfing the net with beta
2.

 

[Guest]

I am glad that you are having success with your experience AMDX2. I guess
what I am really trying to state here is that if you intoduce a new TCP stack
that is incompatible with an extremely common network topology, then it is
"broken" in my "book." My "book" defines "broken" as something that does not
work correctly. A "workaround" are the steps and measures taken to compensate
for something that is "broken" in order to use it. Synonyms for "workaround"
include "hack" and "kludge".

I am not assuming that you have hacked your firewall settings in any way,
but don't the Sonicwall appliances combine SPI with Deep Packet Inspection
(DPI)? I'm thinking that there may possibly be a problem with TCP packet
headers that may be causing them to get dropped by routers/firewalls that
only use SPI. DPI might be able to correctly determine that the packets are
indeed valid, but at what cost? DPI enabled firewalls are more expensive in
both cost and processing time. In an enterprise network ecosphere this could
be cost prohibitive.

I know from my testing experiences both at home and work that disabling SPI
at the firewall "cures" my Vista throughput problems. But disabling SPI also
opens the doors for DoS attacks and other malicious connection hacks. Such a
workaround is not an option for most users that wish to protect their
networks. There are a ton of corporations (from small to enterprise scale)
that rely on existing SPI enabled environments to protect their systems -
there will be a lot of resistence to adopting Vista if it requires
significant upgrades to firewalls (or a degradation of existing policy to
workaround Vista's apparent "issues" with SPI). I am just wanting to make
sure that Microsoft is aware that until they can fix this problem there is at
least one business environment of over 250 desktops and another 50 servers
that will not be upgrading to Vista any time soon.

 

[AMDX2]

What you say makes total sense and I get it now. The Sonicwall is Deep
Packet Inspection firewall yes.

Shoot, I might even want to sell my Sonicwall soon, not sure though.