Saturday, 30 October 2010

Namespaces

We are seeing interesting changes in the namespaces that people use. No, I do not mean XML namespaces (that really would be a bit geeky to post even on my blog). I mean more generally.

On the internet we are familiar with the idea of domain names. They are used for web pages and email and so on.

Domain names have a number of challenges. The fact there are many top level domains and not just one that applies for a specific application. The original concept was to segregate the different uses, e.g. .uk for UK domains, .org for non profit organisations, etc. But the whole think has got complicated. Some countries exploit (why not?) their country code, e.g. .tv for TV shows. Some people get domains in the wrong top levels (e.g. non ISPs using .net domains). And then I even see normal companies with domains within .uk.net which is so wrong I don't know where to start.

What is also interesting is the way domain names have changed from a simple entry in a register and the associated NS record in the DNS system, to a valuable resource which comes to the attention of governments. The UK has recent legislation governing the way domains are managed so that they can, if they wish, step in to manage people like Nominet (who manage most of the .uk space).

But it is moving too quickly for governments, and in fact, government meddling just confuse things more. If the .uk name space gets tinkered with by government it will simply means people will move to other name spaces.

We are seeing them emerge already. People use twitter tags, and facebook names, and so on.

I even saw, today, a TV advert for a car. A Toyota Highlander. The obvious web site name to quote would be something like www.toyota.com/highlander. In fact, it is the right web site for details of that car (I just guessed it). On the TV advert they have youtube.com/highlander. It has a slightly amusing extended advert as a video.

So this shows that the advertisers decided the youtube namespace was the one to use for their advert not the domain name name space. Yes, you have to use domains to get to youtube.com (for now). I have also seen adverts saying to search for X or google for X rather than quoting a web site. The number of people I see typing a URL in to a google search box is scary (I bet google have stats for that).

The government has no control over all of the namespaces. They may legislate to get involved in Nominet, for example, but so what. They cannot control all of the namespaces that will be used, and become important resources for UK industry. So one wonders why they even try...

But then the government want to snoop on our internet traffic anyway and you wonder why they are bothering with that anyway.

How to get ripped off in Vegas

Always check the price...

I managed to lose the eyecup for my camera - it is the bit that fits on the viewfinder. Its a bit of plastic and slightly cushioned surround.

I did not actually look at the price, but as I needed it I paid it anyway even when they rang up $75 (about £50).

I just checked, and as I suspected, in the UK you are looking under £10 for this bit of plastic even with a Canon logo on it!

Grrr.

Friday, 29 October 2010

XML for dummies

Is there an "XML for dummies"? I must get a copy for our favourite telco.

Once again, it seems, they have a simple text substitution in an XML message they pass on where they add our company name and forget to escape the &

How does a big company make such basic errors?

Thursday, 28 October 2010

Fun in Vegas

Well, it was a good start when Sandra put her first bet of $5 on 13 and won... But by 2am, after countless comp drinks, the four of us walk away from the table some $200 up between us. I think that was a good evening entertainment and good value. Viva Las Vegas!

Wednesday, 27 October 2010

I never had a big brother and don't want one now

As the eldest I did not have a big brother. I don't want to get one now. However the new government seem to be trying to resurrect expensive, intrusive and pointless snooping legislation in the Interception Modernisation Programme (IMP).

1. It is very costly to do what they are proposing - and will mean huge investment in equipment to snoop on normal people and to store the data. This has to be paid somehow, either by tax payers or by ISPs and hence ISP customers.

2. It is risky storing all of this data as we have seen both government and private companies finding it increasingly difficult to make data storage secure. To get it right just adds to the costs.

3. It is not just for terrorism and serious crimes - this data can be used for anything, and could be used to seriously invade peoples private lives.

4. It is totally pointless as anyone that actually wants to do bad things will be able to easily avoid the snooping. Encryption is standard on lots of systems from email to chat and criminals already know how to use overseas servers and secure encrypted access.

5. Every spam will be logged, but the content will not be so you won't be able to tell it is spam, so the data will not actually be useful in any court case as it could be spam. It will be difficult if not impossible to sort the meaningful data from the noise. And then there is the very real possibility of people generating huge amounts of fake data for the fun of it and to break the system.

As an ISP we expect to fight this. If the wording is as bad as the data retention directive it will be a doddle to legally bypass it even if that means running the break out to the internet in another country.

Tuesday, 26 October 2010

Really unimpressed with Bellagio now

So the wifi is broken because they appear to be allowing people to send IPv6 RAs on the LAN causing my machine to pick up an IPv6 (2002: prefix) and then having no routing.

What is really annoying is I have complained 3 days in a row now and not one reply!

How can they just ignore complaints from paying guests?

Crap service.

Monday, 25 October 2010

IPv6 vs NAT

There are many ways to make a networking protocol, and one of the key aspects of the protocol definition is the addressing. There are many ways to address the information (typically packets).

1. You can create a system where the data has a locally relevant address which defines some channel of communications. At the next hop there is a pre-set path for that channel to go to the next hop after that via some local channel. The target address in the packet changes as it goes hop to hop to get to the destination. The channel creates an end to end path. You can have many different paths across a network.

These paths could be pre-set or could be created by some other protocol. Examples of this are protocols like ATM and even TDM (phone calls). It is a separate issue of whether the data flows continuously at a pre-defined rate (like a phone call) or has some dynamic bandwidth (as ATM can do). What I am talking of here is the addressing system being used.

2. You can create a system that has some hop by hop local addresses in the original packet. This allows each hop to work out where next to send the packet. Typically the packet changes as it goes to create a reverse path allowing a reply. This has the advantage that you do not have to establish end to end pathways in advance and can send packets ad-hoc. However, it does mean that the addressing is variable length and you have to work out the path needed to make the packet address header which depends where you start from. E.g. using some other protocol to find the path needed from where you are to where you want to get to.

3. You can create a system where packets are addressed based on a globally unique ID that identifies the target. The address stays the same at each hop. Each hop uses this target address to send the packet logically closer to the designation. Usually in this case the source globally unique address is included to allow replies. This has several advantages. Protocols to look up addresses can return the same final unique destination address regardless of where the packet starts. It is a good system and how IP works.


Another key aspect of a protocol definition is the way it works with layers. You have distinct layers that are responsible for different levels of communications. E.g. a low level that gets packets to their destination. Layers above provide session management and reliable communications with retransmission and acknowledgments. Layers above provide more complex protocols like web pages and email and so on. The principle is that you have well defined interfaces between layers and a general hiding of information between layers to some extent.


Internet Protocol uses the third type of addressing I listed. It means that every IP packet contains a globally unique final endpoint destination and source address. Internet Protocol also provides means for communications at higher levels to work (e.g. ICMP, UDP, TCP).

Some people have said that IPv6 is "throwing the baby out with the bathwater". IPv6 is indeed replacing the IPv4 layer. Everyone that looks at IPv6 can find one or other thing that IPv6 could also have done. There are many small niggles and problems that could have been fixed or improved in making IPv6 which is a shame. However it does address the problem with IPv4 running out of space. It is a big change, but gives us a chance to get rid of NAT now.

The alternatives being suggested, which are basically lots more NAT are a problem for a lot of reasons.

NAT breaks the basic principle of globally unique target addresses. It changes to a sort of ad-hoc connection based addressing one side. It also interferes with higher protocols like UDP and TCP. UDP cannot work as designed via NAT! NAT has to understand UDP and TCP and ICMP and make changes to that layer. In some cases NAT has to make changes at the layers above that even. NAT has to understand the way IP is used at various levels to work at all.

NAT breaks almost all innovation in protocol development. Nobody could make a new IP protocol (along side ICMP, UDP, TCP) as it simply would not work through any existing NAT router. You would have to change the software (maybe even the hardware too) for all existing NAT routers in the world to add a new protocol. You can't even rely on UDP and TCP working as they should and make new application level protocols without assuming NAT is in the way, which restricts what you can do or means changes NAT routers. People complaining about IPv6 seem to understand that changing every router is a bad thing, but that is what NAT is forcing when ever anyone makes a new protocol.

Also, the idea you can just NAT more and more for end user connections misses the point. For a start it creates resource issues for ISPs (processing power, memory for session tracking, and limited numbers of sessions due to port number limits). It creates huge traceability issues (history of every session needed). So it will not scale indefinitely.

But also this is not the only issue. What about when hosting companies have no IPv4's left and you want to host a new web server? You can't just NAT that side. You have to create all sorts of bodges. There are ways of doing it, but they create yet new issues.

NAT is an evil bodge that should never have taken off. Are we stuck with it? Probably for IPv4, but we can make a fresh start with IPv6. NAT and RFC1918 can continue to stretch IPv4 so that devices on local networks (printers, etc) can carry on working without change. But new applications can start to rely on proper IP functionality using IPv6.

Now, what will happen is that IPv4 and IPv6 run in parallel. Machines will dual stack with no problem. IPv6 can "just work" as IP was always intended. IPv4 can be carrier grade NAT'd and bodged and get increasingly broken. But we then have the best of both worlds.

We should be concentrating on making that happen. Making it seamless for end users when they next replace their router (typically small routers go bang after a year or two anyway). We need ISPs to handle the IPv6 side too.

We need any moves to create any sort of IPv6 NAT to be stamped on as soon as they are suggested.

Look forward, not back!

Sunday, 24 October 2010

Broken IPv6

OK, hotel wifi assigns an IPv6 address - woohoo!

Except it is:-

(a) a 2002:: address which is a tad silly
(b) not actually working

Arrrg.

I seriously doubt the hotel will have any clue if I complain...

P.S. I've emailed guest relations. I wonder how daft their reply will be. I'll post a follow up.

Saturday, 23 October 2010

Not impressed with Belagio, Vegas

How hard can it be if someone books and pays for rooms months in advance to actually have rooms that they booked when you get there.

No, they have to fuck about. And they are incapable of actually putting two rooms together. It makes me wonder why they bother building rooms with interconnecting doors (as these have) if they are incapable of actually putting two parties next to each other even with months of planning.

And then we have the wrong room keys. Just as well all on my card else that would cause problems. How we find that out is that the hotel wifi needs room number and surname, and surname did not match unless I uses my sister-in-law's surname.

Oh, and the wifi is $15/day extra

Oh, and not tea/coffee making facilities (though that seems to be the norm in US).

Thursday, 21 October 2010

Sticking to IPv4

Well, I am slightly surprised at the views of some people, one of which was a comment on my "Kick starting IPv6" post. Some people want to stick with IPv4!

Perhaps this is just resistance to change or being devil's advocate or trolling. I am not sure.

The reasons for sticking with IPv4 also made no sense - they appeared to be around wanting some basic fire-walling, which applies as much to IPv6 as to IPv4, rather than actually saying there was any problem with IPv6 as such.

Basically, IPv4 runs out. Running out comes in several stages, starting with IANA running out in a few months, the RIRs, then in various degrees ISPs running out.

So there will be no end of bodges and multiple layers of NAT and web sites on odd ports. Things will get less reliable on IPv4. Eventually you will get to the stage that web sites and other "services" start to work better on IPv6 or have less quirks or restrictions, and eventually some will simply "only be available on IPv6". Mapping systems to allow IPv4 users access IPv6 will be a similar level of bodge with limitations.

So sticking with IPv4 is not ultimately an option. Its like sticking with dial-up or sticking with analogue TV. Eventually you have to change, or put up with failing and inferior services.

Kick starting IPv6

One way to kick start IPv6 is to try and convince the likes of google to rank IPv6 accessible web sites higher than IPv4 sites.

They don't have to say how much higher or anything, just make it a published factor in the ranking.

I suggest they give the world a couple of months notice so people do not whinge, though no special reason they have to.

As soon as they do this we will have a mad scrabble to get web sites enabled on IPv6 to increase peoples rankings. There will suddenly be commercial pressure on hosting companies to provide IPv6 access (hence it would be nice to give a bit of notice).

Obviously these hosts would be dual stack for now, but it would make a big chunk of the internet IPv6 accessible, and would push deployment of IPv6 routers and firewalls and servers.

It is not the whole battle - you have to get consumers moved over too, but it is a big step forward. One side will have to move first.

So, google, please rank IPv6 hosted sites higher - simples.

Of course, if google won't do this we just need to start an urban myth / rumour that they already do it or are about to do it and are keeping it secret. The myths and rumours about search engine ranking are mad enough already this would be quite believable.

As someone else said, this close to Y2K we had massive take up and everything was "Y2K compliant" even toasters. We have almost no take up with domestic router manufacturers and are now only a few months away from trouble...

Wednesday, 20 October 2010

Technology testing ground?

Well, I popped over to our neighbours here in the industrial estate. Always good chaps for a chat and they are an excellent place to test technology!

The main things we can test is how well things work if you have a 10 year old computer running (or perhaps that should be "walking") IE6 still. It is also interesting to see how the internet behaves on an old (and slow) machine even when they are plugged to our offices for their connection.

Sadly I think they are finally going to be upgraded their computer systems at last. But they did give me some toast (and a banana) which shows they have one bit of technology we don't in our offices (a toaster). Thanks guys :-)

[Yeh, I did consider getting them linux'd up, honest]

Monday, 18 October 2010

Bastards!

Big rise in VoIP hacking lately. We can usually pick up on it and stop it. This is not automated (yet).

Sadly one of my customers was hacked, and we are charging him hundreds for the calls.

What really pisses me off is that, in an effort to help customers, if a call cannot route via one call carrier we fall back to another. Sadly in this case the other carrier cost us way more.

In fact, whilst we are charging our poor customer a few hundred, we expect to be paying nearer £15,000 for the calls.

I am not a happy bunny :-(

P.S. Nagios is getting quite a few more alerts added.

Saturday, 16 October 2010

Can I ask a question ... ?

OK, why do people do this? They say things like "Can I ask you a question about something?" Typically on irc, but even in real life some times. Worse, some times people just say "Can I ask you a question?" !!!!

I expect part of it is the use of the word can. In my mind that is asking if something is possible, i.e. physically possible, doable, can happen. I.e. "Am I physically able to ask you a question..." which is a daft thing to ask - only you know if you can, or not, and generally, barring having a heart attack just then or suddenly going mute, you can indeed ask the question. After all, you have just shown the ability to ask questions by asking the first question :-)

However, even assuming the more likely meaning "Do you mind if", which makes a lot more sense, you then start to be playing in the realms of etiquette, which is a minefield in itself. If one has to have permission to ask a question surely one needs to have permission to ask the first question, i.e. I may mind being asked "Can I ask you a question?". I suppose this very rant suggest that is the case! So presumably the first question is a break in etiquette (doing something I do mind) in order to avoid breaking etiquette by asking the real question straight off... WTF?

I should probably not be trying to apply my tactless, and mostly logical, mind to any sort of social etiquette really should I? :-)

Friday, 15 October 2010

Your learn something every day - well Mon/Wed/Fri

You know the saying: "you learn something new every day"

Well it seems more likely that it is Monday, Wednesday or Friday. The reason being that XKCD almost always has some deeper meaning or higher maths that involves googling and reading of wikipedia to fully understand.

Even today's - I did not know what a Shibboleth was and now know that Shibboleet is a Shebboleth and a play on words as well. See the wikipedia on it to fully understand.

I should have guessed it was not just a random made up word, but something "clever" too.

XKCD/806 compliance

Its been tricky ensuring we comply with lots of rules and regulations and RFCs, but the latest challenge was XKCD/806 compliance.

I think we managed it. The problem was that whilst there are not that many people on tech support that actually know at least two programming languages, all of them know better than to ask people to click on the "start" button. So we were not sure if calls actually needed transferring or not.

Even so, 07:27 this morning they were all briefed on the new code word just in case, so I think we can say AAISP support is XKCD/806 compliant now.

:-)

Current affairs

Was having a chat the other day about someone watching news and how there is 24 hour news and people watching miners getting rescued at some ungodly hour of the morning.

I hardly watch news at all - what's the point? So I did wonder what was the point?

Obviously there is news that could affect me. Some things have impact because they are local to me or my business or things that affect my family or friends. Some things have impact even if they are world news (like volcanic ash clouds) as they can have impact on me (e.g. people not making meetings because flights cancelled, etc). So there is reason to keep up with relevant current affairs - though generally not an urgent reason (i.e. not to be up watching 24 hour news in the middle of the night).

Then it occurs that the main reason to keep up with current affairs is conversations with other people. People I talk to assume a level of awareness of current affairs, and use them as part of conversation. Even so, it does not require the level of urgency with 24 hour news!

Then it occurred to me - with the people I talk to it is far more critical to have read today's Dilbert and XKCD than know if some miners have been rescued safely or not. Is that sad?

P.S. Glad they got out safely.

WOW broke

Arrrg, patch applied and now does not work - crashes
(under wine, of course).

I'll have to trawl the blogs to find why and what wine patch I need.

Thursday, 14 October 2010

Overtake

It is a sad day when downloading an app or patch takes way less time than installing or applying it.

The latest WoW patch seems that way. Download was not problem, pffff 5GB, no problem. Applying the patch is taking ages!

P.S. I just love the filenames on the WoW patch as it applies.

Wednesday, 13 October 2010

Turning up the wick a bit

Well, there is some good news with our favourite telco. They are upping the targets they have for throughput on broadband lines a bit.

The concept is pretty simple - they sell data, so any point in their network that is full - limiting data - limits what they can sell. The idea of charging for data should allow uncongested networks.

Unlike our other favourite telco, they are not actually stating that they aim for an uncongested network, but the figures for what the do plan are somewhat improved. They work on the basis of of "X Mb/s for 90% of the busiest 3 hours of the day". A tad confusing, but basically for 90% of the busy 3 hours you get a throughput, and obviously the rest of the time you get better than that.

We are pushing for definitions we can measure against - like loss and latency - but that is a tad more long term.

But yes, in some cases they have again doubled their targets for throughput and that should be seen in the network now. Well, apart from some 6 hour period over night...

So, good news.

How to break a network

I have to say that our favorite telco are at it again a little bit...

We are working with them quite well, but some times they just take the biscuit, and this is one of them.

They are, for the third time now over the last few years, taking everyone off line for hours over night. 6 hours in fact. It is one area at a time and there are about 20 areas.

Each one causes everyone in the "metronode", whether 20CN or 21CN, to go off line all night.

Extra catches - when the do the area covering the node we are connected to (Stepney Green), that means all lines we have going down again everywhere. So 95% of people get two outages of 6 hours not just one.

And why? To "add resilience". And this is the third time now. Someone does not understand the word "resilience".

Just to add to the fun, this time, when they take out each node they are shutting down RADIUS so even if not in one of the affected areas, if you go off line, you will not get on line until 6am, tough!

And did they tell us - well technically yes - a notice (one of dozens a day) said they would do this, but unlike other notices it did not list the circuits affected. So kind of missed.

Manchester and Faraday have been done, so many more to go - all going on status pages.

We are not alone in being outraged. There are even some companies offering some interesting alternatives to these links we have to our favorite telco which would avoid this Dent in our service now and then...

I'll try and find more details. It may be that this time they are actually adding resilience and it will be the last time. That would be good news, but I am not holding my breath.

Monday, 11 October 2010

It just works!

OK, this is slightly blowing my own trumpet, well the trumpet of the whole FireBrick team really, but I have been involved in a fun project for the last few weeks to deploy a FireBrick in a completely new environment - mobiles.

An LNS, as this is, handles the endpoint of connections to the internet, typically from broadband lines these days. We have tested from dialup, and broadband. We have tested from BT and Be. We have tested the way things are done in the ISP world and we are selling them (albeit prototypes, technically). They work well.

The mobile world is a challenge though. We are talking to very different kit (A Nokia GGSN) and it is not quite what we expected. The PPP negotiation is faked in the mobile network, and the RADIUS responses were not what we expected, and lots of little snags and differences.

Throughout the work I have ended up making all sorts of changes only to find that, after hours (or days in some cases), what we were doing was right all along and no changes were needed. The end result is a richer set of features on the FireBrick, which is good, but mostly a lot of work for no reason.

The final solution is handling layer 3 termination as well as lots of L2TP relay to all sorts of different manufacturers kit in ISPs.

Basically, "it just works". I should not be surprised, and I know customers using this kit are not surprised, but it is always scary when you are launching any new product. You worry about every little thing - from "is there some subtle bug that will break things?" do "did we design a product people actually want to buy?". When it goes out there in to the world on its own and just works you are always relieved, and it is always a surprise no matter how many times you have done it before with other products that "just work".

So, onwards and upwards - the new smaller FireBrick products are due to launch real soon now, and we have much to do.

Code code code!

Friday, 8 October 2010

I can ping my iPad

OK, this may not seem that hard. After all, it is networking. But the mobile networks make this a nightmare, so finally being able to actually ping my iPad is a huge step forward.

We finally have data SIMs that have unfettered IP connectivity (if only for a single static IPv4 address for now). No session tracking. No firewall. No NAT. Just raw IP. Networking like what it should be, in'it.

What is fun is that even when "turned off" (well, the blank screen mode one normally leaves it in) it seems to maintain the data connection indefinitely. And you can ping it! It does take a few seconds to respond initially so I can only assume the radio side is shut down to something that exchanges data every few seconds at most - though once you get through all the queued pings reply and it works.

Yay!

Wednesday, 6 October 2010

Hiding keys

http://www.bbc.co.uk/news/uk-england-11479831
[Someone jailed for not handing over an encryption key]

I was rather shocked by that. I remember being shocked when RIPA came in and had not caught up with the fact that there have been a few cases now.

It is a fact of life now that information can be hidden and not be accessible if someone wants it to stay hidden. To be honest this has always been the case even without convoluted tricks like Dan Brown's cryptex. People have been able to just keep secrets in their head.

Forcing someone to come up with a password if they do not want to goes against basic ingrained ideas like right to remain silent and right not to incriminate yourself as well as right to privacy. This is eroding civil liberties, IMHO.

It is also so pointless. People can hide information - there are plenty of tricks if you want to hide data in ways that do not look like the data is hidden. The more cases like this happen the more standard, off the shelf (well, downloadable for free), apps will provide this functionality and the concept of asking someone for their encryption keys will vanish.

There are almost certainly legal tricks too, such as the key being held by someone else but you having no right to it or control over them formally and them being in another country, etc. i.e. they happen to log in an unlock your disk for you if you ask, but there is no actual right to compel them to, and they won't if they hear you have been arrested.

I think I'll start putting random data files on my hard disk to prove a point.

Saturday, 2 October 2010

Internet HD

I know how to get people in to using IPv6... Rename it "internet HD". Everyone will upgrade to "HD". I mean, "HD" seems to get everywhere now not just TVs.

We could sell Ethernet cables that are "Internet HD ready"...

:-)