Tuesday, 28 December 2010

Brave and trusting staff

Well, Jimi is at his parents' this week, and decided that he would try the new FireBrick PPPoE code at home. So upgrading software, remotely by many miles, reconfiguring for PPPoE on the FireBrick and then on the router and hoping for the best.

What can I say - it worked.

Well, technically it did not quite work, but worked well enough for us to fix a couple of slight buglets. But he is now on-line without having to drive back home.

I think he was very brave! But it does now mean we have the confidence to talk customers through this.

He also has native IPv6 "just working"® now.

Monday, 27 December 2010

Everything you wanted to know about PPPoE but were afraid to ask

PPPoE is a simple concept allowing PPP (point to point protocol) packets to be carried over Ethernet (normal local area networks).

The RFC is refreshingly small, and is largely concerned with how a device (client) discovers and connects to an access controller on the network. Once you have a connection to an access controller, the rest is PPP, which has its own protocols to negotiate IP addresses and carry packets.

PPP itself dates back to the good old days of dialup modems, but is still used today for broadband lines and even high speed fibre to the cabinet and fibre to the premises lines.

The key thing PPPoE does is separate the modem (which converts signals on the line itself) from the router (which decides what to do with IP packets). There are a couple of good reasons to do this. (a) It makes for a good demarcation point for a telco allowing generic termination equipment (the modem) to be part of the service whilst providing choice of actual router, and (b) modem/router manufacturers are notoriously bad at making routers that are any good at routing (note lack of IPv6 support as a good example) and you usually want to have a decent router/firewall from someone that can make routers (like the FireBrick, of course :-) ).

As you probably saw, I wrote the FireBrick PPPoE client on Friday morning, and was well pleased with myself having tested on a Vigor V120 PPPoE/A modem on a BT line. I then spent most of this morning trying to get it working with BT lines using a Zyxel in bridge mode. It is working now with the Zyxel in bridge mode to BT and Be as well as to the Vigor. Next to test is FTTC and FTTP BT lines.

Whilst the RFC for PPPoE is not bad, there are a few issues:-
  1. PPPoE limits the MTU to 1492 as 8 bytes are used for PPPoE and PPP headers. Fortunately there is a later RFC allowing negotiation of baby jumbo frames (dumbo frames?) to handle a full 1500 byte MTU. Unfortunately I have yet to find a router that supports it even though their Ethernet chip-sets can probably do the larger frame. Fortunately BT FTTC and FTTP do support it, apparently.
  2. PPPoE has a range of extensible tagged parameters, but they missed a trick by failing to define a few simple ones such as telephone number for dialup or VPI/VCI/encap mode for DSL. Having these would mean modems need no configuration at all and so not need DHCP, IP and web interfaces - having all parameters carried in the PPPoE tags would be perfect and should have been encouraged in the original PPPoE spec. Other obvious status parameters, like tx speed and rx speed and so on, in the response from the modem would have been a simple addition. These could have been defined as optional tagged values in the original spec and saved everyone a lot of time.
  3. PPPoE allows for a relay device. This makes perfect sense for a DSL router to relay PPPoE either to PPPoA as raw PPP, or to a remote PPPoE device on the wire whilst appearing as only one device on the local network. This is how it should be done. Sadly it seems almost all routers that do PPPoE work in a bridge mode - bridging the LAN to the far end of the DSL line. This causes serious problems. For a start you have no way to direct traffic to a specific line via a specific router/bridge, if you have more than one, as you only see the far end bridged Ethernet MAC addresses. You also have no way to tell this has happened. You also have to run a separate LAN segment even if you only have one router/bridge as the broadcast traffic on your LAN is bridged and can trip MAC address limits on the DSL service. In short, each PPPoE router/bridge has to be on its own LAN segment which is a pain, and a shame as the spec allowed them to act as relays!
  4. Finally, bugs... It seems our favourite telco do not follow the RFC. There is an "end" tag, id 0x0000, which you can put at the end of the list of tags. It is not required but remains for backwards compatibility. So I dutifully included it, and all was well. Vigor happy. Be happy. Could not get working with our favourite telco. Turns out if you include this completely valid tag then our favourite telco just totally ignore your PADI packets. WTF! RTFRFC guys!
So, the new FireBricks now do PPPoE, including negotiating IPv6, including baby jumbo frames, and including multiple links on separate ports with bonding. They even provide loss/latency graphs for each line from the client end.

There is much more code still to do though...
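To make the packet-level points above concrete (the 1492 MTU arithmetic, the tag TLV layout, the optional End-Of-List tag 0x0000 and the baby jumbo frame negotiation), here is a small Python encoder and decoder for PPPoE discovery packets. This is an added example, not FireBrick code and not from the original post: the tag numbers are those assigned in RFC 2516 and RFC 4638, the frame layout assumes the Ethernet header has already been stripped, and the sample PADI contents are constructed for the example.

```python
"""Build and parse PPPoE discovery-stage packets (PADI/PADO) as tag lists.

Added example, not FireBrick code. Tag numbers are from RFC 2516 (discovery)
and RFC 4638 (PPP-Max-Payload); sample packet contents are constructed here.
"""
import struct

ETHERTYPE_DISCOVERY = 0x8863   # Ethernet type of the discovery stage (not used below)
CODE_PADI = 0x09
CODE_PADO = 0x07
TAG_END_OF_LIST = 0x0000       # optional terminator that some ACs wrongly choke on
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
TAG_HOST_UNIQ = 0x0103
TAG_AC_COOKIE = 0x0104
TAG_PPP_MAX_PAYLOAD = 0x0120   # RFC 4638 baby jumbo frame negotiation

ETHERNET_MTU = 1500
PPPOE_HEADER_LEN = 6   # version/type, code, session id, payload length
PPP_PROTOCOL_LEN = 2   # PPP protocol field in front of every session payload
DEFAULT_PPP_MTU = ETHERNET_MTU - PPPOE_HEADER_LEN - PPP_PROTOCOL_LEN  # 1492


def ppp_mtu(ethernet_mtu=ETHERNET_MTU):
    """MTU left for the PPP payload after the PPPoE and PPP headers (1492 for 1500)."""
    return ethernet_mtu - PPPOE_HEADER_LEN - PPP_PROTOCOL_LEN


def build_discovery(code, tags, session_id=0, end_of_list=False):
    """Encode a discovery packet: 6-byte header followed by TYPE/LENGTH/VALUE tags.

    The End-Of-List tag is optional per the RFC, so it is left out by default;
    pass end_of_list=True to reproduce the packet the post says a telco ignores.
    """
    payload = bytearray()
    for tag_type, value in tags:
        payload += struct.pack("!HH", tag_type, len(value)) + value
    if end_of_list:
        payload += struct.pack("!HH", TAG_END_OF_LIST, 0)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return header + bytes(payload)


def parse_discovery(frame):
    """Decode header and tags; accept an End-Of-List tag, reject truncated packets."""
    if len(frame) < PPPOE_HEADER_LEN:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:PPPOE_HEADER_LEN])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    body = frame[PPPOE_HEADER_LEN:PPPOE_HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("payload shorter than header length field")
    tags = []
    offset = 0
    while offset < len(body):
        if offset + 4 > len(body):
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", body[offset:offset + 4])
        offset += 4
        if offset + tag_len > len(body):
            raise ValueError("tag length runs past end of payload")
        if tag_type == TAG_END_OF_LIST:
            break   # valid terminator: stop here rather than rejecting the packet
        tags.append((tag_type, bytes(body[offset:offset + tag_len])))
        offset += tag_len
    return code, session_id, tags


def is_well_formed(frame):
    """True if the frame parses cleanly; used to filter junk before acting on it."""
    try:
        parse_discovery(frame)
        return True
    except ValueError:
        return False


def max_payload_tag(mtu):
    """PPP-Max-Payload tag asking for a PPP MTU above 1492 (baby jumbo frames)."""
    return (TAG_PPP_MAX_PAYLOAD, struct.pack("!H", mtu))


def negotiated_mtu(pado_tags, requested):
    """MTU after a PADO: the smaller of both sides if the AC echoed the tag, else 1492."""
    for tag_type, value in pado_tags:
        if tag_type == TAG_PPP_MAX_PAYLOAD and len(value) == 2:
            return min(requested, struct.unpack("!H", value)[0])
    return DEFAULT_PPP_MTU


if __name__ == "__main__":
    # Constructed PADI: any service, a Host-Uniq cookie, and a 1500 byte MTU request.
    padi = build_discovery(CODE_PADI, [(TAG_SERVICE_NAME, b""),
                                       (TAG_HOST_UNIQ, b"\x00\x2a"),
                                       max_payload_tag(1500)])
    print(padi.hex())
    print(parse_discovery(padi))
```

The decoder treats the End-Of-List tag as what the RFC says it is, a terminator, instead of a reason to drop the packet; the encoder omits it unless asked, which is the interoperability workaround the post arrived at. Feeding a PADO's tags to negotiated_mtu shows why a client falls back to 1492 whenever the access controller does not echo the PPP-Max-Payload tag.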

Saturday, 25 December 2010

Test one unknown at a time

New FB2700s are being shipped and so when a customer could not get tunnels set up properly we spent ages trying to find the cause, assuming it was the FB2700 as it is all new code.

Turns out, having spent all day on this, one of his DSL lines filters some UDP traffic which meant the tunnels did not work. Thankfully the port mapping functions make it easy to work around once we know the problem!

But we got to try about 3 different ways of setting it up which is nice. We even tried PPPoE before discovering the combination of line, provider, and router meant it would not do it!

Oh, and yes, PPPoE is all coded as well now, and is standard in the base model.

All in all a good couple of days development, all the better for some turkey and trifle.

More to do next week! Ho Ho Ho

Thursday, 23 December 2010

Getting there

Well, the FB2700 now has a nice DHCP server, with lots of bells and whistles.
Next is the PPPoE client with bonding.
Should be fun.

Tuesday, 21 December 2010

Ho Ho Horde!

What can I say?!

Sunday, 19 December 2010

Thin end of the wedge

http://www.news.com.au/breaking-news/world/all-internet-porn-will-be-blocked-to-protect-children-under-uk-government-plan/story-e6frfkui-1225973481287

I said the IWF list was just the thin end of the wedge. The objective of stopping people accidentally encountering child porn on the web was a crazy one (IMHO) as it did not even try to stop people that want to access such material, and (as has been shown) has side effects.

The only real reason for IWF blocking list was to get in place a mechanism to allow arbitrary web sites to be blocked. Then the list can be conveniently expanded to other things. Start with something nobody can object to like "child porn", and build from that.

The quote on that article is "Technically we know it can be done because the ISPs are already removing child porn after the government put pressure on them". This kind of shows why the otherwise pointless IWF block list was encouraged so much in the first place - it was a foot in the door.

The latest is to add all porn (completely legal porn) on the basis children might see it, and allow adults to opt-in to access it. It's think of the children mentality. Of course these blocking systems are trivial to get around. There are already plenty of ways for parents to control what their children see on their computer. And, whats to bet that such opt-in systems will be on IP and so mean (with NAT) that the whole house has opt-in, including the kids machines?

You can see where it goes. I am sure terrorist web sites will be next on the list, after all, who can argue with that. Of course, any extreme political web sites will need to be next. Basically any wrong thinking.

Thankfully, due to other oppressive governments around the world, there are already well established and well documented ways to bypass all of this crap to allow people to communicate and access the Internet without trace and without filters.

Utter incompetence on the part of our government, IMHO.

Oh, and they are talking of doing it without legislation. OK, so they want communications for a perfectly legal purpose between two parties via a communications network to be intercepted and blocked without the specific (opt-in) request of either of the parties, and somehow this is legal under RIPA?

Friday, 17 December 2010

For the horde!

Well, I would like to thank Mike for the full size World of Warcraft Orc we now have in our training room. A really novel Christmas present which will make for a real talking point.

Twit!

Well, I have signed up with twitter. I am not feeling too well so not going to a party, but the party is on twitter, and it means I can talk to them and be there virtually so I joined.

I am not sure of the terminology, does that make me a tweeter or a twit or a twat? maybe all three.

First ever tweet:
First tweet - I understand it is protocol for me to say that I am threatening to blow up an airport because of snow...

Thursday, 16 December 2010

Copyright

Well, sounds like my copyright statement might well be valid, especially with rulings like this!
http://zine.openrightsgroup.org/comment/2010/the-long-arm-of-copyright 
This is absolutely crazy!

Cunning plan

Why can't they make mobile phones that have a small compartment that has space for tablets...

The phones themselves are so small now, it would be easy to include a small compartment or two. And it would be ideal for diabetic old fogies like me that now have to take a couple of pills with me to have with meals.

That way I would never forget them as I am never without my phone!

If it has a sensor to tell you opened the compartment, it could have an alarm in the morning if you have not opened it to put pills in, and another at pre-set times to remind you you have not opened it to take pills out. That'll be useful when I get older and start losing my memory!

Tuesday, 14 December 2010

Cool TV

OK, the new Sony TV is quite smart...

My son sat here on his iPad, VNC'd on to his windoze PC that is up in his bedroom...
Selects a video on the PC, and it has "Play to ->" which lists the TV!
Click and TV is playing video!

Cool or what...

Sunday, 12 December 2010

Bah, humbug!

Well, it is that time of year.

TBH, Christmas is a time where customers do not hassle me for days on end and I can get some real work done :-)

But it is also a time for presents. Basically, this means, things you might get for kids because it is nice are delayed until Christmas. Any other time of the year if the kids wanted something or I felt like getting something, that would happen. But in December things are delayed. Kind of odd arrangement. Birthdays are a bit like that too.

I would rather give gifts when I have reason to or can do so, and make any day special. It is more of a surprise. More fun.

Of course Christmas is also a time for finding a fucking huge corporation tax bill, just a month before a nice big personal tax bill. Perfect timing for spending extra on nice things, not! The fact the accountants have dragged their heels for 9 months and so I am not sure what I owe does not help either. Arrrg!

So, Merry Humbug :-)

Thursday, 9 December 2010

Make life difficult, or what!

I think I have the new VAT rate change worked out...

The logic is simple, and always has been simple.
The VAT rate applicable is the one at the tax point.
Suppliers can, optionally, bill in advance and split on the date of VAT change, but they do not have to, and it is the suppliers choice.

So, for 1st January invoices that are for services for all of January, the VAT rate is 17.5%. Simples!

Unfortunately the Finance Act adds some extra confusion. In almost all cases that does not cause us a problem, but I think it does for a few of the invoices.

Basically, if the customer is a connected party (i.e. family member, a related company, etc), and they cannot reclaim VAT, then they have to be charged a supplementary 2.5% VAT on the period after the VAT change. This also applies in some other cases such as invoices over £100,000, but that is not an issue.

So, for the most part the invoices are as normal, and no problem.

However, I expect I'll have to charge my parents a supplementary 2.5% VAT from 4th January until the next full moon (they are invoiced every full moon). I probably should try and work out if employees count as "connected parties" too. That is assuming being parent of director of the company makes them "connected" - I'll have to read another Act to check that, or maybe I'll just email HMRC...

Why the hell make it so damn complicated? Arrrrg!

Wednesday, 8 December 2010

Practical experiences with IPv6

OK, now we finally have boxes that will allow us to deploy IPv6 sensibly in SMEs. (No, not DSL routers with IPv6, but our new FireBricks) - we are keen to start getting some practical experiences. There are some DSL routers on the horizon, but we have seen some very special routers for IPv4 so what they will do with IPv6 and how configurable their firewalls will be is anyone's guess. The FireBrick we can control and we can make it work sensibly!

This is not directly a technical exercise. The technicalities we know pretty well, having used IPv6 ourselves, and sold it to customers, for 8 years or so. It's the experiences of how to tackle the things everyone has forgotten about. How well old machines cope with dual stack. What management think of the problem. Etc, etc.

It is also about the practical experiences of selling the idea to companies. Right now there is not much internet you can't get on IPv4. A NATted connection gets you most things - as an edge connection rather than being part of the internet as such. IPv6 offers more, but in most cases, right now, it is not offering things people know that they need. We are at the start of the problems now, and they will gradually get worse over the years, but at what point does IPv6 become the obvious solution for people, rather than a contingency?

We do have some technical things like VoIP. I am working on making our SIP server mix IPv4 and IPv6. At present it does IPv6, but only works to other devices that understand IPv6! Once we have that sorted, the plan is to understand how to deploy SNOM phones. Sadly SNOM are being totally thick here as (a) they make a s/w version that is IPv6 only not dual stack, and (b) they do not pick up an address by RA or any other means - you have to set it manually somehow - arg!

I think non NAT VoIP deployment using IPv6 is a leading application. People are starting to deploy VoIP more. NAT is a pain in the arse for VoIP in many ways. The best way to solve it is non NAT. That will be harder to get on IPv4, so non NAT IPv6 phones on a LAN makes sense. It could make IPv6 a must have when deploying VoIP phones centrex style.

So, fun times ahead.

Sunday, 5 December 2010

Soul of a new machine

Well, FB2700 is racing forward and we have them for sale now. I should have a large pile of them by the end of the week :-)

The staff-use ones have managed to highlight several opportunities for improvement (as bugs might be called) and they have been realised (aka fixed).

Much to do, but the more people we can get using them in anger, the more feedback we get...

Saturday, 4 December 2010

In game pocket money?!

OK, had to post this, sorry.

BT CRM (Ian) has kids (6 & 7) and they play WoW, and they apparently want in-game pocket money, i.e. world of warcraft gold (as well as real life pocket money, obviously).

What is the (virtual) world coming to?

Well done Ian!

Friday, 3 December 2010

Summer time all year? WTF?

OK news on BBC suggesting it is again being considered.

Sorry but that is just crazy. TBH the change of clocks is a pain, but we all cope with it. So some reasons not to fuck about:-
  • Unless we make working days shorter it will be dark at one end or other of the day in winter. That is tough. Changing the clocks does not make more daylight. Darkness causes accidents and problems, but tough. This won't be solved by renaming the hours of the day - it will just move the issues around.
  • Changing clocks is a pain. I have spent a lot of time on software development related to this in every system we have in the company. Man months of time spent/wasted to allow for clocks changing. But we cope. We have systems that understand 23 hour days and 25 hour days. We do better than some (BT!) in sending correct times on XML messages. It would all be a lot simpler if clocks did not change.
  • But clocks not changing does not mean UTC+1 for the year - that really is fucked up. When the sun is overhead in Greenwich the time is 12:00. That is the way we decided to name the hours of the day. It makes sense - it is the middle between one midnight and the next. Living in UTC+1 in the country that defined the clocks in the first place is just madness.
  • At the end of the day, what we call the hours is not important. If we think there is a benefit in people going to work and school earlier, why not do that. You do not have to change what we call the hours of the day. Yes, it would not be universal. Make schools an hour earlier and some offices and shops will follow and some will not - excellent. It would spread out rush hour on the trains and roads. That alone means fewer accidents and problems.
So my preference is UTC all year, and schools starting earlier.

TBH I bet I have a lot of code that will in fact break if we were UTC+1 and no DST. It would cost me to make that work, and I am a small business. Imagine someone the size of BT changing all their systems to handle that. We are lucky we are based on UTC as lots of stuff is hard when not on UTC. DST is a problem, but UTC+1 all year would be a lot more work.

Thursday, 2 December 2010

The end is nigh!

Well, IPv4 is running out as we know. What is interesting is that we are actually going for a bit of a rush at the end with blocks being used up faster than expected. Four blocks in November. We only have 2 more to go before we are at the end and some ceremonial handing over of the final 5 blocks from IANA to the RIRs. It may even be before Christmas, but will certainly be soon.

The question is, what does this mean, to you and me or the man in the street?

Internet Service Providers
There are people that actually use IP addresses, where they are a day to day resource. ISPs like us. But even in a small organisation like A&A the allocation of IP is some obscure thing done by someone (me) every couple of years and not a day to day issue. The people on the ground can assign IPs using the systems and no problem. The issue is that I will probably not ever get a new block, or at least one of any useful size, from RIPE for IPv4. I might. It is possible we run low in the next few months and RIPE are not on a "last /8" policy, and we can get more, but unlikely. If I don't have a new block of IPs now, my next block will be a /21 at most (2048 IPs) and that will be it, for ever!!!

So ISPs will be hit soon - running out of IPs, and if they have any sense they have a plan for this, but do they?

Hosted servers
People host servers with ISPs (hosting companies) and expect that they get at least "an IP address" as part of that, if not several. That will stop. Well, it will stop being simple. You have a server (with web site, email, whatever) and you may find you cannot get an IPv4 to use with it. What then? IPv6 only servers? Port mapping? Paying through the nose for IPv4s?

Whole countries
Some countries are embracing IPv6 and already have some IPv6 only services. To deal with such countries even now you have to have IPv6. This will get more widespread.

End users?
For most end users the end is not nigh yet. They have IPv4, even if NAT and NAT and NAT (By the way, NAT is evil!). But I foresee problems. There will be all sorts of niggles and annoyances. Things not quite right. Stuff not working. The big things - google and facebook and twitter - will be fine, but some things won't be. It will gradually get worse and worse. Only once end users have IPv6 as well will there be some light at the end of the tunnel and some things "just work" over IPv6. But when can they get that, by default, from cheap ISPs?

Businesses?
Businesses will be the ones that actually need working internet and for which the increasing problems of NAT, and IPv6 only services, will hit them financially. Any business that uses the internet (who doesn't) and does not have a plan for IPv6 will lose out - end of story...

Crime!
There has to be some crime. IPv4 is becoming a valuable and scarce resource. That has to result in some crime. We are not sure what or how yet, but it will happen. What would you do if someone stole your IP addresses?

AAISP
Even we have some bits not quite right. We have done IPv6 for 7 or 8 years but find snags even now. Our VoIP will be sorted over the next few months. But we are committed to making this work. We can support you as a business in moving to IPv6. OK, yeh, shameless plug, but what do you expect...

Wednesday, 1 December 2010

Government meddling

One of the issues that came up today at the ISPA conference was various sorts of government meddling. As I say, I am not convinced MPs have any clue on the technicalities, but it goes deeper than that.

Super-fast broadband
We have an aim to be the best super-fast broadband in the EU. But to be honest that is daft as there are countries taking it more seriously (fibre to every home) and smaller countries that can do it more easily. It is probably a good aim to have some level of inclusion in the technology in the UK. It helps if everyone has internet access just as it helps if everyone has a phone or a TV. If we have a sensible minimum level of technological inclusion in the community, it makes it easier for business and government to interact with the population at various levels.

The problem is one of defining a good internet connection in any measurable way. The last government were aiming just for last mile access speed (ADSL sync in effect) of at least 2Mb/s. As I saw today, asking where that 2Mb/s goes to, for how much of the day, and for what cost, just confused people. But you can't just say it is 2Mb/s to BBC iPlayer for example. You have to qualify that. When is it 2Mb/s - all day? or "whenever someone wants it"? If you go for all day then BBC suddenly need population times 2Mb/s links and huge links in to ISPs that will never be used else we have not met the goal.

If you dumb down the goal then you get typical consumer internet access, where 2Mb/s line rate may be anything from 100Kb/s data transfer at peak times to 2Mb/s at 1am and never very quick for bit torrents. Such services have a place though. It is these that are the cheap, entry level, services that allow people to get on line and have email and web pages. But they do not, on their own, achieve the goal of good 2Mb/s internet.

So you have to allow competition. Can everyone get internet? Can anyone that wants good internet get it even if more expensive? For that you need infrastructure that is open to all ISPs and can be un-congested if the ISP is prepared to buy enough interconnect. People like BT will not even agree a target of an un-congested network so would never agree to guarantee one. BE-Wholesale seem happier to consider it a target. Even if not a guarantee, you need carriers that accept congestion as a fault and will take action to increase capacity. Thankfully I was able to make this point to BIS to consider in their specification for super-fast broadband. Who knows if the comments hit home?

Monitoring and blocking
We know the government like to snoop and meddle. We have the last lot endorsing IWF filtering and even considering legislating (even though the IWF block list only aims to stop people accidentally finding illegal content, and only on web pages - it does not aim to stop abuse or people accessing it if they want to). See cleanternet.org

We have the DEA with the possibility of technical measures in the future to restrict or block some or all internet access to someone that has not been convicted and not even directly accused of any crime or civil wrong doing, over copyright violations which may be mistakes or the actions of a third party. As one person made a good point today, legally I am not responsible for other adults in my house - I may have some responsibility for children and pets, but not my wife for example. I cannot be punished in law (criminal or civil) for actions of my wife. But the DEA aims to do just that - with many (most?) internet access having some sharing by people in a household, someone will be punished for the actions of another if technical measures are taken.

The DEA is flawed. It has serious holes that make it easy to bypass, not least of which is the customer simply getting a migration code on receiving the first letter. But it is a stick, which can never work. You need a carrot. People will be able to transfer files covertly - there are some serious innovations in anonymous encrypted mesh networks because of this challenge! If anything this is driving some clever network designs but not stopping copying. No stick can work, but more importantly, even if a stick did stop people copying (or your stats say that has happened as you can't see it now) you don't make more money for the rights holder, and that is what matters. Whether someone copies a song, or not, is not what is important to an artist; what matters is not being paid for it. Just stopping the copy being made does not help and just means the artist becomes heard less. What you need is a carrot. Make it easy to get media cheaply and simply. Try and change business models to avoid reliance on control of copying, which is fundamentally impossible now. Trying to enforce a concept based on a time when you could control copying is doomed to failure. So media companies, artists, creators of content - find new models. People want what you make so there will be a business model that fits even if not as profitable as the old way.

Of course now this government is also trying to resurrect the interception modernization programme. They want ISPs to log communications data - who you are emailing, including every spam you get or is sent in your name. The concept is flawed. People can get around it. Bad people will. It is well documented how to bypass monitoring and this is necessary for people living in oppressive regimes where the governments snoop on everything and take action without legal process (yes, I know the UK is starting to sound like that). The cost will also be huge. The data will be meaningless (think how much spam you see), and that is before people try to poison the data with fake emails and calls.

Net neutrality
We then have the non story of the end of net neutrality - even though it never existed, and the strange concept that "no service should be blocked or disadvantaged for commercial reasons". But I co-locate my email servers on my network, for commercial reasons, disadvantaging competing email servers. That is how it works. Forcing ISPs to run independent networks to slow down some traffic, and not to peer with other providers but all go via a common neutral transit provision is madness. No, that is not what they are saying, but try and define a law on net neutrality that does not have that implication?

Encouraging growth
All the time we have the complex and expensive and damaging suggestions, the government wants to grow the economy, encourage ISPs and create a digital Britain. They have it backwards. ISPs need freedom from meddling.

It's all messed up, IMHO.

Grr, MPs with no clue

Ok, drives me mad. Politicians with no clue on the technicality.

We have had comments on net neutrality, but not understanding the issues.

And a shadow minister in ISPA today talking about the now defunct idea of 2M minimum broadband.

I asked "where to?". I had to explain that it may be 2M at the end user, but where is the other end? 2M to Germany, to the US, to where?
She said to the exchange. OK, so I said that 10k from the exchange would be OK?
She did not understand and said show me an exchange with only 10k.
I asked again, what was the commitment?
She said that the smallest link in the chain has to be 2M

Sadly I did not get to debate more. 2M at the smallest link in the chain is meaningless anyway. For a start, does that mean I can run a million 2M lines on one 2M backhaul and that is fine? Does it mean that every web server in the world must have a 2M link, else they are the smallest link in the chain?

They simply do not understand the difference between the speed of one link such as a broadband line, and the usability of the internet as a whole and all of its components. They also do not understand contention or congestion...

Yet they make laws!