2022-08-16

WiFi is not Internet!

xkcd.com/2659
I know most of you will know this, but I hope it is helpful.

Typical home internet

A typical home internet will involve some connection, usually over wires or fibreglass, maybe even radio / mobile / satellite, and maybe even some combination of these with fallback.

But ultimately it will end up on a box, a "router".

For most people that router will have WiFi. It will have a label or card or some such with the name of the WiFi and password, e.g. vodagin5A4C and password kjhasd87af, which you will have dutifully typed in to your iPhone and iPad, and so on, to make it all work.

For most people that WiFi connection is "the Internet".

If you change "Internet provider", the new provider sends a new box which you plug in and you have new WiFi details to use.

So for most people WiFi is "Internet"...

WiFi and Internet are separate things

In practice the WiFi and Internet connection are separate things. It is just that your provider has created a nice simple package that provides the whole solution. Which is nice.

The Internet connection is the wires/fibre/etc that connect to your router. The router will probably have an "Ethernet socket" on it, or several of them. The WiFi part is the radio link from that router to your devices. These are actually separate things.

Using wires

The first thing to learn is that you don't have to use WiFi at all. Yes, your average phone or iPad will use WiFi, but if you have a laptop or desktop computer, especially if it is in a fixed location like a desk, you don't actually have to use WiFi. The Ethernet port on your router can be connected using a cable to your computer. You can even install cables permanently in your home to connect places like a desk to where your router is located. Some people install Ethernet wall sockets and have a place where they all go to which allows them to be connected as needed to equipment like a router.

You can also use switches, small devices that have multiple Ethernet ports, to make this simpler - e.g. one wire to your desk, and a switch allowing several things on your desk to connect using Ethernet cables. In some cases you can get a switch which provides power via the Ethernet cables - this can be useful for things like an Internet connected telephone, or cameras, etc. This also works for most TVs and set top boxes.

The "speed" you experience when accessing the Internet will basically be the lower of the speed of your Internet connection and the speed of your WiFi. If you have a large house or thick walls you may find the limiting factor is the WiFi. It can also be a bit unreliable. Using cables will be much more reliable and faster meaning the limiting factor is the Internet connection. So if using a computer at a desk, e.g. working from home, using wires is by far the better option. It does not stop you also using WiFi for things, at the same time.

This wiring is not specific to your Internet connection, if you change ISP, you simply connect the wiring you have installed to the new router they provide. The wiring is infrastructure in your home, just like electrical wiring or plumbing.

Better WiFi

The next thing to realise is that you don't have to use the WiFi your ISP included in the router. You may be able to get a router without WiFi (perhaps even cheaper), or have it turned off. Some routers even have a button or switch to turn the WiFi off, or perhaps a setting you can change. You can leave it on, but better to turn off if not using it.

You may still want to use WiFi, obviously. WiFi uses an "access point" (AP). This is the radio part that your phone, etc, connects to. The router from your ISP has an AP built in to provide WiFi.

The clever bit is that you can have your own separate AP. You can even have more than one AP for the same WiFi network. If you have a large house you may want an AP each end of the house, or each floor. If you have thick walls (as I do) you may even want external (weatherproofed) APs to allow WiFi outside.

There is a lot of choice in terms of the WiFi APs you get. Ideally you use Ethernet cables to connect these APs to your network (and to the router for your Internet connection). You can use a power over Ethernet switch with many APs, meaning that you only need an Ethernet cable and don't have to also run power to the APs. It is also possible to get APs that are designed to "mesh" - connecting from one AP to the next using radio - these need power but don't need the Ethernet cable. This is not as good as using cables to all APs, but sometimes is the best you can do.

At the end of the day it is all down to budget, there are APs that are hundreds of pounds, and there are cheaper ones. Ideally you want APs that are designed to work together so they "hand over" your connection as you move around the house making it seamless. You don't "see" lots of different "WiFi" - you see one WiFi that works everywhere in the house.

Much like running your own wiring and switches, these APs are yours to set up for the best working in your home. They are infrastructure in your home. If you change ISP you simply connect to the new ISP's router.

Signal strength

Of course, having sorted your (multiple) access points, you now see your nice strong WiFi signal strength. But remember, WiFi is not Internet!

If you have a "really good WiFi signal", that just means you are well connected to your AP. It does not have any bearing on speed or quality of your "Internet connection". A comment by @markusl@fosstodon.org: "This does seem to be a real cause of confusion. It took me a long time to explain to Mrs Wife why having a strong WiFi signal at both ends of a video call doesn't guarantee good call quality".

I name this WiFi ...

xkcd.com/2199
One of the nice things about using your own APs is you get to name your WiFi. To be fair, you can usually do that with an ISP provided router, but so many people don't do this. You can give the WiFi any name you like (even with emojis), and your choice of password.

There are loads of more complex options, multiple networks with different firewalling and security, and so on, with different named WiFi (all on the same APs), and so on. But that is not necessary for most people.

So it is worth thinking about things separately. Sorting out your home network - quite separately from deciding on a suitable Internet access provider. Some people even change ISP to get "better WiFi", which, as you can see, is not necessary - pick an ISP because of the Internet connection, and make sure your home infrastructure does what you need.

2022-07-28

Research on misdialled numbers

I am considering if there is research on this, and even if I should do such research.

This is slightly relevant to things like W3W. I don't think they did any research of mis spoken, mis remembered, mis heard, and mis typed, random words, to be fair. Words work well in context and are shit when random from a huge dictionary (especially when beyond most people's vocabulary and available in multiple languages). Heck, even in "context" the classic game of "Chinese whispers" shows how shit this is.

But conveying numbers is a totally separate issue - a much smaller space to play with, except people "group" numbers internally. The whole concept of phone numbers in UK works well with area code (a familiar number sequence) and then number. People cope well with local numbers. They cope well with numbers in neighbouring area codes.

It has been long known that people can "transpose" digits, and this is why some check digit systems (like used on credit card numbers) specifically target digit transposition.

But people can also group sequences of digits in various ways. The ways they are presented with spaces matter. They create patterns. People are good with patterns.

I am well aware of two distinct misdials, and they are quite different.

One is seeing 0XXXX 400 000 and dialling 0XXXX 400 400. This happens a *lot*. We changed to not even publish 0XXXX 400 000 so as to avoid this.

One is seeing 0XXX 0 112 112 and dialling 0XXX 112 112 0.

This latter one is weird, in my view. I don't grasp why it happens, but it happens around 4 or 5 times a month. People misdial Screwfix's number and get me!

This is really not something I expected, which is why I wonder if numbers being mis handled is a topic for research.

We know W3W is crap, but can research make normal grid references and phone numbers better, if we understand how people get them wrong?

2022-07-19

How did the aircon cope?

Well, it coped quite well.

The red line is the temperature at my desk, which I was aiming for 22C. In practice the floor ends up around 20C.

The interesting bit is the blip around 13:00 where it got colder. It seems that the aircon is not doing what I expect. In order to control the temperature at my desk rather than at the wall controller or the air inlet in the loft, I tell the aircon a target temperature. When too cold I tell it to cool to 5C higher than the wall controller. When too hot I tell it to cool to 5C lower than the wall controller. This works to turn the compressor off or on. But as the inlet (pink line) got hotter we got to a point where telling it to cool to 5C higher was not turning the compressor off. This means that it is clearly using the inlet as a reference, or possibly inlet and controller average. The inlet is interesting as (being ducted) the air leaves my room, via some ducting in to the aircon in the loft, and the loft temperature was up to 40C, meaning the inlet temp sensor was way hotter than the air actually leaving my office.

This is rather annoying as there is an explicit field setting to tell it what to use as a reference and that is set to the wall mounted controller. The fix was to change my code to allow me to expect the reference to be the inlet temperature or the controller or average of the two. As you can see, that fixed it.

However, from around 14:30 it was not going below 22C. The thicker line is my code making the fan speed higher in an effort to get it to go down to 22C. The compressor was on and the coolant was cool. But it was struggling. My office got up to a roasting hot 22.4C :-)

All this was on one of the hottest days of the year. So, yes, I think it is working well :-)

2022-07-15

It's bad luck to be superstitious

How was it not Friday the 13th today?

I am not one for "bad luck", but today has been quite special, so much so I felt it worth some blogging, sorry.

It all started quite innocently - the locksmith was finally coming to fit an EL560 lock on the back door with my Solar System door entry control system. The plan for that door is that it will be "unlocked" during the day, only having access within our grounds. But locked when we leave and alarm set, and locked at night. This means we need a way to "lock" the doors at night. So I decided to install this - you press the button when going to bed and that makes sure all doors are locked.

Yes, it is a mess, and that is partly because of the first issue - there was a wooden stud in the way, even though I was sure I checked. So a lot of chiseling. Plaster and paint will fix.

Installing this should be simple, need live/neutral from adjacent light switch. It is a Shelly Plus 1 running alarm code and linked to the secure alarm network, so simple. Except things went wrong.

  • First off I managed to "borrow a neutral", which does not go well with RCBOs. But easy to sort, get live and neutral from the same circuit. I forgot the light switch was on both down and up stairs lighting circuits.
  • Then, well it did not come on. In fact none of the lights in the south of the house came on, it seems.
  • The light was fed from another light switch - now this is a house rewired only a couple of years ago by the previous owners, so I take no responsibility for this mess
The light switch from hell

Somehow this was not right, no power. I checked for loose wires, and no joy. OK to be fair, one earth and one live were not connected (!) but putting them back did not help. No power on any brown wire in the box, well, any wire at all. I even re-did all the WAGOs, and no joy. I even checked the RCBO in the consumer unit. No joy. But I realised one light was on. So the issue was between the lights.

Just to add to the "not actually Friday 13th", in the middle of this, when testing on another switch I was puzzled that the switched on the upstairs lights did not show live. I was using a simple (and I know they are iffy) electrical test screwdriver, and it was showing nothing. It seems, in the middle of my trying to diagnose this, my screwdriver had actually failed! I got a new one from Screwfix.

At this point it was time to bring the sparky in - wiring an extra switch I could easily do - solving this was getting beyond me. I mean I have A level physics, and a degree, and I could work it out I am sure, but really, to be on the safe side, getting someone who knows the conventions and rules for wiring a house was in order.

So the sparky tried to trace the issue - it looks a lot like a break in live from the light that is working to that light switch from hell mess. But not completely open - showed some voltage. Great. But then we realise the cloakroom was on, and that is a second light on the same circuit, so let's test from there. One touch of the wiring and the circuit trips.

We have now moved from an open circuit to a fault that trips an RCBO, but takes maybe a second to do so. The second working light had been working, but the wiring was in an old ceiling rose shoved behind the ceiling which promptly snapped, so replaced by a nice new joint box and WAGOs. If that was the cause of the fault it should all be sorted now. No such luck!

Still tripping. Arg. OK, so on to the light switch from hell as pictured above. So the plan was to try and work through its nightmare circuits one by one. First step, chop off the 8 way WAGO for 8 of the live feeds. Test, and WTAF, all the other lights in the house now working. The fault is gone, and the short is gone, and the open circuit is gone.

OK, test them all, and no problems found, to connect back one by one, and well, all 8 back and all working. These are a number of outside lights and stuff. But just reconnecting all 8 live wires to a new WAGO and it works. Arrrg!

Then we discover that somehow tripping the RCBOs has killed 5 of the Shelly in the lights, so next to work on that - but in the morning. That should not happen - I know some of the shit involved in electrical interference immunity testing for CE, and this should not kill a Shelly, really!

So that was the power nightmare - somehow two separate and unrelated faults happen when I am doing something minor, and one remains 100% unexplained. In the end, my switch and indicator are fine, as I had wired them.

Now for the lock fun - a simple job as the locksmith had practiced on my office door and the outhouse door already and was all over confident "simple, 2 hours". Then he realised he did not have to drill the whole door width for a power cable as it could be done with a groove, and that the keep was the same place and size for the new lock, and did not need changing. So he was all super confident this would be easy. Spoiler: it was not.

It went OK to start, but then the lock was not working, and the handles not working, and then the keep not engaging, and then the spindles somehow started to slip and stopped working, and well, everything went to shit - and he is on the clock, after 6 hours here, he has to catch a plane. So we now have a door that is "technically" secure, but far from pretty until he gets back from holiday. With him, and the sparky, alternating in finding impossible shit happening with their jobs, at the same time.

So seriously a lot broken, a hell of a lot. Stuff totally unrelated all happening at once.

Then, to top off the day, just as things calm, and I decide I am doing nothing now but watching TV and drinking whisky, on basis they cannot go far wrong, I get this from my son.

Is this a bad sign, dad?

Err, yes! But at least he has a working screwdriver! It is a really sensitive LED based one though, so lights up if you sneeze too close to it - turns out he just had a loose wire in the switch.

P.S. Some credit to Shelly. Whilst we have had, in the past, some Shelly 1 struggle with heat and fixed by replacing with Shelly Plus, and I am pretty sure we have had a Shelly die before. On this occasion it looks like it was actually intended behaviour - tasmota code has a last ditch recovery mode config reset if you power cycle it several times quickly - which is, of course, what was happening, and resulted in four of them simply being factory reset, and hence easy to fix.

2022-07-02

A flaw in GDPR

One of the aspects of the General Data Protection Regulation (GDPR, and UK GDPR) is that you can expect the personal data an organisation holds on you to be accurate.

Specifically, that if it is inaccurate, you have a right to rectification, and you can require them to correct it and make it accurate (even if the ICO don't quite understand that, it is the law).

This is important if the information is mistakenly wrong, but also if it changes over time...

  • If you move house and your postal address changes
  • If you change your name
  • If you change your gender
  • If you change your title
  • If you change your phone number
  • If you change your email address
  • Etc...
(obviously if someone has a record of "the postal address you had when you signed up", then that does not need to change just because you move, unless it is a mistake, but a record of "current address" needs to change when you move).

The organisation has to, legally, rectify the inaccurate personal information they hold on you when you ask them to. That is the law.

But, in my opinion, there is a flaw in GDPR. When "signing up", "registering", etc, when first becoming a data subject with an organisation, it is apparently legal for that organisation to impose rules on what they consider acceptable personal information.

A perfect example is, apparently, British Airways, this week, refused to accept someone that was female and a Doctor, as the gender and title did not match!

But organisations will decide someone cannot have a first name that is one letter, or that you have to have a first and last name, or that your email address cannot have a dot before the @, etc.

Of course, the person could have recorded themselves as male and a doctor, and having been accepted they could require the incorrect personal information be corrected, under GDPR. The same is true for email addresses that an organisation decides is not valid, or a phone number, or postal address or name, etc. Ultimately, legally, they have to accept the accurate personal information in the long run if you required them to rectify the inaccurate personal information they hold and collected at "sign up".

But it seems nothing in GDPR requires that organisations accept the "accurate" personal information from data subjects "in the first place". They can make any arbitrary rules they wish. So we see shit like this, even for perfectly valid email addresses.

To be fair, companies can, and should, validate that something like an email address is valid and is the subject's email address. That is part of GDPR when it comes to rectifying personal data as well. But if it is valid, they should accept it, in my view. Making random rules on names, genders+titles, email addresses, phone numbers, etc, are all stupid and should be fixed by an update to the law.

I feel GDPR (or UK GDPR) needs updating so that no data controller can discriminate (i.e. refuse to accept a new data subject) based solely on the format or syntax or rules they have created relating to any valid and accurate personal information at the point of becoming a data controller, any more than they could at the point of being required to rectify inaccurate personal data later.

The fact this is not part of the GDPR, is, in my view, a flaw, that needs fixing.

I have written to my MP asking for this, maybe you could too?

2022-06-29

The round one

As previously blogged, I created an NFC RFID reader based on the PN532 NFC chip.

It works well, and includes red/amber/green LEDs and tamper switch and even contacts for a "door bell". This makes it ideal for access control.

But I decided some cases may look better with a round module. So I wrote code to measure track lengths in KiCad PCB files, and then code to make a spiral track, which I made the same length, and then made a round version of the same thing.

It works. It worked first time. Indeed, the solder paste and cook worked first time - no re-work - no glitches - just worked. I am really pleased.

One of the small tweaks was around the reverse mount LEDs which used to tombstone in the oven - that is all fixed nicely now.

Other changes are that the connectors are all SMD now to make the other side "clean".

Which leaves me wondering if I should add a logo or something on that side. I am really not sure. I also think purple solder resist may be nicer. The main thing is I want a distinctive appearance / brand that can compete with elechouse on Amazon. Suggestions welcome.

Of course, what is super frustrating is that these are all prototypes - I cannot really make commercially until the global component shortages are sorted and I can actually order 100 of the PN532 or indeed anything else! Once sorted, I plan to put these on Amazon.

2022-06-28

ICO and NHS

I have a short email address. Those that know, know, so not posting here.

Suffice to say it is of the form x@x.xx so is only 6 characters. It is 100% valid. I have used it for a couple of decades now - this is not new. I am not alone. [side note, I tried to sort x@xx email, which is not easy, and did not get off the ground, but some people have done this, and it is valid]

I registered to get access to on-line COVID passes with the NHS or is it NHS Digital, or what? To be honest it is not 100% clear. Privacy policies and the like should make this clear, but even now I am not sure. My MP believes it is Welsh government. The fact I am not 100% sure is part of the problem.

[update: https://access.login.nhs.uk/privacy says it is joint data controllers of the devolved (Welsh) administration and NHS Digital]

They would not allow me to register, so I created a temporary address (longer) and registered. Simple. I even have the whole domain rfc2822.uk for this purpose.

I then tried to change the email address to my normal x@x.xx email address, and their system would not accept it.

NHS expecting me to change my personal data to fit them

So I emailed their data controller requiring them, under my right of rectification under (UK) GDPR to correct my email address. They refused. Note the original (temporary) email is no longer valid, and hence meets the definition of not "accurate" personal information. Indeed, I do not even have the domain any more.

I wrote to ICO, and have exchanged several emails to ICO, and escalated and asked for review of the case.

Basically the ICO said: There is nothing in data protection legislation that prevents an organisation from having a system that has a minimum requirement for an email address.

This seems odd, as how can an organisation accurately record personal information if they do not accept a valid email address, i.e. they have a "minimum requirement" for what is "valid"?

This has gone on for some time, and I am not alone, there are others I know with similarly short email addresses that have issues with NHS (and other organisations). There are others I know with related issues on incorrect data validation at "sign up".

Just to be 100% clear, the NHS fully accept my email address is a valid email address, and have emailed me, to that email address, to say so, as have ICO.

I also asked ICO more generic questions about whether an email address is personal information, and if I can expect (require) an organisation to correct it when it is wrong. They confirmed that is the case, so I again wrote to NHS quoting them - no reply. What a surprise.

I have written to my MP as well, and asked them to chase, and they have written to NHS (Welsh Government).

Latest from ICO is "For clarification, as the NHS has not recorded your email address then we are unable to suggest that they are recording inaccurate information. 'Inaccurate' would apply to information that was recorded incorrectly. There is no suggestion that they have done this."

Seriously, I'm shocked. This has, all along, been about the NHS refusing to correct my email address. So I have explained, again, to the ICO, that the NHS have recorded my wrong email address and are refusing to enact my request under my right to rectification to correct it under UK GDPR.

We will see how it goes, but this is a matter that relates not just to email, but other things.

  • Organisations will insist someone has to meet some format for a name - a forename and surname (not all have this), a name with more than one letter (not all have this), etc.
  • Organisations will insist a UK mobile phone number has to start 07, and organisations will even blacklist some operators 07 mobile numbers as not valid mobile numbers!
  • Organisations routinely try to impose rules on email addresses.
  • I really expect organisations to have shit when it comes to recording gender, which is rather topical.

The law does not stop companies from having rules to take their service as long as not discriminating based on some protected criteria. They can refuse me because my email address is too short. IMHO this is wrong.

But once they have accepted a customer/client, perhaps with wrong, or temporary personal details, they do have to comply with GDPR and have to correct incorrect personal information. So it would be better if they accept the correct personal information in the first place. It seems to me that GDPR (or UK GDPR) has a flaw in not covering this properly for "sign up". People should not be able to use email address, mobile number, name, or gender, as a reason to refuse to accept a customer/client.

This is even more so when it is not some company, but an organisation like the NHS. I have an NHS presence, I have to, as a UK citizen, and they have data on me right now that is not "accurate". That needs fixing.

Update: 1st Jul: The ICO now seem to be suggesting that because the email address they recorded at the time was correct (accurate) that they do not have to correct it now that it has become inaccurate. This would suggest organisations do not have to update name, address, phone number, email address, well, any personal information they hold when it becomes inaccurate over time. That seems a stretch!

Update: Someone has suggested this is "the same on all GDS platforms", and that it is not fair for me to "bother" the NHS. I appreciate the NHS have a hard time, but if this is the case then all the NHS have to do is contact whoever maintains their platform for them, explain they have a legal requirement to correctly record personal data, so have 30 days to "fix" this, and the NHS will have done what they need. Instead the NHS have so far chosen to spend time arguing with me, and then updating their site to state that an email address has to be at least 7 characters (previously it accepted it but did not send the confirmation email so it did not work). At the end of the day, someone, somewhere, on some platform, just has to change a 7 to a 6 in some code (or better still, follow the RFC for validating email, which will be a simple regex or library). It is not a hard fix for whoever does it - if the layers of people above that, all the way to the NHS, simply tell them to do it.
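The difference between a length floor and a syntax check, as an added example (this is not the NHS login platform's code, which the page does not show). `length_floor_check` models the 7-character minimum described in the update above and `rfc_syntax_check` follows the RFC 5321 mailbox grammar for unquoted local parts and host names; the function names and the sample addresses are constructed for illustration.

```python
import re

# RFC 5322 "atext": the characters allowed in an unquoted local part.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom: runs of atext separated by single dots (no leading, trailing or double dot).
_LOCAL_RE = re.compile(_ATEXT + r"+(?:\." + _ATEXT + r"+)*")
# Host name label: letters, digits and hyphens, 1-63 characters, no hyphen at either end.
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

MAX_LOCAL = 64    # RFC 5321 section 4.5.3.1.1
MAX_DOMAIN = 255  # RFC 5321 section 4.5.3.1.2
MAX_PATH = 254    # 256-octet path limit (4.5.3.1.3) minus the two angle brackets


def length_floor_check(address: str, minimum: int = 7) -> bool:
    """Model of the rule the page describes: anything shorter than `minimum` is refused."""
    return "@" in address and len(address) >= minimum


def rfc_syntax_check(address: str) -> tuple[bool, str]:
    """Return (ok, reason) for an ASCII address.

    Assumption of this example: only dot-atom local parts and DNS host names are
    handled. Quoted local parts, address literals such as [192.0.2.1] and
    internationalised addresses are rejected rather than parsed.
    Syntax says nothing about ownership; that still needs a confirmation email.
    """
    if len(address) > MAX_PATH:
        return False, "address longer than 254 octets"
    local, sep, domain = address.rpartition("@")
    if not sep:
        return False, "no @"
    if not local or len(local) > MAX_LOCAL:
        return False, "local part must be 1-64 octets"
    if not _LOCAL_RE.fullmatch(local):
        return False, "local part is not a dot-atom"
    if not domain or len(domain) > MAX_DOMAIN:
        return False, "domain must be 1-255 octets"
    # RFC 5321 allows a single-label domain, so x@xx is syntactically fine.
    for label in domain.split("."):
        if not _LABEL_RE.fullmatch(label):
            return False, "bad domain label: %r" % label
    return True, "ok"


# Constructed sample addresses, not taken from any real system.
SAMPLES = [
    "x@x.xx",                  # 6 characters, the form discussed on this page
    "x@xx",                    # single-label domain
    "first.last@example.org",  # ordinary address
    "a..b@example.org",        # double dot in the local part
    "user@-bad-.example",      # hyphen at the ends of a label
    "@@@@@@@",                 # 7 characters of nonsense
]


def compare(samples):
    """Map each address to (length floor result, syntax result)."""
    return {a: (length_floor_check(a), rfc_syntax_check(a)[0]) for a in samples}


if __name__ == "__main__":
    for addr, (floor_ok, syntax_ok) in compare(SAMPLES).items():
        print(f"{addr!r:28} length>=7: {floor_ok!s:5}  syntax: {syntax_ok}")
```

The length floor refuses the two short but well-formed addresses and accepts the three malformed ones, so it is wrong in both directions.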

2022-06-19

Euro profile locks - a few tips

Test door, lock sticks out a bit!
Euro profile locks are a doddle to change - it is literally one screw, and you can slide out the old lock and slide in the new locks. They are easy to buy, or order on-line. But a few quick tips:

  • You need to order the right size (inside and outside). This is the distance from the centre of the lock to the key slot each side. Usually available in 5mm steps. You want it just right, not sticking out, though good locks have a snap off part if someone does take pliers to it.
  • You can order keyed alike locks so they all have the same key, which can be very handy. Somehow people don't realise this!
  • There are loads of different quality and prices of locks.
  • You can have key both sides, or one side with a thumb turn, or just keyed one side and blank the other side even (half lock).

So, when we moved in, the first thing I did on day 1 was order new locks. Five of them. The house had all been recently re-done and the locks in the house already were all brand new, so a bit of a shame. But I wanted higher quality locks and did not want five different sets of keys (don't people know you can get locks that have the same key?).

Cheaper lock

I ordered like for like, the same size, and keyed both sides as that was what was in the house.

Unfortunately, after a little while we realised the choice of locks was wrong. You do not want keyed both sides. The reason is that the doors were all multipoint locks, and only locked by turning the key. Without that someone can literally walk in from the street (which has happened!). But this means you can only use the door from the inside if you have a key to unlock it. This means if there was a fire in the night when the doors are (obviously) locked, you need a key to get out. Remember the house originally had 5 sets of keys so you need to find the right key for the door by which you are trying to escape from a fire.

The short term fix, a key on a hook by the door, but that is far from ideal. Obviously.

Thumb turn on inside
So I ordered another complete set of locks (getting expensive now) with thumb turn on the inside. This means you can always lock or unlock the door easily from the inside without a key. Importantly it is not hard to unlock if trying to escape a fire. I actually disposed of the first set of locks as no use to me any more.

As some of you know, I have a complete door access control system and alarm system, but changing locks means a locksmith and time and money, so even though we have been here over a year I had not yet changed the locks. I was also researching the right lock for the job. Being a house, I really don't want an "exit button" and an "emergency break glass" by every door. I also wanted a "fail secure" so a power cut when we are away (long enough for battery to drain) does not leave all the doors unlocked. But I also want it "safe" so always possible to get out in a fire even when nothing is working electrically.

So the locks are Abloy EL560. I have been testing on my office/study door, meaning we now have six locks. This is great, it is fail secure (i.e. power fail is locked). But it can always be opened from the inside with the handle, and with a key. It also has signals so you know if opened by handle or key. This is great.

RFID reader
They are being installed in the rest of the house shortly, with my AES DESFire based readers to open from outside - nice and secure, and all links in to the alarm system.

However, if it was to be opened from outside using a key, I would want the alarm to know this, and disarm. The idea is we can trust a key. That is fine, I simply configure the system to disarm when the key is used. The system is very flexible and easy to configure for various types of lock.

Except... I have thumb turns on the locks on the inside. I don't need these now as you can open the door with the inside handle. But if I set the system to trust a key it trusts the thumb turn as well. Someone breaking in only has to turn the thumb turn on any door to disarm the alarm. So yes, obviously, it is not being configured to do that (yet). Indeed, one approach would be you have to enter a PIN on the keypad if not using a DESFire fob, even if you did use a key. Given how easily keys, even high security keys, can be copied or 3D printed, this may be sensible anyway.

The real answer is order locks keyed both sides, or even no key at all on the inside now.

I had a full set of locks just like that from when we first moved in. I have disposed of them. Arg! So another set of locks, six this time.

The moral is never throw anything away, ever!... I should know this already.

2022-06-15

IPv8?

I should write up my concept for IP. This is literally stuff I dream of!

This is totally "if I had a time machine and could fix IP at the start" and very much not a "this is what we should move to". The time taken to get IPv6 deployed (over 50% in US now) shows this would never fly.

So my idea is this...

IP addresses would have multiple levels, tagged at the binary level in some way to allow each level to be different number of bytes, and allow for multiple levels - perhaps top two bits say length of each level. The exact detail on this is not that important other than the fact it is "variable" in some way and a fixed pattern for any IP address to allow hardware to cope. The displayed format is not that important either, but probably a series of decimal numbers with a separator.

The top level of any target IP would be AS number. This is still routing packet by packet, not session routing. So an ISP level core router needs a simple top level binary decision: is target outside our AS (so send to target AS) or within (so send to next level at byte X in packet). Yes, a router could have more than one role as more than one AS maybe, but in general it is simple. This is the sort of thing that can work at a hardware level in ASICs without too much issue. A CAM at top level for sending to AS and a CAM for "within my network (AS)" level.

Routers below this level are similar - "is it my network" do routing to "next level", or I send "upstream".
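To make the levelled address and the "is it my network" decision concrete, here is an added sketch (not code from the post). It assumes one possible layout: a count byte, then levels whose top two bits select a size of 1 to 4 bytes; the function names and the AS number 64500 used to exercise it are illustrative only.

```python
# Added illustration of the levelled address idea; the exact layout is assumed.
LEVEL_BYTES = (1, 2, 3, 4)   # assumed: top two bits of a level select its size

def encode_level(value):
    """Pack one level into the smallest size whose spare bits hold the value."""
    for tag, size in enumerate(LEVEL_BYTES):
        bits = size * 8 - 2
        if 0 <= value < (1 << bits):
            return ((tag << bits) | value).to_bytes(size, "big")
    raise ValueError("level value out of range")

def encode(levels):
    """Assumed wire form: one count byte, then each level in turn."""
    if not 1 <= len(levels) <= 255:
        raise ValueError("bad level count")
    return bytes([len(levels)]) + b"".join(encode_level(v) for v in levels)

def decode(buf):
    """Return the list of levels, rejecting truncated or padded input."""
    if not buf or buf[0] == 0:
        raise ValueError("empty address")
    pos, levels = 1, []
    for _ in range(buf[0]):
        if pos >= len(buf):
            raise ValueError("truncated address")
        size = LEVEL_BYTES[buf[pos] >> 6]
        chunk = buf[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated address")
        levels.append(int.from_bytes(chunk, "big") & ((1 << (size * 8 - 2)) - 1))
        pos += size
    if pos != len(buf):
        raise ValueError("trailing bytes after address")
    return levels

def forward(my_prefix, next_level, dest):
    """Per-packet decision for a router that owns my_prefix (a list of levels)."""
    depth = len(my_prefix)
    if dest[:depth] != my_prefix:
        # Core (AS-level) routers send towards the target AS; others go upstream.
        return ("to-as", dest[0]) if depth == 1 else ("upstream", None)
    if len(dest) == depth:
        return ("local", None)
    return ("down", next_level.get(dest[depth]))   # None means no such route
```

Each router only compares its own prefix and looks up one further level, which is the two-table (AS, then within-AS) decision described above.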

The concept is that the IP would actually go in levels from AS, to areas within an AS (if needed), to customers, to devices on customer networks, and even include "port" within the device. No need for NAT ever. Ultimately extensible at ISP or customer or network level and even within device to allow more ports (which can be an issue). Some limit on levels, and bits at each level, but more than enough.

Yes, TCP and UDP would change to not have a port where it is now, but part of the IP addressing.

As for allocation and RIRs, the allocation would be AS, and anyone with an AS controls as many IPs within that as they need.

More ports

Also, the session connection to a device would be a protocol in itself, for things like TCP (maybe even UDP and others), where the connection is to the device IP address (not a port level) but the payload includes a text port name. So https would be to port "https" not port 443. The reply would confirm the actual target IP (which includes port ID) to use for that connection. This allows target port to be unique without mapping the source IP/port and target IP/port normally needed to identify TCP socket within a device, even as a server. So simpler code (yes, check the IP/ports are right when you match it).

I also think that, unlike IPv6, which has a separate standard header for encryption (which therefore does not actually work for TLS we have now), TLS would be an option in that SYN, along with port name. So port "http" can request TLS or not as a standard start of that session, with things like "use previous authentication session" as an option at the SYN level for faster connections. Ideally the application calls for TCP would make it very simple for any stream to be TLS or not with minimal coding overhead.

Multihoming at TCP level

Also, you need protocols like TCP to be multi-homed at the TCP level. Mobile phones can already do this to some extent. Connect to a name, not an IP, and it has multiple IPs, but allow the IPs to change during the session if needed, either end, as part of the connection protocol. This avoids the need for multihoming at the BGP level, and IPs can start with AS at a top level regardless.

No, not "IP is the route" - still routing path redundancy

Just to be clear, this is not saying the IP is the route to the end point, either. The route taken would be determined by routing protocols like BGP, and still have the alternative paths and redundancy that exists now to get to an AS, and within an AS. The only real difference is that core routing policy would almost certainly not allow announcements below the AS level, hence keeping routing tables smaller. At present IPv4 does not work (by policy) smaller than a /24, for the same reasons. This just makes a really simple and obvious policy at the inter-AS level. It also means each AS only needs to originate one prefix (their AS) whereas now they originate loads of separate blocks. That one prefix is extensible as much as they like. Indeed, the role of RIRs for IP management would pretty much vanish as having an AS would entitle you to allocate IPs under that AS, and originate routing for those IPs from that AS.

Comments and discussion welcome - but remember this is essentially just a thought exercise.

Alternatives rejected

This idea is still per packet - a totally different approach involves a connection based system. Establish a route over the internet as you connect and each point reports the connection id, and at the start you send to the local connection ID which is mapped to next hop connection ID. It could work but is a massive amount of "state" in the core, and I don't think a viable approach. Sorry.

2022-06-12

Un-mapping CGNAT for IPv6, etc, with no overhead?

Some links are IPv4 CGNAT (notably Starlink at the moment).

What if I want IPv6?

Well, a simple approach is something like L2TP. The issue is that this is IPv6 over L2TP over UDP over IPv4 over CGNAT, and that means a much reduced MTU. This is not the end of the world if you know you have the reduced MTU, but a shame.

So would there be a way, even if only for outgoing sessions, to "tunnel" the IPv6 over IPv4 with zero overhead?

I think so. You need something in the Internet with IPv6 and something on the network that is stuck behind the IPv4 CGNAT end point.

The trick is that an IPv4 header is 20 bytes shorter. So if you reduced an IPv6 packet to IPv4 you get 20 bytes spare. You could tack something on to the end of the packet, and it should arrive at the tunnel endpoint via the CGNAT over IPv4.

So why not tack on the original external IPv6 address?

Yes, the source address would have to be tracked using NAT of the IPv6. And indeed, one could say you only need to tack on the original IPv6 at the start of the session as once you have created the NAT session you know both IPs involved.

Only catch is that TCP, for example, does not normally have extra data on SYN packets, so you have to check they arrive intact. One would hope so.

OK scrap that - I have a better idea :-)

You establish a link, maybe simply a TCP session, between your devices, outgoing via the CGNAT IPv4 to the far end. You use this to carry some control data. It could even be TLS with client cert, etc, for security.

Every outgoing session you create you send details over your TCP control link to the far end with details of that session, and it allocates an IPv4 UDP or TCP port for you and advises over the TCP control link. You can then send a new packet of the same type, e.g. TCP/UDP, to the far end. This then maps through to the IPv6 addresses you want to use, and the original ports. The CGNAT is then used to carry each new packet in or out over the session map each end.
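The far-end session map for the outgoing case can be sketched as follows. This is an added example, not code from the post; the class and method names, the port pool and the documentation-range addresses are assumptions, and pinning each allocated port to the first CGNAT source seen is an extra check added here so that a stray sender to that port is not mapped into someone else's IPv6 flow.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    """Session details the inside end sends over the TCP control link."""
    proto: str
    src6: str
    sport: int
    dst6: str
    dport: int

class FarEnd:
    """Endpoint outside the CGNAT with both IPv4 and IPv6 (names are assumed)."""
    def __init__(self, first_port=40000, last_port=40003):
        self.free = list(range(first_port, last_port + 1))
        self.by_port = {}   # (proto, allocated IPv4 port) -> Flow
        self.pinned = {}    # same key -> CGNAT (address, port) seen first

    def open(self, flow):
        """Control-link request: allocate an IPv4 port and advise it back."""
        ipaddress.IPv6Address(flow.src6)   # raises ValueError on bad input
        ipaddress.IPv6Address(flow.dst6)
        if not self.free:
            raise RuntimeError("port pool exhausted")
        port = self.free.pop(0)
        self.by_port[(flow.proto, port)] = flow
        return port

    def from_cgnat(self, proto, nat_src, dport, payload):
        """IPv4 packet arriving via the CGNAT -> IPv6 packet to forward."""
        key = (proto, dport)
        flow = self.by_port.get(key)
        if flow is None:
            return None                    # never announced on the control link
        if self.pinned.setdefault(key, nat_src) != nat_src:
            return None                    # not the sender this port is pinned to
        return (flow.src6, flow.sport, flow.dst6, flow.dport, payload)

    def to_cgnat(self, proto, src6, sport, dst6, dport, payload):
        """IPv6 reply -> (our IPv4 source port, CGNAT destination, payload)."""
        for key, flow in self.by_port.items():
            reply = (flow.dst6, flow.dport, flow.src6, flow.sport)
            if key[0] == proto and reply == (src6, sport, dst6, dport) and key in self.pinned:
                return (key[1], self.pinned[key], payload)
        return None
```

The allocated port is the one field the CGNAT does not rewrite, so it is what lets the far end restore the original IPv6 addresses and ports without carrying them in every packet.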

What makes this even more clever is that you can do incoming new sessions as well. Obviously the IPv6 block being used has to be routed to the outside device. But simply carry the details of the new incoming connection over the TCP control link, and then have the NAT end start an outgoing session. Once established, that is used to carry the incoming packet and the outgoing reply packets. Yes, it could make for a slightly odd TCP handshake, and that may need slight messing, e.g. send the SYN and SYN/ACK over TCP control link, but create an outgoing SYN and SYN/ACK exchange over the CGNAT outgoing, setting up the payload sequence numbers to match what the ongoing packets will be using.

This could allow full IPv6 both ways over an IPv4 only CGNAT, and not only would it have no overhead, allowing full MTU, it would actually use 20 fewer bytes per packet after the first control packets, and so be 1.3% more efficient on the wire. Technically you would lose per packet flow labels, but not a lot else. Of course things other than TCP and UDP would be a challenge, but could simply be mapped to look like UDP on the IPv4 if needed.

Of course the same could be done for IPv4, not saving 20 bytes per packet, but basically un-mapping the CGNAT at each end.

A zero overhead tunnel could solve one of the classic IT/networking issues, "MTU".