<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DotBlag.Com &#187; Net.working</title>
	<atom:link href="http://www.dotblag.com/category/networking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dotblag.com</link>
	<description>Technical Trials And Errors</description>
	<lastBuildDate>Fri, 14 Oct 2011 23:07:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Why the US Government can&#8217;t, and shouldn&#8217;t, try to govern the Internet.</title>
		<link>http://www.dotblag.com/2011/02/16/why-the-us-government-cant-and-shouldnt-try-to-govern-the-internet/</link>
		<comments>http://www.dotblag.com/2011/02/16/why-the-us-government-cant-and-shouldnt-try-to-govern-the-internet/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 20:31:08 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[dev.urandom]]></category>
		<category><![CDATA[Net.working]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=226</guid>
		<description><![CDATA[There&#8217;s been an alarming amount of &#8220;cybersecurity&#8221; legislation here in the US lately, in the same fear-mongering, ill-advised tune that got us the entire DHS and the almost universally loathed TSA.  The problem, as I see it, is members of Congress trying to govern something that they firstly do not understand, and secondly, [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s been an alarming amount of &#8220;cybersecurity&#8221; legislation here in the US lately, in the same fear-mongering, ill-advised tune that got us the entire DHS and the almost universally loathed TSA.  The problem, as I see it, is members of Congress trying to govern something that they firstly do not understand, and secondly, are not a part of.  By and large the government (and even the public in general!) use the Internet, but did not build it, and do not understand it.  And really, aren&#8217;t even part of it.  Simply disconnecting a site, node, network, router, or anything, does not make it automatically safe.  And by the time any sort of government action comes down the &#8220;cybersecurity&#8221; pipeline to do that it&#8217;s probably too late, and will actually cause FAR more harm than good.</p>
<p>The Internet is its OWN governing body.  Within that entity there are many other parts and pieces: RIPE, ARIN, IETF, IANA, IAB, AfriNIC, APNIC, LACNIC, NANOG, the RFC Editor, the list goes on.  There are many entities that govern the Internet, or at least aspects of it.  If the US Government makes it harder for any of those entities, or their constituents (Verizon, Verio, Google, Yahoo, NTT, Level3, 360 Communications), to participate in the larger entity of the Internet, then they will leave, and US citizens will suffer, as we already do: ridiculously expensive Internet communications costs, and a lack of availability in some areas, for example.  It will be EXACTLY what happened with the US manufacturing industry; it is actually already starting to happen.</p>
<p>The Internet is not some single unit under the thumb of the US Government, it is an entity, in all reality a governing body, a nation, in and of itself with constituents in each and every nation, each and every district, city, county, state.  If the US Government tries to restrict the constituents of the Internet that live, work, and/or do business within its geopolitical boundaries, then those entities WILL suffer, and many will go elsewhere.  The Internet is fundamentally different from manufacturing in that in order to exist we have to work together.  My network, those of my neighbors, and so on.  My servers, your web browser, everything.  It is the nature of the beast.  And it will not exist under the control of external entities.  It simply can&#8217;t.</p>
<p>Most, if not all, canned security tests come down to what is often called security theater.  Security relies on a chain, and in some ways on layers, but it&#8217;s much more like a chain.  And the weakest link will be the break.  Take, for instance, the TJ Maxx debacle.  PCI DSS (Payment Card Industry Data Security Standard), or whatever Visa and the other card brands are calling it nowadays, is supposed to prevent this sort of thing.  Anyone in the industry will tell you almost all of its tests are meaningless security theater.  They do almost nothing to actually protect data.  PCI DSS has even been accused of making security worse because it often creates a false sense of security: you can only test for and look for KNOWN problems.  Security is a chain, and it is as weak as its weakest link.  PCI DSS and other similar tests can only ever adequately look at the very last link in the chain, or known weaknesses.</p>
<p>The tools, techniques, and ideas of physical security often do not translate to the digital world.  In physical security the attacker&#8217;s tools are crowbars, explosives, cutting tools, lockpicks, things like that.  They all require that the attacker physically move to the area to be attacked.  In the digital world the tools are the bit and the byte.  Infinitely simpler, but also infinitely more complex.  A security scanner can only look around the outside of the building, and check for things it knows to be insecure.  What it can&#8217;t, and often does not do, is even bother to check a majority of the NORMAL routes of ingress and egress.  Having a web server is like having an 8-lane highway into and out of your server.  ANYTHING can come or go over that, so protection at the border is NEVER enough.  You have to look at how every part handles the data that comes in, and goes out.  And even then you&#8217;re likely to only be able to look for things that are known to be problems; novel attacks often make use of what looks like innocuous or non-threatening avenues of approach, at least until they&#8217;re used against you.</p>
<p>It is, and really must be, the individual entity&#8217;s responsibility to actually ensure their security.  You can&#8217;t just drop a steel gate in front of the 8-lane highway either; they&#8217;ll find a way under or around it, or just bomb the whole damn thing into oblivion.  Obscuring or hiding security problems does NOT help on the Internet.  In order for others to be aware, and secure themselves, they have to be informed.  If you have no idea that that &#8220;pool of water&#8221; is actually highly acidic, or has a cloud of sulfur dioxide hanging around it, you might jump in, and then be dead, or at least badly injured.  Being informed is the only way.  You can certainly do things to help mitigate some risks, but in the end EDUCATION is the answer.  Organizations like <a href="http://sans.org/">SANS</a> that teach real world security and concepts are the way to improve &#8220;cybersecurity&#8221; &#8212; not legislation.  The US Government would do far more for &#8220;cybersecurity&#8221; by spreading around $500+ million to the likes of SANS than it could EVER hope to accomplish by any form of &#8220;kill switch&#8221;.</p>
<p>The ONLY thing the &#8220;kill switch&#8221; like legislation and &#8220;cybersecurity&#8221; legislation does is create a political knob that WILL be abused, intentionally, or by ignorance.  Take for instance <a href="http://torrentfreak.com/u-s-government-shuts-down-84000-websites-by-mistake-110216/">FreeDNS getting shut down</a> because some pencil pusher doesn&#8217;t know what a server is, much less DNS.  Tens of thousands of innocents were hurt by that one.</p>
<p>Hell honestly, the governments should be answering to the Internet as an entity/government/nation, NOT the other way around.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2011/02/16/why-the-us-government-cant-and-shouldnt-try-to-govern-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ASN.1, or how to make a binary protocol definition the easy way&#8230;</title>
		<link>http://www.dotblag.com/2010/08/09/asn-1-or-how-to-make-a-binary-protocol-definition-the-easy-way/</link>
		<comments>http://www.dotblag.com/2010/08/09/asn-1-or-how-to-make-a-binary-protocol-definition-the-easy-way/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 16:06:29 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[Net.working]]></category>
		<category><![CDATA[Soft.ware]]></category>
		<category><![CDATA[asn.1]]></category>
		<category><![CDATA[ber]]></category>
		<category><![CDATA[mhs]]></category>
		<category><![CDATA[protocol]]></category>
		<category><![CDATA[tlv]]></category>
		<category><![CDATA[x.400]]></category>
		<category><![CDATA[x.500]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=207</guid>
		<description><![CDATA[Most people aren&#8217;t familiar at all with ASN.1, and some that are have NO clue they&#8217;re looking at ASN.1 &#8211; SNMP MIBs are all written as ASN.1 definitions.  I&#8217;m embarking on a new project and need to define a client/server protocol.  I could build my own binary protocol, which I&#8217;ve done in the past.  I [...]]]></description>
			<content:encoded><![CDATA[<p>Most people aren&#8217;t familiar at all with ASN.1, and some that are have NO clue they&#8217;re looking at <a href="http://en.wikipedia.org/wiki/ASN.1">ASN.1</a> &#8211; <a href="http://en.wikipedia.org/wiki/SNMP">SNMP</a> MIBs are all written as ASN.1 definitions.  I&#8217;m embarking on a new project and need to define a client/server protocol.  I could build my own binary protocol, which I&#8217;ve done in the past.  I could also use XML, or some other text-based protocol, but for what this is it&#8217;s not really appropriate, and parsing XML is a royal bear.  There&#8217;s also the issue of XML just being flat out bulky.  Text-based protocols have similar issues for the server trying to parse them, but they&#8217;re not as bad as XML (though heh, HTTP is!)</p>
<p>So for some (many) systems binary protocols are what you want.  Lots of times this takes the shape of some form of basic <a href="http://en.wikipedia.org/wiki/Type-length-value">TLV</a> (Type, Length, Value) protocol.  This happens for many reasons, speed and simplicity usually being among them.  The problem with TLV protocols is that they&#8217;re hard to get to/from human-readable representations.  Furthermore, developing your own binary protocol means you have to develop your own clients from the ground up: encoders, decoders, the whole enchilada.  And you still have to specify your messages and such.</p>
<p>TLV also has the advantage of not needing to know all about all of the possible types of data in advance, or even necessarily how they&#8217;re supposed to be structured.  If you receive a Type you don&#8217;t understand you can skip over ALL the data involved for that type, emit an error, disconnect, whatever you need to do that&#8217;s appropriate.  Skipping only works safely if the Length is bounds-checked against the remaining buffer first; a decoder that trusts the Length of an unknown element and seeks past the end of its input is the classic TLV bug.  In some situations you&#8217;re going to ignore it, in others you need to let someone know, and in many situations an unrecognized type would indicate a lower-level error occurring, so your next step is to re-initiate the communications.</p>
<p>Enter ASN.1&#8230;  I am familiar with ASN.1 only through SNMP MIBs, which, most of the time, seemed to not work right, or at all.  After actually getting myself acquainted with ASN.1 itself I&#8217;ve realized that this is partly to blame on ASN.1 having had multiple revisions of the standard over the years, and partly the fault of the individual MIB authors and the overall complexity of the SNMP MIB.  Using ASN.1 itself, in your own environment, should work well, provided you stick with a given revision of the spec.  The ASN.1 standards also define <a href="http://en.wikipedia.org/wiki/Basic_Encoding_Rules">BER</a> (Basic Encoding Rules, in X.690) as well as other formats for representing data encoded by a given ASN.1 definition.  BER is a simple TLV format.  BER is easily parsed by, well, anything.  Embedded systems with limited memory can even deal with BER; heck, usually their protocols end up looking something like BER anyway.  BER needs to be carried in something a little higher order if it&#8217;s going to be subjected to corruption or packet loss though.  Something like, oh, say, TCP/IP or UDP/IP (gasp!)  This should come as no surprise since ASN.1 was originally designed to sit on the OSI stack above the session layer.</p>
<p>BER itself really only defines how the built-in types go on the wire: sets, sequences, integers, strings, things like that.  It&#8217;s up to the programmer to define the messages/data and their ordering and what they contain.  In other words, to give them actual context, and meaning.  ASN.1 lets you express the ordering and constraints on the data.  Your application still has to apply meaning to it, and should not assume the decoder enforced those constraints on its behalf.</p>
<p>So by using ASN.1 and freely available tools to compile ASN.1 specifications into encoders/decoders I can concentrate on writing the specifics of my protocol, and not have to worry about the over-the-wire bits.  Clients are also simpler to build because they can delegate all the lower-level plumbing to any ASN.1 decoder/encoder.  In this particular case the system will be restricted to BER, but it would be easy to change that later and allow for any of the other encoding forms as well.</p>
<p>Chances are, whatever platform, OS, or programming language you&#8217;re using, there&#8217;s an ASN.1 encoder/decoder.  And if there isn&#8217;t?  Well, you can probably leverage bits of some already written one to digest the ASN.1 specification into header files, or at least definitions of message types that your application can use.</p>
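<p>As an added example (this is not code from the original post, nor a tool the post names), here is a minimal BER TLV decoder in Python that does what the paragraphs above describe: it walks tag/length/value triples, recurses into constructed types like SEQUENCE, decodes INTEGER and OCTET STRING, and carries unknown tags through as raw bytes so they can be skipped.  The sample message is constructed for the demo and is not any real protocol.  The checks on the length field are the part to copy: every element&#8217;s declared length is tested against the enclosing buffer before a byte of it is read, and the indefinite-length form is refused.</p>

```python
# Added example: minimal BER (ITU-T X.690) TLV decoder.
# Not from the original post; the sample message below is constructed.

TAG_NAMES = {
    (0, 1): "BOOLEAN", (0, 2): "INTEGER", (0, 4): "OCTET STRING",
    (0, 5): "NULL", (0, 16): "SEQUENCE", (0, 17): "SET",
}
CLASS_NAMES = ["universal", "application", "context", "private"]


def decode_tag(buf, pos):
    """Read a BER identifier octet (plus high-tag-number continuation bytes).
    Returns ((class, constructed, number), next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    first = buf[pos]
    pos += 1
    cls, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:                      # high tag number: base-128, MSB = continue
        number = 0
        while True:
            if pos >= len(buf):
                raise ValueError("truncated high tag number")
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return (cls, constructed, number), pos


def decode_length(buf, pos):
    """Read a BER length: short form (< 0x80) or long form (0x8N then N
    big-endian bytes). The indefinite form (0x80) is refused because a
    decoder expecting definite lengths has no safe way to bound it."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length not accepted")
    nbytes = first & 0x7F
    if nbytes > 4:
        raise ValueError("length field too wide")
    if pos + nbytes > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def decode(buf, pos=0, end=None):
    """Decode every TLV in buf[pos:end] into a list of (name, value).
    Constructed elements recurse; unknown tags are kept as raw bytes, which
    is the 'skip the whole element' behaviour described in the post."""
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        (cls, constructed, number), pos = decode_tag(buf, pos)
        length, pos = decode_length(buf, pos)
        if pos + length > end:              # the bounds check that matters
            raise ValueError("value runs past end of enclosing element")
        value = buf[pos:pos + length]
        name = TAG_NAMES.get((cls, number), f"{CLASS_NAMES[cls]}[{number}]")
        if constructed:
            items.append((name, decode(buf, pos, pos + length)))
        elif name == "INTEGER":
            items.append((name, int.from_bytes(value, "big", signed=True)))
        elif name == "BOOLEAN":
            items.append((name, value != b"\x00"))
        elif name == "NULL":
            items.append((name, None))
        else:
            items.append((name, bytes(value)))
        pos += length
    return items


def encode_tlv(tag, value):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + value


def is_well_formed(buf):
    """True if buf parses completely without any length overrunning its parent."""
    try:
        decode(buf)
        return True
    except ValueError:
        return False


# Constructed sample (not a real protocol):
# SEQUENCE { INTEGER 1, OCTET STRING "hello", [0] three bytes we do not understand }
SAMPLE = encode_tlv(0x30, encode_tlv(0x02, b"\x01")
                    + encode_tlv(0x04, b"hello")
                    + encode_tlv(0x80, b"\xaa\xbb\xcc"))

# Hostile sample: the inner INTEGER claims 16 bytes inside a 3-byte SEQUENCE.
TRUNCATED = bytes.fromhex("30 03 02 10 01")

if __name__ == "__main__":
    print(decode(SAMPLE))
    print(is_well_formed(TRUNCATED))
```

<p>Feed it an X.509 certificate or an SNMP packet and it will walk the outer structure; the unknown-tag branch is where a protocol-specific decoder would dispatch on context tags, and the two ValueError paths are what a fuzzer will hit first on a decoder that lacks them.</p>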
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2010/08/09/asn-1-or-how-to-make-a-binary-protocol-definition-the-easy-way/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>So close to exhaustion!</title>
		<link>http://www.dotblag.com/2010/04/16/so-close-to-exhaustion/</link>
		<comments>http://www.dotblag.com/2010/04/16/so-close-to-exhaustion/#comments</comments>
		<pubDate>Sat, 17 Apr 2010 04:09:33 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[dev.urandom]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[IPv4]]></category>
		<category><![CDATA[IPv6]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=186</guid>
		<description><![CDATA[No, I&#8217;m not talking about physical exhaustion&#8230;.I&#8217;m talking about IPv4 address space!  IPv4 (32-bit addressing) has been on the &#8216;endangered species&#8217; list for a long time now.  And almost everyone agrees we&#8217;ve got until about 2011 or maybe 2012 (depending on where you live) before there will be NO more free IPv4 addresses.  IPv6 (128-bit [...]]]></description>
			<content:encoded><![CDATA[<p>No, I&#8217;m not talking about physical exhaustion&#8230; I&#8217;m talking about <a href="http://en.wikipedia.org/wiki/IPv4">IPv4 address space</a>!  <a href="http://en.wikipedia.org/wiki/IPv4">IPv4 (32-bit addressing)</a> has been on the &#8216;endangered species&#8217; list for a long time now.  And almost everyone agrees we&#8217;ve got until about 2011 or maybe 2012 (depending on where you live) before there will be NO more free IPv4 addresses.  <a href="http://en.wikipedia.org/wiki/IPv6">IPv6 (128-bit addressing)</a> has been developed, but <a href="http://en.wikipedia.org/wiki/Internet_service_provider">ISP</a>s (like my <a href="http://bresnan.net/">local cable modem ISP</a>) have been slow to non-existent in adopting it.  Content providers too, and even a few major network service providers (read &#8220;tier 1 ISPs&#8221;) don&#8217;t yet offer IPv6. Don&#8217;t believe me?  <a href="http://www.potaroo.net/tools/ipv4/">Take a look at what some other very smart people have done (with math!)</a></p>
<p>The Internet is still very much growing, and IP addresses are a part of that.  Each IP address uniquely identifies an end point.  We got around IPv4 exhaustion for a while by using NAT.  But there are still hundreds of new websites and other types of services that require unique IPs showing up every day.</p>
<p>It&#8217;ll be interesting when the runout actually occurs, because it&#8217;s likely to affect smaller businesses, NSPs, ISPs, and web hosts first.  Customers will be the last to be affected because they honestly don&#8217;t understand.</p>
<p>Another issue slowing deployment is a lack of <a href="http://en.wikipedia.org/wiki/Customer-premises_equipment">CPE (Customer Premises Equipment)</a> that supports IPv6.  CPE is your <a href="http://linksys.com/">Linksys</a> (now part of Cisco), <a href="http://netgear.com">NETGEAR</a>, <a href="http://www.dlink.com">D-Link</a>, <a href="http://cisco.com">Cisco</a>, <a href="http://zyxel.com">ZyXEL</a>, or whatever &#8220;router&#8221; &#8212; it&#8217;s your link to your ISP, and to the Internet at large.  And if your CPE doesn&#8217;t do IPv6, you can&#8217;t either.  At least not without slow and unreliable hackery.</p>
<p>So let&#8217;s hope ISPs get on the ball, and SOON.  I am tempted to call mine this week just to see how much I can confuse their techs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2010/04/16/so-close-to-exhaustion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pogoplug[ged]</title>
		<link>http://www.dotblag.com/2010/02/15/pogoplugged/</link>
		<comments>http://www.dotblag.com/2010/02/15/pogoplugged/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 21:45:24 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Hardware]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[Speed.Demon]]></category>
		<category><![CDATA[ARM9]]></category>
		<category><![CDATA[cifs]]></category>
		<category><![CDATA[feroceon]]></category>
		<category><![CDATA[hfs+]]></category>
		<category><![CDATA[JTAG]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[marvell]]></category>
		<category><![CDATA[ntfs]]></category>
		<category><![CDATA[orion]]></category>
		<category><![CDATA[osx]]></category>
		<category><![CDATA[pogoplug]]></category>
		<category><![CDATA[samba]]></category>
		<category><![CDATA[smb]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=169</guid>
		<description><![CDATA[So I recently bought a Pogoplug device, sort of on a whim.  I needed a NAS device, and the fact that the Pogoplug had HFS+ (OS X filesystem) support made it a clear winner for me.  I&#8217;ve been living with mine for about a week now, mostly with a single 320GB HFS+ formatted drive.  The $130 device [...]]]></description>
			<content:encoded><![CDATA[<p>So I recently bought a <a href="http://pogoplug.com">Pogoplug</a> device, sort of on a whim.  I needed a <a href="http://en.wikipedia.org/wiki/Network-attached_storage">NAS</a> device, and the fact that the Pogoplug had HFS+ (OS X filesystem) support made it a clear winner for me.  I&#8217;ve been living with mine for about a week now, mostly with a single 320GB HFS+ formatted drive.  The $130 device runs <a href="http://kernel.org">Linux</a>, is supported as open (they give you the default root login and password on their site; since that password is public, change it the first time you SSH in) and sports 256MB of RAM, 32MB of flash for the OS/on-board software, and what I&#8217;m pretty sure is a 1.2GHz variant of the <a href="http://www.arm.com/products/processors/classic/arm9/arm926.php">ARM926EJ-S</a> in the form of a <a href="http://www.marvell.com/products/processors/embedded/kirkwood/HW_88F6281_OpenSource.pdf">Marvell 88F6281 SoC (Kirkwood family, Feroceon core)</a>.  You have 4x USB 2.0 ports hanging off of the SoC&#8217;s <a href="http://en.wikipedia.org/wiki/EHCI">EHCI</a> controller giving you four directly connected ports; you can also connect USB 2.0 hubs for more.  Ethernet connectivity is provided by the SoC&#8217;s integrated Gig-E.  All of this hardware puts it in the same category as many more expensive devices, without any mind-burning, annoying-as-all-heck blue LEDs either.</p>
<p><a href="http://cloudengines.com">CloudEngines</a> saw fit to include relatively robust filesystem support sporting <a href="http://en.wikipedia.org/wiki/HFS_Plus">HFS+</a> and <a href="http://en.wikipedia.org/wiki/NTFS">NTFS</a> as well as the usual <a href="http://en.wikipedia.org/wiki/Ext3">ext2/3</a> and <a href="http://en.wikipedia.org/wiki/File_Allocation_Table">FAT/FAT32/VFAT</a>.  HFS+ is provided by custom kernel modules that work better than their cousins integrated into the Linux kernel (I&#8217;ve had some experience with them).  I haven&#8217;t yet tested the NTFS support.</p>
<p>The really unique thing about the Pogoplug is that it is completely integrated with the Internet.  <a href="http://pogoplug.com/dev/web.html">The API</a> system allows you to write your own scripts, or use others&#8217;.  You can even cross-compile and run binaries on the Pogoplug itself.  Setup was easier than anything I&#8217;ve ever used of this nature. I plugged my device in, and went to the Pogoplug site.  I created a login, it quickly identified my Pogoplug device (I assume the Pogoplug called home and it saw us both coming from the same IP; if that is indeed the pairing check, anyone else behind the same NAT could claim an unclaimed device, so pair it right away) and I was able to immediately use the WebUI to upload and download files.  They don&#8217;t support <a href="http://en.wikipedia.org/wiki/CIFS">SMB/CIFS</a>, but they have OS-level drivers for Windows, OS X, and Linux readily available.  I&#8217;ve only tried the OS X and Win64 (Windows 7) drivers and they work very well.  Honestly, since they seem to be fully supporting multiple OSes, and SMB/CIFS is so complicated and slow, I don&#8217;t feel like this is much of a minus.  It does limit native support to &#8220;Supported&#8221; OSes for now unless the WebUI/API access fits for you.  I don&#8217;t know what their product roadmap is, but I did find a (broken) symlink/mention of Samba within the device itself, and those users that are on other OSes and *really* want CIFS can cross-compile and install/run their own <a href="http://samba.org/">Samba</a> binaries.</p>
<p>The native clients I&#8217;ve tested under Windows 7 and OS X 10.6 (<a href="http://apple.com/snowleopard">Snow Leopard</a>) seem to perform well and bug-free.  I&#8217;ll be pushing them a bit harder in the coming days to see what happens.  So far though I&#8217;ve had no issues.  The native clients can be set to multiple-drive or single-drive mode.  The Windows client defaults to single-drive mode with all of your connected drives showing up as P:\&lt;Device Name&gt;.  The OS X (and I assume Linux) clients default to multiple-drive mode with all of your connected drives showing up as separately mounted volumes.</p>
<p>You also can not initialize (format) a drive from the Pogoplug.  So you have to format your removable devices with a PC/Mac first.  This is rather minor, since if you have this device then you have a machine, and the drives are removable by nature.</p>
<p>Performance is also very good, thanks in no small part to the speedy embedded Marvell SoC; the Ethernet controller also has <a href="http://en.wikipedia.org/wiki/TCP_segmentation_offloading">TSO</a> and receive and transmit checksum offloading (often lumped in with <a href="http://en.wikipedia.org/wiki/TCP_Offload_Engine">TOE</a>), which helps keep the CPU free from a lot of overhead.  These offload features are common in higher-end servers and many &#8216;gaming&#8217; Ethernet adapters.  Having a 1.2GHz CPU and these helpful hardware offload engines means that the CPU doesn&#8217;t work too hard and the performance will generally be limited by the RAM speeds.  To get the full LAN performance you do need to install the native clients.  The unit may be a little slow when you first start it as it indexes your files for searching and generates thumbnails and video previews.  That indexing enables one of the more interesting features, search.</p>
<p>You can search all of your Pogoplug drives relatively easily from the WebUI, I haven&#8217;t toyed with this much yet but on the drive after you mount it the Pogoplug software creates a .ceid file that includes the name of the device and the version of the metadata, and a .cedata directory holding an <a href="http://www.sqlite.org/">SQLite 3</a> database file for indexed information and directories for the generated thumbnails and video previews.</p>
<p>The Pogoplug also &#8216;integrates&#8217; with <a href="http://facebook.com">Facebook</a>, <a href="http://myspace.com">MySpace </a>and <a href="http://twitter.com">Twitter</a>.  The Twitter support is definitely buggy, I was able to authenticate to it for one drive but not for another, and after signing out I have been unable to authenticate again.  Once setup you can &#8216;share&#8217; a folder to these services and the unit will post updates whenever the folders are changed.  The update includes a (public) link to the folder&#8217;s contents.  Users can then download the data.  However the data is pushed directly from your Pogoplug so you must be connected via broadband.</p>
<p>On the hardware side inside the case there&#8217;s <a href="http://www.pogoplugged.com/forum/thread/12366/Pins-for-the-two-connectors-on-the-v2-Pink-board">documented JTAG and Serial Port</a>.  What does this mean?  Well if you&#8217;re asking then it won&#8217;t matter to you.  <img src='http://www.dotblag.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />   Basically it means that with a <a href="http://en.wikipedia.org/wiki/JTAG">JTAG</a> dongle and a 3.3v FTDI to USB serial adapter you have a $130 ARM9 dev kit, not bad at all.</p>
<p>I haven&#8217;t (yet) opened mine&#8230;I may yet buy another to do just that.  The Orion/Feroceon has a <a href="http://en.wikipedia.org/wiki/SATA">SATA</a> controller that&#8217;s turned off (and quite possibly not even pinned out) on this board.  It also has a second Gig-E MAC thats likewise not available.  The CloudEngines/Pogoplug Engineers do read their forums, and seem to be (refreshingly!) helpful to those people who ask specific questions about the hardware and essentially how to use it as a dev platform, de-<a href="http://en.wikipedia.org/wiki/Brick_%28electronics%29">brick</a> it, etc.  Being so helpful as to even link to DigiKey Parts for the mating connectors to the JTAG/Serial ports.</p>
<p>There are some chinks.  It has a NEON PINK &#8220;foot&#8221;.  The device has no &#8216;shutdown&#8217; command (either via WebUI or SSH, or anything) so you can&#8217;t cleanly shut down the unit; you have to manually eject via the WebUI.  Unplugging the device, at least with HFS+, can cause the filesystem to come up read-only with no way to fix it from the Pogoplug short of ejecting the device and manually running the included chkhfs utility.  Even that may not work since the utility is based off hfsprogs, which aren&#8217;t very good.  It will claim errors, not tell you what they are, and refuse to fix them.  Moral: either eject before you unplug the Pogoplug, or use other, better supported, filesystems.  I also have no clue what happens to the device when it loses Internet connectivity.  It may turn into a pretty pink and white brick, I don&#8217;t know; that&#8217;s one of the only things that actually worries me so far. I&#8217;ll be toying with that in coming days and make an updated post time permitting.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2010/02/15/pogoplugged/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An attempt to explain IPv6 and IP Routing to the layperson</title>
		<link>http://www.dotblag.com/2010/01/05/an-attempt-to-explain-ipv6-to-the-layperson/</link>
		<comments>http://www.dotblag.com/2010/01/05/an-attempt-to-explain-ipv6-to-the-layperson/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 22:35:53 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Hardware]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[Soft.ware]]></category>
		<category><![CDATA[IPv4]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[routing]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=161</guid>
		<description><![CDATA[Me again, yup.  Been a while eh?  Well, I&#8217;ve been busy.  Rebuilding a pretty big site essentially from scratch.  Trust me, I have plenty of things to rant about!  This post though I hope to be another informative, less ranting, post about IPv6. I keep seeing a LOT of well-meaning but misinformed or misunderstood [...]]]></description>
			<content:encoded><![CDATA[<p>Me again, yup.  Been a while eh?  Well, I&#8217;ve been busy.  Rebuilding a pretty big site essentially from scratch.  Trust me, I have plenty of things to rant about!  This post though I hope to be another informative, less ranting, post about IPv6.</p>
<p>I keep seeing a LOT of well-meaning but misinformed or misunderstood claims about IPv6, even in technical circles.  What I am going to try to address here, though, is the everyday person&#8217;s point of view.  What it is, why we need it, what it fixes, why it&#8217;s hard to deploy/make available, what it (may) mean for an individual user.</p>
<p>The article here was sparked by <a href="http://io9.com/5440087/will-the-internet-run-out-of-space-in-the-next-4-years">io9&#8217;s article</a>.</p>
<h1>What Is IPv6?</h1>
<p>Well, simply put, it is Internet 2.0 or Web 2.0, despite what you may have heard from the media.  IPv6 is short for Internet Protocol Version 6.  We currently use IPv4. IPv6 has a truly massive number of addresses (really, it doesn&#8217;t relate in simple terms).  IPv4 has around 4 billion addresses, of which about 3 billion are usable.  IPv6, though, is big enough to give every person on the earth, every device, every item, its own group of, say, a million addresses, and still have many trillions left over.</p>
<h1>Why is IPv6 the Real Web 2.0?</h1>
<p>AKA: why is it so hard to get IPv6 out there?</p>
<p>Because it requires touching and replacing or modifying every router, every piece of software, every device, in order to support it.  Your web browser, your operating system (Windows, Linux, OS/X), your Internet router/gateway (which a LOT of people confuse between ethernet switches and these things), your wireless access points, your ISPs equipment, your TiVo, your smart phone, everything.  This is also why it&#8217;s so very hard to get out there.</p>
<p>Now the tech heads and geniuses out there responsible for this have developed a number of ways to assist this migration to IPv6.  To allow IPv4 and IPv6 to sort of talk to each other.  They can easily exist together, but talking to each other is another matter entirely.  These methods are not perfect, they suck actually.  From the IPv4 side, it&#8217;s like sending a letter addressed to a city rather than a person.  For IPv6 it&#8217;s easier, in fact, there&#8217;s a block of IPv6 addresses (these blocks of addresses are called a prefix, like an area code, so I&#8217;ll use the term prefix from here on out) that are set aside to map directly to the old IPv4 addresses.  That&#8217;s how big the address space in IPv6 is!  Whats the number?  OK you REALLY sure you want to know?  Fine.  2<sup>128</sup> &#8212; Two to the power of 128.  That&#8217;s in scientific notation 3.4*10<sup>38</sup> or a 34 followed by 38 zeroes (rounded).  How big is that? Every single dollar bill of the American national debt could be individually numbered.  And we&#8217;d still have a LOT of space left over.  Heck we could give out a Trillion addresses to every person, device, or object on the planet, and still be likely to have leftovers.  <a href="http://www.tcpipguide.com/">The TCP/IP Guide</a> has <a href="http://www.tcpipguide.com/free/t_IPv6AddressSizeandAddressSpace-2.htm">a Section On IPv6 Address Space Size</a></p>
<p>IPv4 addresses are everywhere.  Dotted quads, we call them.  4.2.2.1 &#8212; 127.0.0.1 &#8230; etc.  Largely people are ignorant of them, and they damn well should be.  Numbers are for computers.  Humans name things, computers number them, and computers are REALLY good at translating and mapping between the two.  DNS is the protocol that does this.  And it has been so successful that the vast majority of Internet users have no clue whatsoever that IP addresses (v4 or v6 or otherwise) even exist!  DNS itself needed to be revamped as a protocol in order to support IPv6 (a new AAAA record type to hold the 128-bit addresses, and a reverse-lookup tree under ip6.arpa), and it largely has been.  Then it has to be redeployed too, globally, and the DNS servers themselves have to be reachable over IPv6.  This is taking place bit by bit.</p>
<p>E-mail.  Every mail server has an IP address (or more than one, in many cases).  It receives connections on that address from other mail servers and mail clients asking it to receive mail for, or send mail to, a given email address (user at domain).  Then there is the spam filtering software, and the anti-virus software, sitting alongside it.</p>
<p>All of this stuff is on the list of things that need to be modified, or replaced for IPv6 support. The list is huge.</p>
<h1>Why Do We Need IPv6?</h1>
<p>We&#8217;re running out of IPv4 addresses.  No one in the beginning could possibly imagine that there would be such a huge number of devices connected to the Internet.  Now almost every phone, game console, and electronic device has some form of Internet connectivity.  That doesn&#8217;t necessarily mean each of these devices needs a globally unique address, but it makes things easier, faster, more reliable, and cheaper if each device has one.  The reason is that if you use NAT (nearly every home does), your private address has to be mapped to a public one at some point.  The NAT device has to keep track of each and every connection from each and every device that it&#8217;s performing this mapping for, for as long as that connection lives.  Worse, some protocols put IP addresses inside of their data, and so the NAT has to know about these protocols, identify them, and modify the information inside the packets for these protocols!  (FTP is one such protocol; HTTP is not.)</p>
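<p>To make the NAT bookkeeping concrete, here is an added example (mine, not part of the original post): a toy port-overloading NAT in Python that keeps the per-connection table described above, drops an inbound packet it has no state for, and does the FTP-specific rewriting of a PORT command that HTTP never needs.  Every address and port in it is made up (192.168.1.20 inside, 203.0.113.10 and 198.51.100.5 outside, all from private or documentation ranges), and the class and method names are my own.</p>

```python
import re

# Added illustration, not code from the post: a toy port-overloading NAT
# (NAPT) plus the FTP "application-level gateway" work the paragraph above
# describes.  All addresses and ports are constructed (RFC 1918 inside,
# RFC 5737 documentation space outside).
PUBLIC_IP = "203.0.113.10"
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class NAT:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (proto, priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # (proto, public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.expected = {}   # (proto, public port) -> (priv_ip, priv_port), opened by an ALG

    def _alloc_port(self):
        port = self.next_port
        self.next_port += 1
        return port

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound 5-tuple, creating the per-connection state the
        NAT has to remember for as long as the connection lives."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub = self._alloc_port()
            self.outbound[key] = pub
            self.inbound[(proto, pub, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key])

    def translate_in(self, proto, src_ip, src_port, dst_port):
        """Map an inbound packet back to the private host.  With no matching
        state (and no ALG pinhole) there is nowhere to send it: None = drop."""
        hit = self.inbound.get((proto, dst_port, src_ip, src_port))
        if hit is None:
            hit = self.expected.get((proto, dst_port))
        return hit

    def ftp_alg(self, payload, priv_ip):
        """FTP active mode: the client puts its *own* address and a port inside
        the PORT command, so the NAT must parse the payload, swap in its public
        address, and pre-open a mapping for the server's data connection."""
        m = PORT_CMD.match(payload)
        if not m:
            return payload
        h = [int(x) for x in m.groups()]
        inner_ip, inner_port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        if inner_ip != priv_ip:            # not this host's address: leave it alone
            return payload
        pub = self._alloc_port()
        self.expected[("tcp", pub)] = (priv_ip, inner_port)
        octets = self.public_ip.replace(".", ",").encode()
        return b"PORT %s,%d,%d\r\n" % (octets, pub // 256, pub % 256)


def demo():
    """Walk one web connection and one active-FTP PORT command through the NAT."""
    nat = NAT()
    public = nat.translate_out("tcp", "192.168.1.20", 51000, "198.51.100.5", 80)
    reply = nat.translate_in("tcp", "198.51.100.5", 80, public[1])
    stray = nat.translate_in("tcp", "198.51.100.5", 80, 9999)        # no state: dropped
    rewritten = nat.ftp_alg(b"PORT 192,168,1,20,200,10\r\n", "192.168.1.20")
    # 40001 is the port the ALG just allocated; the FTP server connects back to it.
    data_conn = nat.translate_in("tcp", "198.51.100.5", 20, 40001)
    return public, reply, stray, rewritten, data_conn


if __name__ == "__main__":
    for item in demo():
        print(item)
```

<p>Run it and you get the public 5-tuple for the web request, the reverse mapping for the reply, None for the stray packet, and a PORT command now carrying 203.0.113.10 and a port the NAT chose; every one of those entries is state the box has to hold, which is the cost the paragraph above is talking about.</p>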
<h1>Well why not reuse all those &#8220;Web 1.0&#8221; addresses?</h1>
<p>IPv4 is &#8220;Web 1.0.&#8221;  The media gave us all that term, and most people have no idea what it means.  <a href="http://en.wikipedia.org/wiki/Web_2.0">Web 2.0</a> (go ahead and look, we&#8217;ll wait here) really only describes a bunch of web browser, JavaScript, and HTML technologies and says nothing about the actual core guts of the internet: <a href="http://en.wikipedia.org/wiki/Internet_Protocol">IP</a>, <a href="http://en.wikipedia.org/wiki/Domain_Name_System">DNS</a>, <a href="http://en.wikipedia.org/wiki/BGP">BGP</a> (this is the ISP to ISP route sharing protocol &#8212; every ISP &#8220;core&#8221; router HAS to speak this to other ISPs), <a href="http://en.wikipedia.org/wiki/Open_Shortest_Path_First">OSPF</a> (this is one of a number of ISP internal route sharing protocols), <a href="http://en.wikipedia.org/wiki/MPLS">MPLS</a>.  Nor does it say anything about a lot of other core internet protocols like <a href="http://en.wikipedia.org/wiki/HTTP">HTTP</a>, <a href="http://en.wikipedia.org/wiki/SMTP">SMTP</a>, <a href="http://en.wikipedia.org/wiki/IMAP">IMAP</a>, etc.</p>
<h1>So wow I will get my own unique addresses?!</h1>
<p>No, not likely.  This is because of the way that &#8220;core routers&#8221; (there&#8217;s no such thing, by the way, which I will try to address in a moment) have to keep track of each unique destination.  Right now, and for the foreseeable future with both IPv6 and IPv4, the way this works is that an ISP gets a BIG block of addresses (BIG being relative in the terms of IPv4 or IPv6 &#8212; with IPv6 they get a LOT more space&#8230; enough in fact to have an IPv6 address within their own network for each IPv4 address and still have a billion left)&#8230; So they tell the other ISPs they&#8217;re connected to about that one big block, not about individual customers or devices.  They say to their neighbor &#8220;I can deliver packets to addresses beginning with 127.0, pass it along.&#8221;  Another ISP might have 127.1, another might have 127.2.0-15, etc.  (Made-up numbers for the sake of the example; in real life 127.x.x.x is reserved for loopback and is never routed between ISPs.)  IPv6 does the same thing.  IPv6 addresses are just so much longer I&#8217;m not using them in this example.  The neighbors only know about and remember the big block of addresses, not the individual addresses or smaller blocks given to individual customers.</p>
<p>Now within an ISP they keep track of many more, much smaller blocks of addresses, maybe even down to individual addresses.  Inside an ISP a similar trading of information on what addresses are served by which of their routers happens (no, this does NOT happen with the average end user!).  The difference here is that since they&#8217;re all internal addresses, and a router notices when two or more addresses or blocks occur contiguously, they are often aggregated into a single larger block.  Think of it like this.  Router A is connected to B, C, D and E; E is connected to F and G.  F has 1 and 2, and G has 3 and 4.  E knows this, so instead of telling A about 1 2 3 4 (and A further telling B, C and D about 1 2 3 4) it just tells A 1-4.  Imagine this for a few hundred, and you can see the savings.  Instead of passing along each individual number it just tells it a range of numbers.  There are restrictions on how these ranges are made up (for the geeks out there: a range has to be a power of two in size and aligned to that size, which is exactly what a CIDR prefix is), but that&#8217;s the basic idea.</p>
<p>Wait, what&#8217;s so different about inside an ISP versus outside?!  &#8212; simple, inside the ISP they know the adjacent addresses STAY adjacent and are inside the same entity, themselves.  Out in the bigger internet you can&#8217;t do that.  You might own 1 and 2, but someone else is 3 and 4.  And you don&#8217;t want packets for 3 and 4 arriving at your doorstep, now do ya?  Well, that&#8217;s what would happen if the big ISPs aggregated routes together like that, because once a route is aggregated it loses its own unique identity.</p>
<p>What&#8217;s so wrong with having lots of routes then?  Two things: memory and speed.  Memory is finite.  And the memory used in big &#8220;core routers&#8221; is far more expensive (and far faster too) than your desktop or laptop memory.  Speed is the other reason.  Big routers have less than a microsecond to decide where a packet is supposed to be going, and do something about it.  They make a huge number of these decisions in parallel too, and each of these decisions has to reference some part of the database of what-goes-where (the forwarding table) that the router has built up for itself based on who it&#8217;s connected to, and what they say they are connected to.</p>
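<p>Here is the aggregation idea, and the reason it is dangerous between different owners, as an added worked example in Python (mine, not from the original post).  The prefixes are made up (10.0.0.0/22 and 2001:db8::/47 carved up into the 1-2-3-4 of the story above) and the function names are my own; aggregate() merges neighbouring prefixes that sit on a bit boundary, the way E can summarise F and G for A, and lookup() is the longest-prefix match a router actually does when it decides where a packet goes.</p>

```python
import ipaddress

# Added illustration, not code from the post.  Prefixes below are constructed
# (10.0.0.0/8 private space and the 2001:db8::/32 documentation range); the
# algorithm itself is the real one and works for IPv4 and IPv6 alike.


def aggregate(prefixes):
    """Summarise a set of prefixes the way a router can inside one ISP: drop
    anything already covered by a bigger prefix, then merge pairs of neighbours
    that sit on a bit boundary (two /24s become a /23, two /23s a /22, ...)
    until nothing more collapses.  Call it with one address family at a time."""
    nets = {ipaddress.ip_network(p) for p in prefixes}
    nets = {n for n in nets
            if not any(o != n and o.version == n.version and n.subnet_of(o) for o in nets)}
    merged = True
    while merged:
        merged = False
        for n in sorted(nets, key=lambda x: -x.prefixlen):   # most specific first
            if n.prefixlen == 0:
                continue
            parent = n.supernet()                               # one bit shorter
            sibling = next(s for s in parent.subnets() if s != n)
            if sibling in nets:                                 # both halves present
                nets -= {n, sibling}
                nets.add(parent)
                merged = True
                break
    return sorted(nets, key=lambda x: (int(x.network_address), x.prefixlen))


def lookup(table, dst):
    """Longest-prefix match, which is what a forwarding lookup really is: of
    every route that covers the destination, the most specific one wins.
    `table` maps a prefix string to whoever announced it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, owner in table.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, owner)
    return None if best is None else best[1]


def demo():
    # Inside one ISP: router E's children hold four /24s (plus a /25 that is
    # already inside one of them).  E can tell A about a single /22.
    internal = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.1.128/25"]
    summary = [str(n) for n in aggregate(internal)]
    v6 = [str(n) for n in aggregate(["2001:db8::/48", "2001:db8:1::/48"])]

    # Out on the Internet: "us" owns 10.0.0.0/23 and "them" owns the adjacent
    # /23.  If we lazily announce the whole /22 anyway, all is well only while
    # their more specific route is present...
    overaggregated = {"10.0.0.0/22": "us", "10.0.2.0/23": "them"}
    while_up = lookup(overaggregated, "10.0.2.5")
    # ...and the moment they withdraw it (outage, maintenance), their packets
    # arrive at our door.
    after_withdraw = lookup({"10.0.0.0/22": "us"}, "10.0.2.5")
    return summary, v6, while_up, after_withdraw


if __name__ == "__main__":
    print(demo())
```

<p>The first two results are the savings (five internal routes become one, two IPv6 /48s become a /47); the last two are the trap: the over-wide /22 is harmless exactly as long as the other owner&#8217;s /23 is in the table, and silently swallows their traffic the moment it isn&#8217;t.</p>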
<h1>Earlier you said there&#8217;s no such thing as a &#8220;core router&#8221;?</h1>
<p>Indeed I did.  For this discussion, you don&#8217;t have a router.  Indeed, we at ISPs call what you have CPE, Customer Premises Equipment, or an End User Gateway Device.  They&#8217;re meant to connect one machine, or a very small number of machines (4-5 at most, typically), to the ISP&#8217;s router and from there to the internet at large.</p>
<p>The internet is a bit more like a web.  A cobweb.  Lots of different parts connected in lots of different ways.  You as an end user are only connected at one point, to your ISP via your cable modem, DSL line, satellite, smart phone, or, old fashioned dial up modem.  Your ISP, if it&#8217;s a small local ISP, will be connected to 2 or more (usually at least 3 or 4) larger ISPs, and possibly some other small local ISPs or local business customers that have their own routers.  Each of these routers tells the others who it&#8217;s connected to.  As connections between ISPs are made, and broken, this changes.  Each of these changes ripples through the internet, so when an ISP in say Missoula, MT disconnects from another ISP here in Montana that has been telling everyone it&#8217;s connected to that it is connected to that ISP, every big ISP knows in seconds, and every small ISP some seconds after that.  So what just happened in Missoula, MT is known in Beijing, China in very short order.</p>
<p>This is also another reason why individuals can&#8217;t have unique addresses that move between ISPs.  You may not move from one ISP&#8217;s territory to another very often, but there are billions of people out there.  Imagine now that those updates too have to be propagated and stored.  Starting to see the problem?</p>
<p>Larger businesses with dozens or hundreds of workstations, or on site servers, or other special high reliability requirements connect to ISPs in much the same way as ISPs connect to each other; they just don&#8217;t say to ISP B &#8220;hey, I am connected to ISP A so you can reach ISP A through me,&#8221; but they do tell both A and B that they have the addresses 6, 7 and 8, say.  This is called <a href="http://www.tcpipguide.com/free/t_NumberofIPAddressesandMultihoming.htm">multihoming</a>.  Why?  Well, think of an ISP as a &#8220;home&#8221; for an address.  Your address exists at multiple &#8220;homes&#8221; when you connect with multiple ISPs and advertise to each of them your block of addresses.  There&#8217;s an intentional barrier to entry here because ISPs do not want, and cannot support, an unlimited number of these connections, because each of these connections requires the Internet as a whole to see and remember the unique block of addresses assigned to that business.  And whenever that business disconnects (say they&#8217;re upgrading their network or have a long lasting power outage) from one ISP or the other, the whole Internet hears about it; each router tells all its neighbors about that change in connectivity.</p>
<p>There&#8217;s a LOT of research going on into better ways of dealing with the global routing table (that&#8217;s what it&#8217;s called&#8230; but there really isn&#8217;t one table, it&#8217;s more like each router has its own idea or ideas of what the routing table looks like right *now*, and if you wait even half a second, it&#8217;s going to change, probably several times) but no one has found a silver bullet yet.  And even if/when they do, there&#8217;s still the same problem we have with IPv6: all the ISPs have to adopt and deploy it, everywhere.</p>
<p>If there&#8217;s interest I&#8217;ll go into TCP/IP, UDP/IP, DNS, and BGP/OSPF/Routing in a separate article (or articles).  How a connection is established, what NAT is, what a Firewall is/does and why NAT and firewalling are different, and why routing is different than those two.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2010/01/05/an-attempt-to-explain-ipv6-to-the-layperson/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 7 Airport/Time Capsule Disks</title>
		<link>http://www.dotblag.com/2009/06/07/windows-7-airporttime-capsule-disks/</link>
		<comments>http://www.dotblag.com/2009/06/07/windows-7-airporttime-capsule-disks/#comments</comments>
		<pubDate>Sun, 07 Jun 2009 19:08:24 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Fail]]></category>
		<category><![CDATA[.Splat]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[airport]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[time capsule]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=98</guid>
		<description><![CDATA[Yup, it&#8217;s SysOp here. I know, it&#8217;s been a while but I&#8217;ve been busy and there have been a lot of changes. On with the post though! Well I made the leap to Windows 7 after having to buy a new laptop (long story short the desktop is dead). Upon upgrading to Win7 RC1, as [...]]]></description>
			<content:encoded><![CDATA[<p>Yup, it&#8217;s SysOp here.  I know, it&#8217;s been a while but I&#8217;ve been busy and there have been a lot of changes. On with the post though!</p>
<p>Well I made the leap to <a href="http://www.microsoft.com/windows/windows-7/default.aspx">Windows 7</a> after having to buy a new laptop (long story short the desktop is dead).  Upon upgrading to <a href="http://www.microsoft.com/windows/windows-7/download.aspx">Win7 RC1</a>, as the laptop came with <a href="http://www.microsoft.com/windows/windows-vista/default.aspx">Vista</a>, my <a href="http://www.apple.com/timecapsule/">Time Capsule</a> disks stopped working with a mysterious username/password error number 86.  I never was able to find out what the hell that meant, but I made an educated guess that <a href="http://microsoft.com/">Microsoft</a> had disabled some of the old password standards, say NTLM maybe.</p>
<p>That turns out to be the case.  These same instructions may also get other old SMB/CIFS servers talking to <a href="http://www.microsoft.com/windows/windows-vista/default.aspx">Vista </a>and <a href="http://www.microsoft.com/windows/windows-7/default.aspx">Win7</a>.  <a href="http://www.microsoft.com/windows/windows-xp/default.aspx">Windows XP</a> and <a href="http://technet.microsoft.com/en-us/windowsserver/2000/default.aspx">Windows 2000</a> themselves do understand NTLMv2 responses, though, so look for another cause before lowering the level on their account.</p>
<p>Open the Local Security Policy MMC applet, you can do this by searching for Security in the start menu or from the command prompt by typing:</p>
<pre>%windir%\system32\secpol.msc /s</pre>
<p>Once there, open the Local Policies folder, then the Security Options view.  From there find &#8220;Network security: LAN Manager authentication level&#8221; &#8211; you will probably find this is set to &#8220;Send NTLMv2 response only&#8221; &#8211; change this to &#8220;Send LM &amp; NTLM &#8211; use NTLMv2 session security if negotiated&#8221;.  (Under the hood this is the LmCompatibilityLevel DWORD in HKLM\SYSTEM\CurrentControlSet\Control\Lsa going from 3 to 1.)  This does lower your security level, and not just towards the Time Capsule: the policy governs what this machine sends to ANY server that asks, so anyone on the same network who can coax it into authenticating (a link to a UNC path is often enough) gets an LM/NTLMv1 challenge-response that is cheap to crack offline and easy to relay.  Try the less damaging &#8220;Send NTLM response only&#8221; (level 2, which drops LM but keeps NTLMv1) before going all the way down, and put it back once the device in question is gone.  For old SMB/CIFS implementations that never learned NTLMv2, though, something like this is pretty much required.</p>
<p>Further down you should see &#8220;Network security: Minimum session security for NTLM SSP based (including secure RPC) clients&#8221; &#8211; you may have to make sure that both &#8220;Require&#8221; boxes (NTLMv2 session security, and 128-bit encryption) are unchecked as well.  That one is the NtlmMinClientSec DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0; with both boxes unchecked it is 0.</p>
<p>This should get your <a href="http://apple.com/timecapsule/">Time Capsule</a>, <a href="http://apple.com/airportextreme/">Airport Disks</a>, and Pre-Vista SMB/CIFS shares working again!</p>
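<p>Since these two settings are easy to change and easy to forget, here is an added check (my code, not from the original post) that reads them out of a &#8220;secedit /export /cfg C:\lsa.inf&#8221; file instead of the MMC and says in plain words what they allow.  The two .inf snippets are constructed to show the weakened settings described above next to the hardened ones; the registry value names and the two flag bits are the real ones; the function names are my own.</p>

```python
# Added example, not from the post: audit the two policies the post tells you
# to change, by reading a secedit export instead of clicking through the MMC.
# Export it with:  secedit /export /cfg C:\lsa.inf
# The two .inf texts below are constructed: the weakened settings the post
# describes next to the hardened ones.

LM_LEVELS = {   # "Network security: LAN Manager authentication level"
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
# Bits in NtlmMinClientSec, i.e. the two "Require ..." checkboxes in the
# "Minimum session security for NTLM SSP based clients" policy.
REQUIRE_NTLMV2_SESSION = 0x00080000
REQUIRE_128BIT = 0x20000000

WEAK_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec=4,537395200
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(inf_text):
    r"""Return {value name (lower case): int} for the REG_DWORD entries in the
    [Registry Values] section.  Lines there look like
    MACHINE\...\LmCompatibilityLevel=4,1   where the 4 means REG_DWORD."""
    values, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Registry Values" and "=" in line:
            path, rest = line.split("=", 1)
            reg_type, _, raw = rest.partition(",")
            if reg_type == "4":
                values[path.rsplit("\\", 1)[-1].lower()] = int(raw)
    return values


def audit(values):
    """Findings for the two settings the post changes; an empty list means
    both are at the hardened end."""
    findings = []
    level = values.get("lmcompatibilitylevel")
    if level is None:
        findings.append("LmCompatibilityLevel not present: OS default applies")
    elif level <= 1:
        findings.append(f"LmCompatibilityLevel={level} ({LM_LEVELS[level]}): "
                        "LM and NTLMv1 responses will be sent to any server that asks")
    elif level == 2:
        findings.append(f"LmCompatibilityLevel=2 ({LM_LEVELS[2]}): NTLMv1 still sent")
    minsec = values.get("ntlmminclientsec", 0)
    if not minsec & REQUIRE_NTLMV2_SESSION:
        findings.append("NtlmMinClientSec: NTLMv2 session security not required")
    if not minsec & REQUIRE_128BIT:
        findings.append("NtlmMinClientSec: 128-bit encryption not required")
    return findings


if __name__ == "__main__":
    for name, inf in (("weakened", WEAK_INF), ("hardened", HARDENED_INF)):
        print(name, audit(parse_registry_values(inf)) or ["ok"])
```

<p>Point it at a real export from the machine you just changed and it will list three findings; once the Time Capsule is gone and you have restored the defaults, the list should be empty again.</p>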
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2009/06/07/windows-7-airporttime-capsule-disks/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New server coming!</title>
		<link>http://www.dotblag.com/2008/08/19/new-server-coming/</link>
		<comments>http://www.dotblag.com/2008/08/19/new-server-coming/#comments</comments>
		<pubDate>Tue, 19 Aug 2008 09:16:52 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Hardware]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[Speed.Demon]]></category>
		<category><![CDATA[freebsd]]></category>
		<category><![CDATA[nexenta]]></category>
		<category><![CDATA[solaris]]></category>
		<category><![CDATA[zfs]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=56</guid>
		<description><![CDATA[Well, the box running dotblag.com, while plenty serviceable, is showing it&#8217;s age.  I&#8217;ve ordered a pretty large machine (just short of $3000 in total parts) and the bits are on their way, woohoo!  I&#8217;ll be setting it up and burning it in over the next month or two.  Once it&#8217;s ready dotblag will be moving [...]]]></description>
			<content:encoded><![CDATA[<p>Well, the box running dotblag.com, while plenty serviceable, is showing it&#8217;s age.  I&#8217;ve ordered a pretty large machine (just short of $3000 in total parts) and the bits are on their way, woohoo!  I&#8217;ll be setting it up and burning it in over the next month or two.  Once it&#8217;s ready dotblag will be moving to it.  I&#8217;m still not sure exactly how the software&#8217;s going to be, but some sort of master/host OS with virtual containers to run stuff.  One for my email, one for the <a href="http://freenode.net">Freenode</a> IRC server, one for webserving/this probably&#8230;you get the idea.  I&#8217;ll probably be trying out the now free VMWare ESXi, and Nenenta core.  I&#8217;ll actually probably be &#8220;donate&#8221;ing the machine to the <a href="http://nexenta.org">Nexenta</a> guys during their hackathon.  I&#8217;ve kinda leaning towards Nexenta, being I&#8217;ve been a <a href="http://sun.com/solaris">Solaris</a> or <a href="http://freebsd.org">FreeBSD</a> guy at heart for a long time, but LOVE <a href="http://debian.org">Debian&#8217;s</a> APT system.  Nexenta is OpenSolaris, with APT/dpkg, which is probably about as close to sysop nerdvana as you&#8217;re going to get!  I have yet to play with it but from what I gather it&#8217;s zone&#8217;s support not only lx (Linux Solaris Zone) but Xen.  Or something like that.</p>
<p>I&#8217;ll try to keep this updated.</p>
<p>But Mr. SysOp, how lame are you that it&#8217;s going to take months to set up a machine?!  I have a day job, folks.  A BUSY day job.  Doing SA work in my VERY limited spare time is hard, and not very attractive.  So yes it could take a while.  I might throw up Nexenta or the free ESX and find out I hate it.  I want to have time to play with those options before I commit to moving live services to it.  Once I do that I&#8217;ll be totally stuck with my choice, warts and all.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2008/08/19/new-server-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Damn you BGP!  Damn you!</title>
		<link>http://www.dotblag.com/2008/04/30/damn-you-bgp-damn-you/</link>
		<comments>http://www.dotblag.com/2008/04/30/damn-you-bgp-damn-you/#comments</comments>
		<pubDate>Wed, 30 Apr 2008 20:02:59 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Fail]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[bgp]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=38</guid>
		<description><![CDATA[Seriously.  You&#8217;d think after all these years there&#8217;d be better tools than BGP and better tools for working with BGP.  But no.   *sigh* deactivate neighbor 216.x.y.z commit  ]]></description>
			<content:encoded><![CDATA[<p>Seriously.  You&#8217;d think after all these years there&#8217;d be better tools than BGP and better tools for working with BGP.  But no.</p>
<p>*sigh*</p>
<pre>deactivate neighbor 216.x.y.z
commit</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2008/04/30/damn-you-bgp-damn-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Size does matter.</title>
		<link>http://www.dotblag.com/2008/04/01/size-does-matter/</link>
		<comments>http://www.dotblag.com/2008/04/01/size-does-matter/#comments</comments>
		<pubDate>Tue, 01 Apr 2008 00:26:48 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Fail]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[comcast]]></category>
		<category><![CDATA[roadrunner]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=33</guid>
		<description><![CDATA[[ part two of I Cee emM Pee you ] If a woman ever tells a man size doesn&#8217;t matter, she&#8217;s certainly not being truthful.  Similarly anyone talking about packet sizes is also spinning a yarn. Tunnels can and will reduce your MTU.  A lot of consumer NAT devices don&#8217;t handle/pass along the ICMP Unreachable [...]]]></description>
			<content:encoded><![CDATA[<p>[ part two of <a href="http://www.dotblag.com/index.php/2008/03/31/i-cee-emm-pee-you/">I Cee emM Pee you</a> ]</p>
<p>If a woman ever tells a man size doesn&#8217;t matter, she&#8217;s certainly not being truthful.  Similarly anyone talking about packet sizes is also spinning a yarn.</p>
<p>Tunnels can and will reduce your MTU (a GRE tunnel, for instance, eats 24 bytes of the usual 1500).  A lot of consumer NAT devices don&#8217;t handle, or pass along, the one ICMP Destination Unreachable message that matters here: type 3, code 4, &#8220;fragmentation needed and DF set,&#8221; which carries the next-hop MTU the sender has to drop down to (on IPv6 the equivalent is ICMPv6 Packet Too Big, type 2, and routers there never fragment at all).  This means people end up &#8216;broken&#8217; trying to access your site: small packets get through, the first full-size one vanishes, and the connection just hangs.  Packetization-layer PMTU discovery (RFC 4821) can help because it probes without relying on ICMP at all, and clamping the TCP MSS on the tunnel router papers over it for TCP, but if the ICMP messages are getting dropped, classic path MTU discovery cannot help.</p>
<p>We&#8217;ve been experiencing such a state/problem.  The most obvious place having an issue is the Comcast Mail Servers and the RoadRunner Mail Servers.  Individuals have also been experiencing it.</p>
<p>Worse we&#8217;ve had a hard time narrowing down the problem path.  Because it&#8217;s intermittent.</p>
<p>*sigh* Epic Failure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2008/04/01/size-does-matter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I Cee emM Pee you!</title>
		<link>http://www.dotblag.com/2008/03/31/i-cee-emm-pee-you/</link>
		<comments>http://www.dotblag.com/2008/03/31/i-cee-emm-pee-you/#comments</comments>
		<pubDate>Mon, 31 Mar 2008 22:21:45 +0000</pubDate>
		<dc:creator>SysOp</dc:creator>
				<category><![CDATA[.Fail]]></category>
		<category><![CDATA[Net.working]]></category>
		<category><![CDATA[ICMP]]></category>

		<guid isPermaLink="false">http://www.dotblag.com/?p=32</guid>
		<description><![CDATA[An open invitation to D-Link, NetGear, etc.  DISABLE ANYTHING IN YOUR DAMNED ROUTERS THAT MIGHT FILTER ICMP UNREACHABLEs. We&#8217;ve been seeing occasional problems with a tunnel &#8220;somewhere&#8221; on the internet getting into our path.  It shouldn&#8217;t be a problem except that it seems a lot of firewalls still filter ICMP Unreachable&#8217;s at the least. DON&#8217;T [...]]]></description>
			<content:encoded><![CDATA[<p>An open invitation to D-Link, NetGear, etc.  DISABLE ANYTHING IN YOUR DAMNED ROUTERS THAT MIGHT FILTER ICMP UNREACHABLEs.</p>
<p>We&#8217;ve been seeing occasional problems with a tunnel &#8220;somewhere&#8221; on the internet getting into our path.  It shouldn&#8217;t be a problem, except that it seems a lot of firewalls still filter ICMP Unreachables at the least, including the one message that makes path MTU discovery work at all: type 3, code 4, fragmentation needed.</p>
<p>DON&#8217;T DO THAT.</p>
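<p>The ICMP message both this post and &#8220;Size does matter&#8221; are about, and what happens when a box in the path eats it, as an added example in Python (mine, not from either post).  It builds and parses a real RFC 792 type 3 code 4 &#8220;fragmentation needed&#8221; message with its RFC 1191 next-hop MTU field, then runs classic path MTU discovery across a made-up path with a GRE tunnel in it, once with a CPE that passes the ICMP along and once with one that filters it.  Hop names, MTUs and the 28-byte excerpt of the offending datagram are constructed.</p>

```python
import struct

# Added example, not code from either post: the ICMP message a tunnel router
# sends back when a don't-fragment packet is too big (RFC 792 type 3 code 4,
# with the next-hop MTU field from RFC 1191), plus a small path model showing
# why a CPE that filters ICMP unreachables turns a tunnel into an intermittent
# black hole.  Hop names, MTUs and the 28-byte datagram excerpt are constructed.

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
OFFENDING = b"\x45" + b"\x00" * 27   # constructed: 20-byte IPv4 header + first 8 bytes


def inet_checksum(data):
    """Ones'-complement sum of 16-bit words, as IP and ICMP use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu, offending_header_plus_8):
    """Type, code, checksum, 16 unused bits, next-hop MTU, then the header and
    first 8 bytes of the datagram that did not fit."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg = head + offending_header_plus_8
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(msg):
    """The advertised MTU, or None if this is not a valid fragmentation-needed."""
    if len(msg) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    if inet_checksum(msg) != 0:          # an intact message sums to zero
        return None
    return mtu


class Hop:
    def __init__(self, name, mtu, filters_icmp=False):
        self.name, self.mtu, self.filters_icmp = name, mtu, filters_icmp


def forward(path, size):
    """Push one DF datagram of `size` bytes along `path`.  Returns
    ("delivered", size), ("icmp", mtu) when the error reaches the sender, or
    ("blackholed", hop name) when a hop nearer the sender swallows the error."""
    for i, hop in enumerate(path):
        if size > hop.mtu:
            err = build_frag_needed(hop.mtu, OFFENDING)
            for back in reversed(path[:i]):        # the error travels back toward the sender
                if back.filters_icmp:
                    return ("blackholed", back.name)
            return ("icmp", parse_frag_needed(err))
    return ("delivered", size)


def pmtud(path, message_size, start_mtu=1500, max_rounds=8):
    """Classic path MTU discovery: send with DF set, shrink on each
    fragmentation-needed, and stall if the error never comes back."""
    mtu = start_mtu
    for _ in range(max_rounds):
        outcome, detail = forward(path, min(message_size, mtu))
        if outcome == "icmp" and detail and detail < mtu:
            mtu = detail
            continue
        return (mtu, outcome)
    return (mtu, "gave up")


def demo():
    tunnel = Hop("gre-tunnel", 1476)     # 1500 minus 20 bytes outer IP and 4 bytes GRE
    far_end = Hop("mail-server-side", 1500)
    clean = [Hop("cpe", 1500), Hop("isp-core", 1500), tunnel, far_end]
    broken = [Hop("cpe-filtering-icmp", 1500, filters_icmp=True),
              Hop("isp-core", 1500), tunnel, far_end]
    return {
        "clean_big": pmtud(clean, 20000),      # learns 1476 and delivers
        "broken_big": pmtud(broken, 20000),    # never hears about 1476: hangs
        "broken_small": pmtud(broken, 400),    # small mail still gets through
    }
```

<p>The third result is the whole story of the &#8220;intermittent&#8221; problem in the other post: with the filtering CPE, anything smaller than the tunnel MTU sails through and anything bigger disappears without a trace, so a tiny email works and a big one hangs.  If you must filter ICMP, let type 3 code 4 (and ICMPv6 type 2) through.</p>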
]]></content:encoded>
			<wfw:commentRss>http://www.dotblag.com/2008/03/31/i-cee-emm-pee-you/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
