Slashdot Mirror

Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

Humans' ability to create complex and convoluted workarounds for problems that have been foreseen for 20 years and have had a solution for equally as long simply waiting for a bit of investment in infrastructure amazes me. If people spent even half the amount of effort in implementing IPv6 as they do finding assbackwards workarounds to easily solvable problems then the world would be a much better place.

Your ISP should at least be giving you a block of static ports on a static public IPv4 address so that you can just map them on your home router afterwards. It's called "port block allocation". See this slide deck for more details.

Port control protocol is also very close to being reality. It's a bit like a combination of UPnP and DHCP that allows static IPv4 ports to be requested by and allocated to an end user like IP addresses are now.

You should pester your ISP about these two services monthly until they have a satisfactory response for you. Frankly it's irresponsible on their part if they don't have a FAQ explaining this stuff and a policy for helping customers deal with these things. To do otherwise is demeaning to their customers.

This library has a 3945.

Somebody at Cisco must have made quite a bonus...

The 3945 is also used to heat the building in the winter.

This library has a 3945.

Somebody at Cisco must have made quite a bonus...

I would agree with you if not for the growing trend of collaborative spaces in the IT industry.

You mean like thisor this?

You need to collaborate to ensure everyone is on the same page and going in the same direction but you don't need to do it M-F 9-5. In fact, the more you collaborate the less time you have to execute.

I assume you would like to look less like an idiot in the future, so I will provide information with references for your education.

"There is no such thing as a half bit"

In communications, a half bit is a signal that is on the wire for half of the time of a full bit. Here is a datasheet from a UART manufacturer. On page 4 they describe the 'line control register' which sets how many stop bits there are: 1, 1.5, or 2. A simple search will return many references to start/stop bits in async communications.

"Ethernet does not have packets"
The IEEE, Cisco, Wikipedia, and Wireshark would all disagree with that, as would anyone who knows anything at all about networking.

Your little quote you posted provides no support for your position at all. Nobody ever said maximum numbers (such as data lengths) were not going to be in powers of two, or that calculations such as CRC would not be in powers of two. What I said was that data is not naturally (or even usually) transmitted in power of two increments, and you have shown absolutely nothing to disprove that.

It is exactly what Cisco said see here: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

there is an overwhelming perception that people get compromised for 'going to dumb sites,

Like this one? http://homestore.cisco.com/en-us.htm

I could RTFA but that would be against the true spirit of /. so I will just ask. Is there something about the new 802.11ac standard that makes it better for use inside buildings and other structurally dense environments?

Well, I could quote what Cisco's whitepaper has to say about it:

802.11ac, the emerging standard from the IEEE, is like the movie The Godfather Part II. It takes something great and makes it even better.

The whitepaper doesn't say anything about walls though.

It's not as easy as you think. I spent a long time researching this, and I had a Mathematics PHd on staff helping me. I was able to get granularity down to about 15-20ft, when I saw about 20 access points. But 15-20 ft is still pretty big if you are trying to get spatial orientation between people...

And even then, even when I saw 20+ AP, I was still able to find points inside our building where I got matching signal-strength profiles from the APs as another location pretty far away. Remember, proximity detections is not the same as location tracking. I can get unique profiles from contiguous location blocks, but I can't guarantee the same for non-contiguous blocks.

A Cisco MSE will get your location down to around 3 - 5 meters, with 4 or 5 nearby AP's

http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a00809d1529.shtml

Cisco's acquisition of ThinkSmart Technologies was all about leveraging WiFi for customer analytics. http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/thinksmart.html

It's more than just tracking who goes in and out of a store- it's about dwell time, product placement and spot marketing.

Cisco switches are manufactured in China since 2011 per this press release: http://newsroom.cisco.com/press-release-content?articleId=442243

I'm with you right up to using the same channel. Hell no! This is suicide. Avoid co-channel interference.

Lay out your wifi install and figure out your channel plan. Survey for placement. I have several sites where RRM did a horrid job, and I've had to statically assigned channels to get performance up. Cisco design docs are available, google is your friend.

While WPA2/PSK works, and I use it at home for a 3 AP network, you actually can get faster roaming using 802.1X with key caching between APs.

Many clients do not fast roam. They drop and reassociate. This can lead to performance issues, but you can't solve it at the AP. it is a clien side issue. I've worked with Dell/Broadcom to fix drivers roaming issues plaguing our fleet deployment, and it is a pain. Finding a USB stick adapter that roams well is very hard.

A question like yours could be easily answered by a visit to Google.

How about strait from Ciscos documentation?
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/ht_ssi.html

Microsoft Denys they put a backdoor into Windows, but the NSA worked directly with them on development of every OS since XP:
http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development
The NSA doesn't generally help private companies with their products, and Microsoft doesn't generally take advice from their customers on their design. I doubt that whatever the NSA was really doing to help with the product was anything we'd consider good.

"I don't think you answered to that PBR question already." - by Anonymous Coward on Sunday December 16, @04:52PM (#42308779)

Now that YOU answered, I will as I said I would: That type of advanced routing & the data branchings are done by network hardware vendors like Cisco.

I.E.-> Using route-map config in IOS you can influence normal routing done by lookup to the routing table.

See here -> http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html Configuring Policy-Based Routing

MORE IMPORTANTLY - because of your attempts @ "patronizing me", boy?

You evaded questions here -> http://it.slashdot.org/comments.pl?sid=3319303&cid=42308415

Especially @ the very end of THAT post, completely...

Additionally: I utterly BURNED YOU here, point-by-point & rather easily -> http://it.slashdot.org/comments.pl?sid=3319303&cid=42308415

(Answer me that...)

---

"Also if you ever looked and beyond that knew how useful /proc is under Linux when you are in trouble (running out of resources, tuning the system, salvaging file accideltally deleted but still recoverable because program using it was not quitted yet etc.) so many things that where most of the stuff under /proc is very usefull and an I haven't found anything like that so easy to use from windows." - by Anonymous Coward on Sunday December 16, @04:52PM (#42308779)

Really? Never heard of taskmgr.exe?? How about ProcessExplorer.exe??? Both are MS products, & come with the OS &/or are free MS tools respectively.

FACT - since you're showing us that much already:

You don't KNOW your Windows that well!

---

"It might be that the environments where you been working you are free to download and install any program you find from the net but it's not complete story." - by Anonymous Coward on Sunday December 16, @04:52PM (#42308779)

WTF? AGAIN - Quit *trying* to play "senior" & patronize/look down your nose @ ME, BOY!

I doubt you can prove you've been there...

ME? I've actually worked for Lockheed Martin (before that when they were GE), the U.S. Military, & more in the Fortune 100-500 on contracts, as both a system admin, tech, + developer since 1994 professionally.

You came in here, talking your "25 yrs. of bullshit" as far as I am concerned - since you are UNWILLING TO BACK IT UP below...

(My guess? You can't... and you KNOW it!).

---

"Once you work for military, big telecoms datacenters etc." - by Anonymous Coward on Sunday December 16, @04:52PM (#42308779)

See above blowhard... & quit trying to "patronize me", Mr. nobody "ne'er-do-well" that's done zero he can show for his words!

Hell - You can't even BACKUP your b.s. below!

Evasions & patronizing me? I strongly DISLIKE your attitude... especially trying to "patronize me" from someone that can't back up their b.s. & face it:

YOU fucked up LARGE, here -> http://it.slashdot.org/comments.pl?sid=3319303&cid=42308415

---

"I think the question was that wether Windows hinders you more (than Linux) having a well kept and secure system or not" - by Anonymous Coward on Sunday December 16, @04:52PM (#42308779)

Are you HIGH? Did you see my 1st post?? "Great Security there" (not) -> http

line of sight = visual line to the object.

line of site = can be Radio line of site where the path can be obstructed but the signal waves still pass through to destination. Cisco uses this in some of there documentation. (page 2 - http://www.cisco.com/web/partners/downloads/765/tools/quickreference/aironet.pdf).

line of site can also mean a line from the artillery source to target. Where you draw a straight line between the two points but the artillery actually arcs above obstructions.

From (emp mine) http://www.cisco.com/en/US/prod/vpndevc/ps10128/ps10154/dlp_overview.html

Data loss prevention (DLP) poses a serious issue for companies, as the number of incidents and the cost to businesses continues to increase. Whether it is intentionally malicious or inadvertent, data loss can diminish a company's brand, reduce shareholder value, and damage the company's goodwill and reputation.

Cisco gear does have backdoors. Google "Cisco lawful intercept". No doubt there are more.

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch1.html

This isn't really a backdoor, just something ISPs and college campus networks are required to have available. The ISP is still responsible for having it properly set up and accessible. Even then, it's enabled on a case by case basis with cooperation from the ISP.

Additionally, the actual collection of information from a LEA is performed on a separate device, usually a server they send you for a period of time. See http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

An example of a real backdoor would be a way for the FBI / NSA to gain access to networks behind a Cisco device owned by an ISP without an ISP's network admin being aware of the access.

what makes you think that Cisco equipment don't come with backdoors?

Cisco gear does have backdoors. Google "Cisco lawful intercept". No doubt there are more.

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch1.html

I suspect this was JPEG 2000, not just "MJPEG". CESNET has previously done 4K IP streaming with JPEG 2000.

JPEG 2000 is the standard for digital cinema, and has the advantage of having limited loss in multi-generations of decode/recode.

Many TV networks use JPEG 2000 at 100-150 Mbps for IP transmission contribution to the network centers from major sports stadiums.

Cisco has a device to do up to 12 channels of HD video over IP as uncompressed (1.5 Gbps) or JPEG 2000.

It depends on the ISP and how you connect, but in many cases the ISP will enable configuration so that if you try and use an IP address other than the one they gave you it will fail. This if for no other reason that a compromised or busted device sending promiscuous ARP with bogus addresses acts as a denial of service attack. See this cisco document for how this works on some equipment.

It's different because Cisco publicly announces their security advisories and publishes security bug information. Full disclosures:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Other companies (such as Juniper) are a bit less public, but seem to offer more information than Huawei to their customers too:
http://s-tools1.juniper.net/support/security/report_vulnerability.html

It's really not hard to find them with Cisco gear managed by Cisco Wireless Control System. WCS will automatically triangulate them so you can physically locate them and you can even block/disable rogue APs (talk to legal before blocking/disabling Wifi APs, re:FCC & unlicensed spectrum). I've used it this last week to track down 3 rogue APs which were permanently installed by employees for personal employee use (turns out they BYOI from a WISP and then share with those who want to chip in and only use with their personal devices, not work devices). Additionally, WCS will alert if any of those "rogue" APs' MAC addresses ever show up on the Corporate network and will also track all authorized work clients to make sure they don't connect to rogue APs. It will also track and make sure non-authorized APs never use a "legitimate" SSID (disallowing any impersonation of our real APs).

I've yet to play with it, but WCS' replacement, NCS, does this as well: Rogue AP Details.

It's really not hard to find them with Cisco gear managed by Cisco Wireless Control System. WCS will automatically triangulate them so you can physically locate them and you can even block/disable rogue APs (talk to legal before blocking/disabling Wifi APs, re:FCC & unlicensed spectrum). I've used it this last week to track down 3 rogue APs which were permanently installed by employees for personal employee use (turns out they BYOI from a WISP and then share with those who want to chip in and only use with their personal devices, not work devices). Additionally, WCS will alert if any of those "rogue" APs' MAC addresses ever show up on the Corporate network and will also track all authorized work clients to make sure they don't connect to rogue APs. It will also track and make sure non-authorized APs never use a "legitimate" SSID (disallowing any impersonation of our real APs).

I've yet to play with it, but WCS' replacement, NCS, does this as well: Rogue AP Details.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/android-user/guide/android-acug.pdf

(Parent here, posting a proper link, because this always annoys me when I come across one whilst reading Slashdot on a mobile device.)

Lawful Intercept, aka your friendly neighborhood backdoor. As used by law enforcement officials and black hats alike.

The term "lawful intercept" describes the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications as authorized by judicial or administrative order.

http://www.cisco.com/en/US/tech/tk583/tk799/tsd_technology_support_protocol_home.html

"As far as I can tell there is no upside for Cisco in this."

You're just not looking at things from their perspective. Would you like to? Here. This pretty much sums up today's Cisco.

http://www.cisco.com/en/US/prod/collateral/ps7045/ps6129/ps6133/ps6150/prod_qas0900aecd8041c9d4_ps6151_Products_Q_and_A_Item.html

As you might notice (it isn't that hard to read between the lines in the Q & A), they are discussing a solution to control our connections to the internet--as opposed to merely facilitating it--and do so purely in terms of monitization. Cisco no longer just sells routers, they sell the people using them. There is also stated concern for the interests of both the RIAA and the MPAA on the part of Cisco in that Q & A I linked to.

The shareholders.......duh.

Who runs it? The board. http://investor.cisco.com/directors.cfm

But Cisco is the top-level company....not a subsidiary.

Cisco addresses this issue in a blog: http://blogs.cisco.com/home/answering-our-customers-questions-about-cisco-connect-cloud/ The blog states, in part: "Cisco prides itself on offering the best customer experiences, and privacy and security are at the core of everything we do. That goes for Cisco Connect Cloud too. When a customer signs up for a Cisco Connect Cloud account, personal information is used only to establish an account in order to provide customer support. Consistent with Cisco's practices, Cisco Connect Cloud does not actively track, collect or store personal info or usage data for any other purposes, nor is it transmitted to third parties. We also wanted to clear up any confusion about Cisco's `opt in' practices. Cisco Connect Cloud was delivered only to consumers who opted in to automatic updates. While we hope this reminder of our standard company practices will allay any concerns, customers who do not wish to establish a Cisco Connect Cloud account and would prefer to revert back to the traditional Linksys setup and management software can do so by calling the Linksys customer support line at 1-800-326-7114. One of our agents will walk you through the process."

Downgrade procedure posted on Cisco support forum. http://homecommunity.cisco.com/t5/Wireless-Routers/Smart-Wi-Fi-Routers-How-to-downgrade-your-firmware-back-to/td-p/538010 Firmware now available on the support site.

http://www.cisco.com/web/siteassets/legal/connect_cloud_supp.html

I especially like how they get to keep your Internet history. Why do you think this is a good idea Cisco?

Your new Cloud Connect contract ...When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); Internet history; how frequently you encounter errors on the Service system and other related information ("Other Information"). We use this Other Information to help us quickly and efficiently respond to inquiries and requests, and to enhance or administer our overall Service for our customers. We may also use this Other Information for traffic analysis (for example, determining when the most customers are using the Service) and to determine which features within the Service are most or least effective or useful to you. In addition, we may periodically transmit system information to our servers in order to optimize your overall experience with the Service. We may share aggregated and anonymous user experience information with service providers, contractors or other third parties to assist us with improving the Service and user experience, but any shared information will be consistent with Cisco's overall Privacy Statement and will not identify you personally in any way....

Cisco is presently moving to IOS-XE which is the classic IOS binary blob running under a Linux kernel, which strikes them a balance between stability/portability (Linux) and features (IOS).

Of course, it's somewhat disingenuous to describe IOS-XE as "Linux" as it's really using it as a hardware layer - more like a heavy hypervisor which can host other applications.

What is wrong with just using wireless instead of dragging more cable? Of course you are talking to a small business person. I'm just wondering why an N-based wireless system couldn't be just as secure in a small place if configured properly or is this not yet possible? If jamming is an issue, I think there are products out there but I am not sure? I know the old ones are still around and not secure at all but it seems like they could be.

http://www.cisco.com/en/US/products/ps9948/index.html

Just a dumb question I guess.

Honestly, $22K isn't that bad for a decent edge router. It looks to me like a Cisco 7603, so with a service contract, that's not really that bad of a deal.

Article says Cisco 3945, which at least is marketed as a client-side router. If they're supposed to go to Gbps fiber, a case could be made. It would be full of holes, of course.

Incidentally, searching for cisco 3945 on the net gives https://supportforums.cisco.com/thread/2146460 which seems to be the reporter behind TFA looking for background.

It's not clear from the paper whether packet dropping is per-flow, in some fair sense, or per link. There's a brief mention of fairness, but it isn't explored. It sounds like the new approach has no built-in fair queuing.

Without fair queuing, whoever sends the most gets the most data through. Windows (especially) starts up TCP connections by sending as many packets as it can at connection opening. There used to be a convention in TCP called "slow start", where new connections started up sending only two packets, increasing if the round trip time turned out to be good. That was too pessimistic. But Windows now starts out by blasting out 25 or so packets at once. This hogs the available bandwidth through everything with FIFO queues.

If the routers at choke points (where bandwidth out is much less than bandwidth in, like the entry to a DSL line) do fair queuing by flow, the problem gets dealt with there, as the excessive sending fights with itself, trailing packets on the biggest flows are sent last, and everything works out OK.

"Bufferbloat" is only a problem when a small flow gets stuck behind a big one. A flow getting stuck behind the preceding packets of the same flow is fine; you want those packets delivered. Packet reordering is better than packet dropping, although more computationally expensive. Most CIsco routers offer it on slower links. Currently, this means links below 2Mb/s, which is very slow by modern standards. That's why we still have kludgy solutions like RED. This new thing is a better kludge, though.

As far as I know there is not an AnyConnect client.

cf. Cisco AnyConnect For Multiple Platforms

Virtualization is a great tool that offers tremendous flexibility and reduced costs, but it is not a magic bullet to solve every problem.

Exactly: blades not an anti-thesis to a 4U overbuilt VM host with a mess of cables pouring out the back. Depending on how much RAM you can stuff into a given box will tell you just how much consolidation you can get. If a few more blades each holding more RAM/U than the hefty ultra-deep-dish-pizza boxes, then blades may be an alternative.

For example, virtualization struggles with I/O heavy workloads, which are becoming increasingly important with the meteoric rise of data warehousing and distributed computing.

CISCO UCSes are blade server enclosures that designed specifically with virtualization in mind. They are reported (*cough* marketing *cough*) to have pretty good I/O. The price is not nice, of course.

However, if you want virtualization and I/O, then try IBM LPARs on Power hardware. Pretty much a blade-like system. You just shove $$$ money at IBM and they flip extra capacity "on" for you.

Just watch out that you don't end up like the IBM Power architecture with expansion cabinets that look like the nest of the Flying Spaghetti Monster.

Cisco has a white paper pushing the G.722 codec which is a 16-bit sampling from 150Hz to 7kHz.
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8537/prod_white_paper0900aecd806fa57a.html
Keep in mind, part of the reason for the white paper is that they want to sell their newest 79xx series VOIP phones.

when I first saw its presentation (almost 2 years ago) I was impressed.

http://www.cisco.com/en/US/products/ps11156/index.html

never seen anybody using it unfortunately.

Hmm, the problems you note are certainly issues with VOIP using consumer equipment on a shared Internet connection (such as my Ooma device over my Comcast Internet, or your Skype box), but I had assumed AT&T's telephone IP backbone probably has dedicated bandwidth allocations, generous bitrates, and cut-through routing to avoid the inherent latency of store-and-forward packet switching.

http://www.cisco.com/en/US/products/ps6386/tsd_products_support_series_home.html

Properly configured Cisco 2700-series wireless location appliance, 6500-series wireless lan controller, and certain Cisco AP's together can locate RFID tags, and track them using a wireless control server.

That came out in 2006 I think...

Came close to recommending it as an absentee system for private schools, but we couldn't overcome the practicalities of students swapping shoes, ties, bags, students cards, etc. All a student needs to do is hand their tagged item of clothing or equipment to someone else to drag to school, and the absenteeism would slip the school by and subject the administration to duty of care questions.

I have a great Android phone that does everything an iPhone can do and more.

Do you know if Android phones work with IPsec / Cisco VPN's now? One of my co-workers wasn't able to get his to work with our setup, but maybe that's just our error. For medium/large businesses, things such as VPN access are very important. Googling it just now, I see articles such as these http://communities.cisco.com/thread/17118 .

And, yes, before you ask -- the iPhone / iPad supports this out of the box.

It was iOS as well then...

http://blogs.cisco.com/news/cisco_and_apple_agreement_on_ios_trademark/

Have you seen the requirements for the VMware VCDX and Cisco Certified Architect certifications that require prospectives to submit an application, have suitable experience shown, be accepted, build a design to certain requirements, and then defend their design choices in front of a panel?

Why on earth would anyone do this, other than if they actually like what they do? Finishing an MBA sounds easier than this AND gets you a larger salary and better promotion aspects. For someone with a college degree in IT and several years of technical experience in industry, the MBA is a better option. It offers more bang for buck, and having a business-level manager with technical experience in an organisation probably makes for a star-performer employee.

There are really own two certs I respect: Cisco's CCIE and Oracle's OCM. Both require hands-on lab demonstrations of skill. (Is RedHat doing that now, too?)

Microsoft MCM certifications require hands-on lab demonstrations of skill. And there are plenty of other IT certs with similar requirements, that are not simple "pass a test, get the cert".

Have you seen the requirements for the VMware VCDX and Cisco Certified Architect certifications that require prospectives to submit an application, have suitable experience shown, be accepted, build a design to certain requirements, and then defend their design choices in front of a panel?

They kind of make Oracle OCM and IE look like like 'easy' certs by comparison.

There are also things like CISSP-ISSMP, where applicants actually must have 2 years of job experience specifically related to the knowledge base and positive references to certify, in addition to passing tests, and they must show a fair number of hours of continuing education every year to stay certified; so holding the papers there takes a lot more than just passing a test too.

At a recent event, we utilized Cisco's *cha-ching* Wireless Access Controller. We are an all-Cisco *cha-ching* house, so it was an easy choice.

http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html *cha-ching*

Cisco. *cha-ching*

At a recent event, we utilized Cisco's Wireless Access Controller. We are an all-Cisco house, so it was an easy choice.

http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html

various OSs now randomize the mac to prevent leaking mac addresses, not that it actually protects you at home, only maybe on a large campus with loads of other people to share the blame.
for many organisations, the bigger issue is preventing rogue route advertisements; similarly to stopping rogue DHCP servers; it allows people to conduct a MITM.
Cisco switches can mitigate this: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html

The launch site includes a list of participating home router vendors, where Cisco and D-Link are both listed with links where they list what routers of theirs currently have IPv6 support.
The Cisco list has several Linksys E-series routers.
Not to say it isn't about bloody time. Selling non-IPv6 network equipment in this day and age is practically a scam.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/l2trace.html

RFC1112 muticast space needs L2/L3 multicast mapping traceroute utilities which has been around longer than I would like to admit... grrr.. i'm old...