Our fucktard in chief, AKA Naboleon, is pushing for his three-strike law to please his big content buddies. I talked to the fine people fighting this nonsense, and that much is clear: beyond the obvious evil motivations, the main feature of these assholes is their complete lack of understanding.
It's not just that they don't get it -- and they certainly don't get it. It's that they don't even care. Sure they order surveys from academics and various government agencies; but they quickly proceed to ignore them, or claim the opposite of what they say.
The list is mind boggling. Every single government-related agency with a modicum of technical or legal expertise and a minimal amount of political independence has rejected their proposals in surprisingly frank terms:
The European Parliament passed amendment 138, which condemns the proposed law
The European Commission accepted said amendment in spite of Sarko's protests
The Commission on Data Privacy (CNIL) delivered a completely negative evaluation, and even went as far as to ostensibly leak the report because Bush's BFF wouldn't let them publish it
And the dumbass in charge of this nonsense, Christine Albanel, basically claims they all support her position. Conveniently, the afore-mentioned career civil servants and jurists are prohibited from responding publicly.
It's just insanity.
It's not yet quite as retarded as the Aussies' anti-porn filter, but we're closing in.
Pushing a new crypto algorithm that has not been extensively vetted is usually a bad idea ... but if there's one person you can trust to pull it off, that's djb.
Here, DNSsec's RSA-1024 is the bad idea. We already know it's breakable by a determined enough attacker, now. And the prize is huge. What happened to the principle of having a significant margin of security? That's idiotic. I'm guesstimating wildly, but today a million-strong botnet could break it in months; in five years' time a 10-million strong botnet of low-end 16 core desktops could do it in days.
I really doubt that the US is ready to go there. Too many boogie men in that basement. It is much easier to paper up the problem, stick the police on it and hide your head in the sand.
The prison business is big in the US, and, just like the military-industrial complex President Eisenhower warned you about, it's a self-perpetuating cancerous leech on your society.
Look at the numbers: just like the US spends several times more per inhabitant on its military, even adjusted for GDP, it has 10x more prisoners than other nations. In fact it has more than any other nation.
So what's happening? There is an industry around providing prison-related "services", and they provide plenty of campaign money to influence policy the right way.
There is basically no adoption of IPv6 because there's no point to it so far, because, today, if you have IPv6, you also have IPv4, and you end up using it anyway, even when talking to other IPv6 hosts.
DNS is the solution to the problem you're describing; but the current common tools are probably not practical enough. What would be needed would be something based on mDNS, whereby each machine on the network would announce its name, and a DNS server would collect that information and distribute it as needed.
Well it appears that avahi kind of does that (try avahi-resolve-host-name -6 hostname.local, assuming that IPv6 was enabled in avahi.conf), but it doesn't integrate automagically with standard hostname resolution AFAIK. But I might just be missing something.
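The scheme sketched in the comment above (each host announces its name over mDNS, a DNS server collects the announcements and serves them) in working form, as an added example that is neither part of the original comment nor avahi's code. It builds mDNS announcement packets the way a host would multicast them to ff02::fb, parses them (including DNS name compression pointers, with loop and forward-pointer rejection), and keeps a table from which zone-file style AAAA lines can be served. Host names and addresses are constructed sample values; the .local filter in `ingest` is the check a collector needs, since any host on the LAN can send mDNS and would otherwise be able to plant records for arbitrary domains.

```python
"""Added example, not code from the original comment or from avahi: collect
mDNS AAAA announcements into a table a DNS server could serve. Packets are
built locally instead of captured from ff02::fb so this runs offline; the
host names and addresses used are made up."""
import ipaddress
import struct
from typing import Dict, List, Tuple

TYPE_AAAA, CLASS_IN = 28, 1
CACHE_FLUSH = 0x8000  # mDNS sets this class bit on authoritative answers
Table = Dict[str, Tuple[str, int]]  # name -> (ipv6, ttl)

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_mdns_announce(name: str, addr: str, ttl: int = 120) -> bytes:
    """Unsolicited response (QR=1, AA=1, one AAAA answer). TTL 0 = goodbye."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rdata = ipaddress.IPv6Address(addr).packed
    rr = struct.pack("!HHIH", TYPE_AAAA, CLASS_IN | CACHE_FLUSH, ttl, len(rdata))
    return header + encode_name(name) + rr + rdata

def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name at `off`). Pointers must go
    backwards and at most 16 hops are followed, so loops are rejected."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            end = end if jumped else off + 2
            jumped, hops = True, hops + 1
            if hops > 16 or ptr >= off:
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end if jumped else off
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def parse_mdns_answers(pkt: bytes) -> List[Tuple[str, str, int]]:
    """(name, ipv6, ttl) for every IN AAAA record in a response; queries
    (QR=0) yield nothing and other record types are skipped."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        return []
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(pkt, off)
        off += 4
    found = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        if rtype == TYPE_AAAA and rclass & 0x7FFF == CLASS_IN and rdlen == 16:
            found.append((name, str(ipaddress.IPv6Address(rdata)), ttl))
    return found

def ingest(table: Table, pkt: bytes) -> int:
    """Apply one packet to the table; returns how many records were applied.
    Only names under .local are accepted: anyone on the LAN can send mDNS,
    so without this a rogue host could plant records for arbitrary domains."""
    n = 0
    for name, addr, ttl in parse_mdns_answers(pkt):
        if not name.endswith(".local"):
            continue
        if ttl == 0:
            table.pop(name, None)  # goodbye packet: host is leaving
        else:
            table[name] = (addr, ttl)
        n += 1
    return n

def zone_lines(table: Table) -> List[str]:
    """Zone-file style AAAA lines for the collected hosts, sorted by name."""
    return ["%s. %d IN AAAA %s" % (name, ttl, addr)
            for name, (addr, ttl) in sorted(table.items())]

if __name__ == "__main__":
    hosts: Table = {}
    ingest(hosts, build_mdns_announce("laptop.local", "fd00:0:0:1::a"))
    ingest(hosts, build_mdns_announce("printer.local", "fd00:0:0:1::b", 4500))
    print("\n".join(zone_lines(hosts)))
```

To turn this into the collector the comment wants, replace the constructed packets with a socket joined to the ff02::fb multicast group on UDP 5353 and feed each received datagram to `ingest`; the table is then what a unicast DNS server would serve for the `.local` (or a dedicated internal) zone.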
Is it such a pain to deal with such long addresses that admins who would be configuring v6 "just because" don't? Those of you who have v6 networks, are there automated tools that keep you from ever having to key in an address, do you have the address range printed on your t-shirt, or what?
There isn't much entropy in most IPv6 addresses. The first 32 bits don't change much; you share most of them with everyone on the same continent, and then with everyone on the same ISP. The lower 48 bits are usually mapped to the MAC address. The lower 48 to 63 bits are basically free for you to do your own in-house routed network, so unless you have a router inside your network (not the one connecting to the outside world), it's 0.
So for all intents and purposes, when you're managing a few machines, you will mostly pay attention to the lower 48 bits.
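An added example, not part of the original comment, of the address structure the comment describes: it carves a global unicast address into routing prefix, subnet ID and interface ID, derives the interface ID from a 48-bit MAC the way SLAAC does (modified EUI-64, RFC 4291 Appendix A, which is where the low bits "mapped to the MAC address" come from), and recovers the MAC back from such an address, which is the practical consequence of that low entropy: the address is a stable hardware identifier, not 64 random bits. A random interface ID in the style of privacy extensions is included for contrast. The prefix and MAC are constructed sample values.

```python
"""Added example (not from the original comment): how much of an IPv6
address actually varies, and how SLAAC derives the low 64 bits from a MAC.
The prefix and MAC below are constructed sample values, not real hosts."""
import ipaddress
import secrets
from typing import Optional

IID_MASK = (1 << 64) - 1  # the low 64 bits: the interface identifier

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in two,
    insert 0xFFFE between the halves, and flip the universal/local bit
    (0x02 of the first octet). Returns the 64-bit interface ID."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")

def random_interface_id() -> int:
    """Privacy-extension style interface ID: 64 random bits with the
    universal/local bit cleared, so it cannot be traced to a NIC."""
    return secrets.randbits(64) & ~(0x02 << 56)

def slaac_address(prefix: str, mac: str) -> str:
    """The address a SLAAC host without privacy extensions picks for a /64
    prefix: the prefix bits OR'd with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))

def split_address(addr: str) -> dict:
    """Carve a global unicast address into the fields the comment talks
    about: 48-bit routing prefix (continent/ISP/site), 16-bit subnet ID
    (your in-house routing, 0 if you have no internal router), and the
    64-bit interface ID (the host)."""
    a = int(ipaddress.IPv6Address(addr))
    return {
        "routing_prefix": a >> 80,
        "subnet_id": (a >> 64) & 0xFFFF,
        "interface_id": a & IID_MASK,
    }

def mac_from_eui64(addr: str) -> Optional[str]:
    """Undo the EUI-64 mapping. If the interface ID carries the 0xFFFE
    marker, anyone who sees the address can recover the NIC's MAC and
    recognise the machine on any network it visits. Returns None when the
    interface ID does not look MAC-derived (e.g. ::1 or a random one)."""
    b = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join("%02x" % x for x in mac)

if __name__ == "__main__":
    prefix, mac = "2001:db8:1234:1::/64", "00:1a:2b:3c:4d:5e"  # constructed
    addr = slaac_address(prefix, mac)
    print(addr)                            # 2001:db8:1234:1:21a:2bff:fe3c:4d5e
    print({k: hex(v) for k, v in split_address(addr).items()})
    print(mac_from_eui64(addr))            # 00:1a:2b:3c:4d:5e
    print(mac_from_eui64("2001:db8::1"))   # None
```

Running `split_address` on a handful of hosts from the same /64 makes the comment's point visible: the routing prefix and subnet ID are identical for all of them, and the interface IDs differ only in the bits the NIC vendor assigned.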
Would it have been better to use a smaller (40? 48?) bit range, and perhaps supplement that with an "extension" mechanism that could be appropriately sized for the network involved?
No, the extended size allows for great flexibility in routing.
The main problem with IPv6's slow adoption is that no transition scenario was ever devised. The protocol was spec'd, implemented, debugged and ... that's it. Nobody ever asked the question, who's gonna switch and why?
Currently, if you want to use the Internet, you need to be on IPv4. The only existing transition mechanisms are those which allow an IPv4 host to emulate IPv6 on top of it. And 100% of any other hosts you might be interested in talking to are on IPv4, even if they happen to also be on IPv6. So basically, in the rare cases where you can use IPv6, you can also use IPv4 to do the exact same thing.
So there's no point.
What's missing here (and has been missing since the beginning of IPv6) is a mechanism whereby an IPv6-only host can talk to an IPv4 host. I believe there's something called "nat64" that's being worked on, but it's in preliminary stages.
Here's how it's going to happen: for a veeery long time (10, 20 years), most corporate networks will remain IPv4 only. They have no reason to switch. It's not just network stacks, it's networking equipment, firewall rules, inertia but also stupidity and incompetence. Consider this: right now, there are major websites still incompatible with Explicit Congestion Notification. It's not that they just don't implement it; it's that their networking equipment suffers from a 10+ year old bug that prevents hosts with ECN enabled from accessing them. Non-buggy stacks just ignore the bit and let packets through; buggy ones silently drop the packets and cause the connection to hang. This used to be the case on www.cnn.com up until a few months ago, and is still happening on www.afp.com.
Instead, it's mobile networks that will implement IPv6. There are not even enough addresses in a class A (10.0.0.0/24) to give addresses to all mobile phones in a European country. It's trivial to implement proxies for HTTP and other common protocols, so that those mobile devices will be able to see CNN.com. But obviously, it would be much better to have a way to NAT those devices onto IPv4.
Do you remember how long it took /. to move from a tablefest of tagsoup to a CSS-based design? A good 10 years, give or take.
IPv6?
Have you ever looked at the specs? Did you understand anything?
I thought so.
Here's a simple case where you can't argue there's enough IPv4. Soon all mobile phones will be IP capable. Each having a unique address would be nice. BOOM! Impossible with IPv4. Not even enough room in 10.0.0.0/24 *right now* to put all mobile phones.
Hence the use of the word "opportunity" instead of "requirement."
... is largely symbolic. It only gives more exposure, not more power, and no way it gives a "free hand." That's just nonsense.
The European Court of Human Rights (which is not an EU institution, but close enough) acts as a last measure in many cases, much like the SCOTUS but w/o Adolf, err Antonin Scalia. They forced many positive changes in our disturbingly creepy judicial practices.
In other matters the Commission forced the break-up of the former telecom monopoly, which resulted in one of the highest broadband penetration rates in the world. They might next save us from the current oligopoly in the mobile phone network industry, which holds firmly in place because corrupt motherfucker Sarkozy is best buddies with many a stakeholder.
They're mostly on the side of angels. Seriously. Maybe the fact that they don't have that much actual power forces them to act more responsibly. I don't know. But they usually side with the good guys.
How insightful of you to point this out. Someone's gotta pay for it! No way! Get out!
Do you seriously believe that nobody realizes that?
That's not the damn point. The point of something being free of charge is that you don't pay to use it. Take Wikipedia. Even if you didn't pay to use it, it's free for everyone else to use. Yet tens of thousands of people donated something to keep it going. Is that not free?
So what if the gov't is paying for it. It pays for the roads, doesn't it? Even the most retarded Ayn Rand fetishist libertarians have to admit that having tolls on every road wouldn't be very practical. Yes you pay for it through taxes, and it's certainly more efficient than the alternative.
I'm not saying this is a great idea, but yes, it's free. As in beer.
There wouldn't be enough IPv4 to provide such a large scale service.
Just make the whole thing IPv6, possibly with proxies to access IPv4; that would instantly provide a massive incentive for third parties to start supporting IPv6.
Routers deeper inside the network cannot keep tabs on millions of IPs and who uses how much, they already have much to do.
Every single relevant administrative authority, consultative board, industry assoc (besides MAFIAAs of course) and independent judicial entities have given it the thumbs down, be it from a technical point of view or a judicial point of view.
The Conseil d'Etat (~ SCOTUS in some respects) shot most of it down preemptively with respect to due process concerns. CNIL (Data privacy board) shot basically all of it down based on privacy breach concerns, and risks of false positives. The European Parliament has voted amendment 138 which preemptively states the fucking obvious against this fucking nonsense. The European Commission accepted amendment 138 against Sarko's request (that was a nice jab btw, accepting the amendment means that a 2/3 majority at the Council of Ministers would be required to remove it).
But they're ramming it through. All those advisories can't technically stop the law from being passed. If things keep going this way, the law will be adopted by the parliament, and an EU directive opposing it will also be adopted a few months later. (Note that customarily member states are tacitly supposed to refrain from legislating at the local level while a matter is being handled at the European level, but Sarko's decided THIS is more important than respecting our European partners.)
In the end the law would be challenged on at least three fronts: at the Conseil d'Etat (which, I believe, has the power to change implementation details so as to basically render the whole thing pointless), at the Conseil Constitutionnel (if enough socialist deputies get their heads out of their asses and petition), and then at the European level, at the European Court of Justice.
But they're pushing that shit through so hard, it's some sort of foot-in-the-door technique. And even though it looks like it's going to be quashed from above, they will probably try and try again to pass that crap through. Lobbyists for big media have nothing else to do, basically, and pols want big media's love, esp. an attention whore like Sarko. Whatever they get, they will come back for more. At this point it looks like we have to win every single legal / legislative battle to stop this plan from going forward.
The sinister "three strike law" pushed by Sarkonazy and his subordinates creates a new category of "crime", that of "not properly securing one's connection", I shit you not. That way you can't use the defense of having been infected by a virus or having your router hax0red; it's your fault, you should have been a master sysadmin.
Nevermind that megacorporations themselves can't be fucked to secure all their systems; you, Joe SixPC, are supposed to one-up PCI DSS or FIPS whatever, or you can't be allowed on the interwebs.
Of course it's a massive pack of FAIL on so many levels, but that's what GWB's BFF has in store for us.
My late grand father used to do that, too, when he was a kid. In fact I believe his own father had done that, too.
I am. And it's spelled "you're".
Is there any way to turn it on?
And I'm French.
1. It's very complicated.
2. It's error prone
3. It's not even going to protect you against many attacks
4. It's coming from the people who wrote bind 4.x, the steaming pile of dung that preceded bind 8.x, the rotting carcass that preceded bind 9.x, the most bloated decomposing corpse of a beached whale of the internet
5. Even sendmail looks better than bind nowadays
6. Last I heard you have to give some more money to Verisign. Sigh.
7. It took them, what, 12 tries to get it "right"? I mean last time they said it was going to be the right one. How do we know this time it's good?
Non-placental mammals are mammals now. They were mammals then.
"Dinosaurs and mammals did not coexist." -- nope, sorry.
I know, I know. Hard to believe. I, too, had to go through the five stages of grief upon learning this.
Crocodilians do not come from dinosaurs, although they are related, i.e. their earliest common ancestor was neither a dinosaur nor a crocodilian. On the other hand, the earliest common ancestor of birds was a dinosaur.
Also, mammals existed at least 125Mya:
The oldest known marsupial is Sinodelphys, found in 125M-year old early Cretaceous shale in China's northeastern Liaoning Province. The fossil is nearly complete and includes tufts of fur and imprints of soft tissues.
So now you admit this was a regulation.
But it appears you have changed the question, and therefore my answer isn't appropriate anymore. What is it you want this time?