IPv6 doesn't come with the base image for a lot of Cisco gear.
That's the biggest complaint I've had recently with Cisco for IPv6 rollouts. They refuse to put IPv6 into their base image, on the assumption that if your networking needs include more advanced protocols, then you are a carrier and should be paying for IPservices or IPkitchensink images. It's one of the biggest roadblocks on IPv6 rollout in the world. They've been shamed at technical conferences, their customers are abandoning them in droves for shit like this, and they have their heads so far up their asses they can't even respond.
I doubt a tiny post 6 levels deep on a techie website will make any difference, but since I haven't even talked to a Cisco rep in over a year, it's the only channel I have to give them feedback. Juniper and Foundry now have IPv6 as a basic service on all their recent hardware, and since IPv6 is just a command away from activation, all the ISPs who are moving away from Cisco are discovering how much more painless networking becomes with non-Cisco kit.
Current allocation rate of IPv4 addresses worldwide is the equivalent of one /8 every 4.5 weeks, and accelerating. Last year the rate was one /8 every 5.5 to 6 weeks. Calculations of May 2010 are assuming that the rate doesn't accelerate any more.
When I said ALL big blocks being reclaimed into the available pool, that included all the remaining /8 allocations, including HP's 2x /8, MIT's /8, and all the others. Even with reclaiming all those /8s, it will extend the pool by 23 months at most.
The block allocated for Amateur radio operations was reclaimed a couple years ago, as well as the ones for Interop and other early networking groups. Those allocations are either already gone or back in the free pool.
HP has already announced plans to rent their addresses to customers who buy their big servers with a maintenance/service plan, and put the servers in partner data centres. So, in a few years, all those companies who want to get on the internet and can't wait a year or more for their allocation request to be fulfilled, they can throw a lot of money at HP and be up and running much faster. At least, that's what HP is counting on. If you think HP is going to willingly return any of their allocations when they can make US$10/month per IP address, you must be smoking some strong belly lint.
FT/Orange is state owned? Since when? The government cut those losers loose around 1995. Sure, they're the incumbent, but despite that overwhelming advantage, they don't even have 50% of the broadband market, and it's only the incompetence of their competitors' customer support that has graced them with such a large market share.
The two biggest competitors are Neuf and Free, with a half dozen smaller competitors fighting over 4th place.
Free.fr rolled out IPv6 last week to all their customers nationwide [pdf warning] if you can read French. Neuf is preparing their rollout, they've been flappi^Wannouncing their v6 network more often since a few weeks ago. Orange has had a few test areas for their IPv6 offering, but they don't talk about it.
In Germany, T-online has rolled out IPv6 widely internally, but haven't announced yet when end users will have connectivity. Probably when one of their competitors does it first, they aren't known for their technical leadership.
There are at least 200 IPv6 networks announced in Europe from a quick check of some looking glasses.
Has anyone here on /. actually upgraded a network to be IPv6 compliant, and what can you tell us about real world experience?
I've done it. And now that I have a couple of posts in this thread banging the drum FOR IPv6 and correcting serious misconceptions, I'll use this thread to trash IPv6 :-)
On most networking equipment, turning on IPv6 is no more complex than a global "ipv6 routing" and setting the address on interfaces just like you do for IPv4. I'll use a pseudo-cisco example:
  interface Gig0/0
    ip address 223.123.40.1 255.255.224.0
    ipv6 address 2001:1a1:98b5:1::1/64
After that, most modern OSes on that segment will recognize the router announcements, autoconfigure, and start using IPv6. That's the easy part.
All routers and switches introduced to the market in the last two or so years seem to support v6 traffic, in VLSI hardware for the higher end kit. In fact, I haven't seen one new product announcement in at least two years that didn't have wire speed IPv6, no more passing unknown packets to CPU. But new kit is only put in slowly, and old kit has a useful lifespan of around a decade. Try passing IPv6 traffic on an older layer2 switch over a dedicated vlan, and many older switches can't deal with production traffic levels.
Once you start climbing the protocol stack you run into more problems.
With the sole exception of OpenBSD's pf firewall, there isn't a firewall out there that does IPv6 fully. Many firewall manufacturers will announce IPv6 support, but all that means is they have a rule for detecting IPv6 packets and either dropping them or passing them. They can't filter on address ranges or higher level protocols. One big manufacturer of firewalls now claims they support IPv6 because although their equipment doesn't yet support it, their tech support will take feature requests. Network security software (types like nmap) has little to no support, mostly because the authors have no real world examples to code around.
Services vary in their v6 support. Bind is fantastic. Apache kind of supports it, but many modules in Apache2 choke when it's turned on. The web programming languages are all a mess in their support; perl, PHP, java, python and the rest are a complete gamble, and even when support is mostly there, bugs crop up all over the place. The databases used behind many websites, such as MySQL and Postgres have spotty support, and if you don't go back and clean up your database code, they'll return all kinds of shit if the webserver starts passing in IPv6 addresses where someone hardcoded 4 bytes. Some of the freeware/GPLed/opensource projects like ircd and jabberd seem to have full support, and there are very few service daemons that don't at least acknowledge IPv6 existence.
Up at the application level, all modern browsers will use IPv6 correctly. Many apps written for Apple OSX make use of IPv6 if it's present, the only exception I know of is skype. All my networks, and most of my clients' networks are dual stacked, so I never even notice that all my SSH sessions are over IPv6, as are all my web connections to nagios or cacti machines, our instant messenger traffic and most everything else. At least at the user application level, there have been years of preparation and it shows. On Vista, what little playing around I've done shows almost no application level support except IE7 which works as well as IE7 possibly can.
Small networking appliance support is almost non-existent. Except for Apple's wireless networking box, there isn't a DSL or cable modem on sale in the west that has support. In China, Korea, Japan and a few other South-East Asian countries, most CPE boxes have IPv6 support, because most ISPs are forced to use it as they can't get enough IPv4 addresses for their end users. Much of the IPv6 web traffic I see outside my own little European island is to sites in the far east, where support is widespread.
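The post's point about database and web code that "hardcoded 4 bytes" is easy to reproduce. The following is an added illustration, not code from the post: a naive IPv4-only packing routine beside an address-family-aware replacement that stores both families in a fixed 16-byte form, plus the kind of prefix-based ACL check the post says v6-capable firewalls of the time could not do. The allowed-prefix list is constructed; it reuses the post's interface addresses only as sample input.

```python
"""Dual-stack address handling: the 4-byte assumption vs. a family-aware version.

Added illustration (not code from the post above). The prefixes below are a
constructed ACL; the sample addresses reuse the post's interface addresses plus
a documentation-range IPv6 address.
"""
import ipaddress
import socket

# Constructed "ACL": prefixes a firewall or web app might want to match on.
ALLOWED_PREFIXES = [
    ipaddress.ip_network("223.123.32.0/19"),      # the /19 the post's v4 interface sits in
    ipaddress.ip_network("2001:1a1:98b5::/48"),   # covers the post's v6 /64
]


def naive_pack(addr: str) -> bytes:
    """The kind of code the post warns about: assumes every address is IPv4.

    inet_aton only understands dotted-quad IPv4, so an IPv6 client address
    raises OSError here (with a BINARY(4) database column it would instead be
    truncated or rejected once the web server starts passing v6 addresses in).
    """
    return socket.inet_aton(addr)


def pack_any(addr: str) -> bytes:
    """Family-aware replacement: always return 16 bytes.

    IPv4 addresses are stored as IPv4-mapped IPv6 (::ffff:a.b.c.d) so a single
    fixed-width column holds both families and byte-order comparisons still work.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip.packed  # 16 bytes for both families


def unpack_any(blob: bytes) -> str:
    """Reverse of pack_any: map ::ffff:a.b.c.d back to plain IPv4 text."""
    if len(blob) != 16:
        raise ValueError("expected 16-byte packed address")
    ip = ipaddress.IPv6Address(blob)
    mapped = ip.ipv4_mapped
    return str(mapped) if mapped is not None else str(ip)


def is_allowed(addr: str) -> bool:
    """ACL check that works for both families: an address only matches a
    prefix of its own family, so a v6 client can never slip through a v4 rule."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in ALLOWED_PREFIXES)


def naive_packs_ok(addr: str) -> bool:
    """True when the 4-byte code path accepts the address, False when it blows up."""
    try:
        naive_pack(addr)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for a in ("223.123.40.1", "2001:1a1:98b5:1::1", "2001:db8::1"):
        print(a, "naive ok:", naive_packs_ok(a),
              "round-trip:", unpack_any(pack_any(a)), "allowed:", is_allowed(a))
```

Running the block shows the v4 address surviving both paths, the v6 address failing the naive path but round-tripping through the 16-byte form, and the documentation-range address being rejected by the ACL. The design choice worth noting is the single 16-byte representation: one column, one comparison routine, no separate v4 and v6 code paths to keep in sync.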
plenty of unused space can be reclaimed from horribly overbooked holders
The last of the freely available /8s will be allocated from IANA/ICANN to the RIRs in May 2010. It will take approximately 9-15 months for those freely available addresses to be allocated to end users. After that point, all new allocations will come from reclaimed space.
If all the unused/unannounced/reserved /8 blocks were to be reclaimed without any difficulties, like law suits, it would extend the allocation pool by a maximum of 23 months.
The uneducated people on /. really need to look at the numbers. There aren't decades' worth of IPv4 out there, there are 2 to 3 years at which point there will be longer and longer delays to get on the old IPv4 internet.
All the RIRs changed their IPv6 policies recently, and its growth has really taken off.
Every major OS has IPv6 installed and enabled. Vista and XP, MacOS-X, all the BSDs, all the major Linux distros, Solaris. Older OSes like XP-SP1 or Win2k can get IPv6 installed or enabled with little trouble. It's a package install on Linux if it isn't there already.
Every major networking equipment supplier has IPv6 support on their product lines, although some still charge for turning it on. All the high-end Cisco routers and switches support it natively, but charge extra for the IOS image that can use it. Foundry's current product line supports it everywhere. Juniper has pretty much always had IPv6. Working down the list of less popular suppliers shows most of them have some level of IPv6 support. Sure, most of the older networking equipment can't deal with v6 traffic, and the useful life for old kit is long enough that it's still probably 70% of the installed base.
Most internet enabled mobile phones have IPv6 built in, but it tends to be invisible to the user because the phone companies are only using it for local communications, if at all. All the Nokias support IPv6 in their network stack, but I haven't seen one system that takes advantage, yet. iPhones and iPod Touches have v6 enabled by default, and if they connect to a WiFi system that has v6 router announcements, they'll autoconfigure and Safari will use it transparently.
Where IPv6 support falls down is in super-cheap consumer networking products. All those little $40 DSL modem+firewall+4 port switch boxes just don't support v6 at all. The only good news is from when I was in discussions with the Chinese company behind many of these boxes. The versions released in China are all IPv6, it's only the versions sold outside China where they just don't include it because there is no market demand.
The only real problem right now is with ISPs. Until the engineering staff inside ISPs and hosting companies take the responsibility to start turning it on, sales and marketing will remain blissfully unaware that it can be sold.
One of the largest ISPs in Europe turned on IPv6 to all 8 million users this week. They've done the right thing and made it opt-in for now, their customers have to go to their control panel web page and turn it on, but almost 50,000 people did in the first 24 hours. They turned it on, and their Macs and Win machines started using IPv6 with no need to do anything other than tell Firefox and Tbird to start using IPv6 for DNS lookups. Because this one major ISP did this, their main competitor has been forced to make plans to enable IPv6 in January. After that, any ISP that doesn't have IPv6 turned on will be branded as "obsolete" or "incompetent".
Beacon also uses Adobe Flash "stored data" space to write cookie style information, that can be read and written to by any site with a flash bug.
This was the buzz all this week at a conference on how to make money from internet tracking. Adobe controls the settings on how much information can be written to your local hard drive, and they sell the ability to anyone willing to pay. There is a global setting that users can turn to "off", but Adobe ignores it if they are given enough money. Since Flash tends to be installed system-wide and on all browsers on a machine, it doesn't matter if you clear out browser cookies or try blocking tracking sites. If a partner site sticks a 1x1 pixel flash bug on their site, it has the ability to read tracking info from any other site, and to write back additional information.
Beacon is clever because it creates a large enough "cookie" that many sites can write into the cookie without changing the size taken on disk. Beacon also defines exactly how to parse the information, and how to write new info without changing the total cookie size.
Of course, I was just watching a canned demo of this, so the company claiming to be behind Beacon could be making it all up, but the sales pitch was pretty convincing. I haven't the time or inclination to verify this, as I don't ever look at face book, and generally don't allow flash on my machines (which leaves the web looking very poorly these days).
I hung around my local used book shop so much I ended up friends with them. I fix their computer from time to time, they let me take home as many books as I can read. When I'm done, I put them back on the shelves. It's as if my personal library has 65,000 books, and it doesn't take up any space in my house.
Just hanging around a used book shop and chatting with the clientele is a great way to learn what other people like or hear about good things to read.
Did that ever work? It worked in a film - Wargames, but what about in real life?
Yeah, it worked. I hated when War Games came out, because it spoiled a little known trick. A trick I, um, read about in a technical journal or somewhere.
Pay phones on the old Ma Bell network (at least up through the 4ESS switch series installed to the end of the '70s) used a signaling method known as ground start to signal when coins had passed the counter. Being as the phones were mostly armored, as well as the first few feet of wiring, there were two methods for faking a ground start signal, either find a place where you could get to ring&tip on the wires (which might not have a ground readily available), or by poking a needle into the mouthpiece and shorting it to the chassis of the phone. A sharpened paper clip was the favored innocuous tool of phreaks in the '70s.
this will destroy Channel 4... Channel 4 is totally unrelated to the BBC, not in any way subsidized by the 'license fee'
This is where you are wrong. The whole of the terrestrial broadcast system is financed by the license fee. All of those towers, the microwave links, the property easements and rights-of-way negotiations are entirely financed by the public. Channel 4, ITV and all the other 'non-beeb' stations use that network for very, very, cheap. A long time ago it was realised that some infrastructure that provided a service to as many of the public as possible would be prohibitively expensive for any private company. So, in what turned out to be a good move for the public, the government created a radio and later TV broadcast network that covered most of the country. It didn't finance it from the tax base, it taxed only those who could make use of it, and those were the ones who owned either a radio or TV.
C4 and ITV would never build out a terrestrial network to cover all those rural areas, they would just put up a transmitter in the middle of every large metropolitan area and call it quits if they could get to the easiest 40% of the population. Getting from 40% to 97% is costly, and requires a government working for the people and not for corporations.
It's fairly obvious that the commission chairman (CEO of a music retailer) put in whatever was good for him
Oh, YES! This commission was clearly an action by retailers like FNAC, and a few ISPs to get the law changed in their favor. Business as usual in France (and many other countries, but it's more blatantly obvious to the public in France).
The main ISPs in France are pushing hard on this, because it will be cheaper than upgrading their networks to cope with P2P and other new protocols that change traffic patterns. Currently, it is very difficult for an ISP to disconnect a client for just using a little too much traffic, there has to be a clear violation of the ToS. ISPs ToS statements are public, and carefully scrutinized by consumer protection groups like Que Choisir, so the terms are not too onerous.
When (not if, it's already been paid for) this accord becomes a poorly worded law, ISPs will be able to disconnect any user who uses too much traffic, without any need to prove anything like "copyright violation". Users running a perfectly legal Linux ISO torrent server, or streaming video 24/24 from their home can be disconnected with impunity. There is much rejoicing within the 3 largest ISPs in France, who already have lists of users to be dropped.
The best part of this commission is it appears to be a death knell for DRM on French content. The rights holders don't get any "disconnect this user" powers until they free their entire catalogs from DRM. It also means that non-French rights holders can't pursue actions in France unless their entire digital catalog is available to the French public in a non-encumbered format. Of course, the law will be written so poorly that many different interpretations will be possible, but the anti-DRM parts are quite strongly worded.
Then you need a crash course in the state of the art in DWDM technology.
Start here {PDF warning!}. You can skip the first part and start at page 23, the first part was covered on slashdot before. [Peter, you win the bandwidth DSW for now, I'll reclaim my crown soon]
There is an accompanying video {quicktime warning!}. The 4th year university physics course material starts at about 12 minutes in. This is basically a good summary reduced to MTV-generation attention span length.
I wrote a much longer post further down the list, and took care to not mention the v6 word anywhere in it. Sure, IPv6 will help, and adoption is inevitable, but IPv4 is not going away just because the free pool will be used up in two years. What is going to happen from 2011 onwards is longer and longer delays from asking for more IPv4 address space, and finally getting it.
Can your internet business wait for 2 to 3 years before getting more legit IPv4 space? Of course, IPv6 allocations will happen almost instantaneously, a properly justified request takes about a week to fulfill.
The subject worrying the IGF, and discussed to death at every Network Operator Group and RIR meeting in the last year, is the anarchy that will occur if the IANA/ICANN can't master allocations and provide a secure way of authenticating the reverse DNS structure. Once companies get desperate for IPv4 space and don't want to wait a year or two, they'll start hijacking prefixes. As soon as that happens, de-aggregation and routing table pollution will occur on a massive scale.
Which of the dozen ISPs announcing slashdot's netblock is the correct one? Will your ISP know which AS is the correct one to put in their forwarding tables, and will every carrier between you and slashdot make the same good choice? If not, you can't get to slashdot no matter how hard you try.
The solution is called DNSSEC, and will be integral to cryptographically certifying the routing tables (both v4 and v6) so that network hijacking doesn't propagate far. The down side to having a cryptographic hierarchy of certificates is that someone, somewhere, must hold the root certificate. Without one central controlling authority, each region could have its own certificate authority, and claim ownership of other regions' networks.
The smooth transfer of internet traffic all around the world only works now because of a trust system. There are few, rather feeble, technical systems in place to prevent routing table pollution, such as bogon lists. When, or if, DNSSEC is widely adopted, it will have to be out of the hands of groups shown to be hostile or incompetent. This means no US government, no UN, ITU or WTO or ICANN. None of them will be trusted, and the only solution at this point is to find a trustworthy alternative.
it would help if the US government would just stay the fuck out of ICANN decisions. .xxx was rejected on technical grounds
ICANN rejected .xxx officially on three different occasions claiming technical problems. The third application was as clean and technically correct as all the other TLD applications at the time, all of which were accepted. ICANN rejected .xxx because of direct pressure by the US government, which itself regularly yields to a very tiny but vocal minority of religious fanatics. ICANN has candidly admitted on many occasions that it will in all situations act on behalf of American interests, no matter what the damage to the internet.
What worries most countries is what will happen if the ICANN turns over control of address re-allocation to a private, for profit, company. Expect a situation like with NetSol/Verisign, where everyone has to pay yearly rental fees which will be exorbitant, and there will be no competition allowed by the US government. That's what the IGF, and everyone else working on the internet today is worried about. If a private US company starts charging billions of dollars per year in rent, the internet will fracture into several non-communicative pieces, but at least IPv6 will minimize address space collisions so all the non-US controlled parts will continue to interoperate.
I have been talking quite a bit with an economist who was in Rio all this week at the IGF. His take is more of watching what the economic situation will be when artificial, monopoly based, scarcity is introduced into the system. I can't wait to hear his take on the Brazilian brawl this week.
Specifically, what happens to IPv4 address allocation when there are no longer any freely available netblocks. (Pay special attention to pages 27 & 29, and watch the accompanying video). New allocations will come from returned address pools, so a queuing system will have to be implemented at the RIR level. Starting up a new ISP, or expanding your customer base and needing more address space after 2010, your request will go into a FIFO queue.
Now, economists see two distinct futures for a market based on scarcity. One is where cooperation and fairness ensure that everyone gets along, which is the current internet model, and the other is known as the "University of Chicago School of Free Market Uber Alles^W^W^W^WEconomics" government enforced monopoly, where a few select companies are allowed to charge whatever the market will bear with no real competition or alternatives. Maybe a US government sanctioned company called IPbay will become the sole broker to trade netblocks.
In the first scenario, the internet continues to function as it does now, companies needing new addresses will have longer and longer waits and will have to adjust their business plans accordingly. Into a system like this, where address space could be traded, stolen, pirated or worse, RIRs have no real powers to stop it falling into total anarchy. Except, the IETB, IANA, the RIRs, have a new tool in their arsenal to combat anarchy, called DNSSEC.
In the second scenario, one, or a very few, private companies based in the US, of course, take over the entire market for buying and selling IPv4 address space. Want to keep that nice /16 you are using? It will cost you $BIGNUM/month in rental fees, or we give it to someone else. Those controlling companies will also use DNSSEC to control who has the right to announce a prefix.
For router engineers, those who work with BGP and AS numbers on a regular basis, things have been pretty quiet until now. A few bogon filters, and you just generally believe whatever gets fed to you. The internet is mostly "best effort" and if some traffic doesn't reach its goal, there isn't much that can be done beyond some simple tuning. There is some routing data in the routing registries, but it's rarely up to date and the accuracy depends on whatever random person did the update.
But in a few years, when companies start to get desperate for IPv4 address space NOW!, and can't wait for a proper allocation, they'll steal or buy a prefix. Companies with a large allocation not completely used will renumber internally, and sell the right to announce half their prefix to the highest bidder. Or companies will just find part of an unused block and announce it. Total anarchy! The most conservative estimates for 2012 with rampant de-aggregation and without DNSSEC are that the routing table will exceed 2,000,000 prefixes. Not much routing equipment out there today will be able to cope with that.
With DNSSEC, there will be cryptographically signed certificates [pdf warning] for every allocation from an RIR [quicktime warning]. When you build your routing table in BGP, you will verify every prefix for origin and valid neighbors based on certificates stored in the RIR whois/routing registry. This will prevent the anarchy part of stealing a prefix and announcing it in the wrong AS. This wil
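The prefix-origin check described in this post and the earlier one on routing table pollution (a registry of signed allocation records, consulted when a BGP announcement arrives) can be written down in a few dozen lines. What follows is an added example, not code from the posts or from any RIR: the registry is a constructed in-memory table of (prefix, max_length, origin_as) authorisations, and an HMAC over the fields stands in for the certificate signature the post describes. The AS numbers and prefixes are constructed, drawn from documentation ranges. The check distinguishes three outcomes: a covered prefix with the right origin AS, a covered prefix with the wrong AS or announced more specifically than the holder allowed (the de-aggregation case), and a prefix with no authentic record at all.

```python
"""Prefix-origin validation against signed registry records.

Added illustration, not from the posts above. The registry is a constructed
in-memory table; the HMAC key below is a placeholder standing in for the RIR's
certificate chain. AS numbers and prefixes are constructed documentation values.
"""
import hashlib
import hmac
import ipaddress

REGISTRY_KEY = b"constructed-registry-signing-key"   # placeholder for the RIR key


def sign_record(prefix: str, max_length: int, origin_as: int) -> dict:
    """Produce an authorisation record with a signature over its fields."""
    msg = f"{prefix}|{max_length}|{origin_as}".encode()
    return {"prefix": prefix, "max_length": max_length, "origin_as": origin_as,
            "sig": hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()}


def record_is_authentic(rec: dict) -> bool:
    """Recompute the signature and compare in constant time."""
    msg = f"{rec['prefix']}|{rec['max_length']}|{rec['origin_as']}".encode()
    expected = hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["sig"])


def validate_origin(announced_prefix: str, origin_as: int, registry: list) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one BGP announcement.

    unknown: no authentic record covers the prefix (nothing to check against).
    valid:   a covering record names this origin AS and the announcement is no
             more specific than that record's max_length.
    invalid: records cover the prefix but none matches: wrong AS (a hijack) or
             too specific (de-aggregation beyond what the holder authorised).
    """
    ann = ipaddress.ip_network(announced_prefix, strict=True)
    covering = []
    for rec in registry:
        if not record_is_authentic(rec):
            continue   # forged or tampered record: ignore it entirely
        auth = ipaddress.ip_network(rec["prefix"])
        if auth.version == ann.version and ann.subnet_of(auth):
            covering.append((rec, auth))
    if not covering:
        return "unknown"
    for rec, _auth in covering:
        if rec["origin_as"] == origin_as and ann.prefixlen <= rec["max_length"]:
            return "valid"
    return "invalid"


def filter_announcements(announcements, registry, drop_invalid=True):
    """Apply the check to a batch of (prefix, origin_as) announcements and
    return the ones a router would keep, tagged with their validation state."""
    kept = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, registry)
        if state == "invalid" and drop_invalid:
            continue
        kept.append((prefix, asn, state))
    return kept


# Constructed registry: AS64500 holds 203.0.113.0/24 and may not de-aggregate it;
# AS64501 holds 2001:db8::/32 and may announce pieces down to /48.
REGISTRY = [
    sign_record("203.0.113.0/24", 24, 64500),
    sign_record("2001:db8::/32", 48, 64501),
]
# A forged record claiming the /24 for another AS, with no valid signature.
FORGED = sign_record("203.0.113.0/24", 24, 64666)
FORGED["sig"] = "00" * 32
REGISTRY.append(FORGED)

if __name__ == "__main__":
    sample = [("203.0.113.0/24", 64500), ("203.0.113.0/24", 64666),
              ("203.0.113.0/25", 64500), ("2001:db8:1::/48", 64501),
              ("198.51.100.0/24", 64502)]
    for row in filter_announcements(sample, REGISTRY, drop_invalid=False):
        print(row)
```

Two behaviours are worth pointing out. A forged record is dropped before it can influence the result, so the hijacker's own "authorisation" does not make the bogus announcement valid. And the max_length field is what limits de-aggregation: the /25 announced by the legitimate holder is still rejected because the holder's record only authorised the /24, which is exactly the routing-table bloat the post worries about.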
Only halfway kidding on that. At a recent conference on IPv4 address exhaustion, /. got called out by name when the main speaker said that IPv6 wouldn't take off until Slashdot supported it.
I had started to write a question for the "Ask Rob" story, but ended up wandering off before hitting submit. In short, it was a question on future technologies, and whether there was any youthful geekiness left in the /. crowd.
But then, there was Rob's excellent response to similar question.
"I think the single biggest threat to Slashdot is for us to try to be something we're not."
Which is why slashdot still has legions of followers after 10 years. The moderation systems, the layout, the filtering systems are quite good for what slashdot is. The addition of RSS feeds, CSS, and the few other improvements over a decade shows that slashdot grows as necessary, too much too fast would only hurt.
That being said, there is a part of me that wonders if adding some AJAX navigation or publishing an API so people doing mashups can make a /.++, would hurt much. Certainly, IPv6 would add some tech cred without any damage. A working API like google maps or facebook have might be interesting just to see what new ideas are floating around.
Rob, do you even have time to play with new technologies like AJAX, or look at what other places are doing with their APIs and mashups? Do you get out to conferences or trade shows (I know, with a new baby, probably not much)?
I'm not really asking for slashdot2.0, the newest paradigm for a social mashup avatar-driven search engine portal, because I probably would never use (or be able to use) it.
Gmail's IMAP is broken for any messages in a non-american 7-bit character set, which is why they only enable it for people who declare their default language as EN_US.
I just tried one of my IMAP enabled accounts again, and accented characters (ISO-8859-1 and -14) either show up as a ?, are replaced by the 7 bit equivalent (é becomes i), or are missing. There is a lot of work to shoehorn real-world language support into the IMAP protocol. It's an area I've actively avoided, but could be why the rollout is only for people likely to receive only US-ASCII or CodePage=437.
Chicks? But of course. There are lots more women working in technology than basement dwelling /.ers would admit to. The Lyon, France party was mostly organized by the French Women in Free Computing group.
Since I just screwed up the links to their site, I'll post to the Linux Chix in France site here, since replying to correct my own post would be bad netiquette.
There were parties in Paris and Lyon, with reasonably good turnout. The party in Lyon profited from having some good organizers who knew each other. They had a Duke Nukem release party :-)
In Paris we attempted all the typical "geek" or "nerd" activities; drank Guinness, played wii games, ate a good meal, compared our DSLR cameras, had a DSW over who had been using computers the longest, and finally took some photos. Those are just mine, either I'll grab the other people's photos and add them, or let them post a link in a followup posting.
Which goes to show the difference in professionalism between an individual with l33t hacking skills and a corporation that does bugging/tracking as a business model.
The tracking companies hire ex-police detectives to speak "cop" when asking for an investigation to be opened with a police force. They are experienced in providing testimony before a court, filing paperwork, and saying the right thing to the right person to start a case. You, and all of slashdot, really, REALLY, want to maintain the current situation where an ISP only turns over customer records in a validated and ongoing criminal investigation, and under no other conditions. If it weren't for the necessity of a properly framed investigation, the MAFIAA would run rampant over file sharers' rights.
One company I know of in the UK specialises in contacting police forces for high-tech crimes. That's all they do, get the police to open a case for something as obvious as a stolen router or to report an employee downloading p0rn onto his laptop. Police forces know about things like stolen cars, burglaries, or murders. Anything falling outside their extremely narrow scope of daily activities might as well not exist. Any crime involving the internet or computers tends to be ignored by police forces, because they know they have no officers capable of understanding what, if anything, might have happened to break the law. Being able to speak "cop" and "tech" is apparently much more lucrative than even the highest paying hi-tech jobs.
The problems with a fake RST detector are two-fold. The RST bits are being set on TCP traffic sent in both directions on a connection, so even if you ignore RST teardowns, the other side will tear down the connection. What Sandvine boxes do is just flip the RST bits on TCP packets flowing through them, so the sequence numbers will appear correct in the connection tracking table because the TCP packet is a valid one from the other side of the connection.
If Comcast truly is using Sandvine boxes, then this could be a network controller station with the preset examples still in place. The Sandvine sales presentation shows how to load up the system with all the prefixes from AS36561, and then interfere with a tiny percentage of TCP traffic after the first few hundred packets are transferred. What this does is provide a way of denying they are completely blocking those packets, but will blow away any connection hoping to do streaming video or cruise around on a web page heavy in graphic content like a mapping function.
The business model after installing Sandvine boxes is to then extort regular payments from large content providers to allow access to their network. Comcast, SBC/ATT and a few other monopolistic ISPs would like to see both sides of a connection pay for traffic in both directions, not the current economic model where each side pays for their own access or transit.
What Sandvine boxes do is break the end-to-end model of the internet. Even a tiny percentage of broken connections will put an end to all the cool applications everyone is currently enjoying. Streaming video and audio sessions, VoIP calls, file downloads, p2p exchanges, search engines, mapping and geolocation, and heavy web content sessions like social networking sites. The only traffic that can survive this kind of interference is from applications that make repeated attempts at connection in case of unexpected interruptions, like SMTP.
P2P protocol designers are pretty agile and clever. In the face of regular faked TCP RST bits on a connection, they'll evolve the protocol to make shorter connections, and to make repeated attempts to reconnect when an unexpected RST is received. Expect tuning "knobs" in clients very soon now, on how resilient to make the connections or how many bytes to transfer before tearing down and rebuilding the connection. There could also be a way to limit the numbers of attempted connections so as to fly under the radar of systems like this. I can open any bittorrent client with a single popular file, and see over 1000 completed TCP connections within 2 to 3 minutes. Limiting the number of new connections per minute could throw a spanner in Sandvine's current design.
Thanks to Vinz, we had a reasonably good party. Drinking Guinness in an Irish pub, a few attempts at video gaming with a wii, a nice dinner in a good restaurant, then attempts to get some classy photos of Paris with the slashdot logo. Much comparing of geekiness, what techie universes we travel in, a DSW of who has used computers the longest, and generally a good time had by all.
Only 8 of the 18 who signed up managed to make it. There was a serious transport strike during the first attempt at a party, as well as competing with crowds of drunken Rugby fans for space in an Irish pub. So the Paris party was delayed one week, which cost us in participation. But I also know several /.ers who just didn't want to be photographed in the crowd of geeks.
A few of my photos I've put up on Flickr, and I'll try to get more of them processed and up later when time permits.
A quick request for everyone posting photos to sharing sites that support tags, can you add the tag "slashdot" or "slashdotparty" so we can find them later.
If Comcast is using Sandvine, then what the boxes are doing is setting the RST bit in a TCP header of an expected packet, or perhaps the RST bits in TCP packets heading in both directions. This is how they get the connection torn down. The boxes don't do much deep packet inspection, so encrypting traffic may not do much.
Sandvine's sales slime gave me quite a bit of insight into their boxes a while back. Their sales model is to approach the senior decision makers in large ISPs and Hosting Centres to promote the idea of stopping "bad", i.e. costly, traffic. They don't have a large marketing presence, they try to fly under the radar just like a band of criminals. Much of what their boxes do may violate various laws, and could re-focus the American net neutrality debate onto the real danger of breaking end-to-end communications without the appearance of blocking traffic. They put very little into print.
Their boxes appear as a bridge, and as long as the network is designed to pass IP traffic through it, they can analyze traffic based on a whole bunch of things like destination prefix and connection counts. When the box sees lots of connections from a single IP address on one of its downstream ports, there is the assumption that the machine is "infected". The boxes can also keep track of traffic counts per host so when someone reaches a pre-set limit they move into a "penalty" level of interference.
There is a dedicated management box somewhere on the network, that can push out white lists and black lists and various reactions to "infected" traffic patterns. The reaction can be anywhere from flip a TCP RST bit on 0.1% of connections, up to dropping 100% of packets from a protected host.
What Sandvine sells as a cool feature is the ability to interfere with a tiny percentage of packets heading towards a certain number of prefixes. Their sales pitch uses all the prefixes from an AS considered to be hosting bad or expensive content, they used AS36561 in their example. Their demo showed how dropping 1 TCP connection in 1000 wouldn't cause a problem for simple web page views, but if a video started playing it wouldn't get far before hanging. ISP customers wouldn't blame the ISP, because they would see web pages and low traffic content, but high bandwidth content would die and the blame would fall on the content provider. A simpler solution than investing in costly infrastructure upgrades.
Sandvine boxes can also be used to interfere with P2P traffic, by looking for large numbers of destination addresses. If torrent users can limit their client software to only a handful of external connections at a time, there may be a level below which Comcast's Sandvine boxes don't react.
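The per-host heuristics described in the posts above (fan-out of connections from one address, byte counts crossing pre-set limits into penalty levels, white lists pushed from a management box) are the same signals a NOC can use to spot a compromised or misbehaving host on its own network. The following is an added example, not code from the original posts or from Sandvine; the thresholds, the field names and the flow records are all constructed for illustration, since the page gives no real values.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy values for this example: the real boxes' thresholds are
# pushed from a management box and are not on the page.
FANOUT_THRESHOLD = 50                                # distinct peers before a host is called "infected"
PENALTY_LEVELS = [(5_000_000, 1), (20_000_000, 2)]   # (bytes sent, penalty level)


@dataclass
class HostState:
    destinations: set = field(default_factory=set)
    bytes_total: int = 0


def penalty_level(bytes_total: int) -> int:
    """Highest penalty level whose byte limit the host has reached (0 = none)."""
    level = 0
    for limit, lvl in PENALTY_LEVELS:
        if bytes_total >= limit:
            level = lvl
    return level


def analyze(flows, whitelist=frozenset()):
    """Summarise constructed flow records (src_ip, dst_ip, byte_count) per source host.

    Returns {src_ip: {"fanout": n_distinct_peers, "infected": bool, "penalty": level}}.
    Whitelisted hosts are reported but never flagged, mirroring the white lists
    pushed out from the management box."""
    state = defaultdict(HostState)
    for src, dst, nbytes in flows:
        state[src].destinations.add(dst)
        state[src].bytes_total += nbytes
    report = {}
    for src, s in state.items():
        fanout = len(s.destinations)
        if src in whitelist:
            report[src] = {"fanout": fanout, "infected": False, "penalty": 0}
        else:
            report[src] = {
                "fanout": fanout,
                "infected": fanout > FANOUT_THRESHOLD,
                "penalty": penalty_level(s.bytes_total),
            }
    return report


def sample_flows():
    """Constructed traffic: a torrent-like host with 1000 distinct peers, a host
    streaming 25 MB from a single server, and a quiet host with three small flows."""
    base = int(ipaddress.IPv4Address("198.51.100.0"))
    flows = [("10.0.0.5", str(ipaddress.IPv4Address(base + i)), 1500) for i in range(1000)]
    flows.append(("10.0.0.9", "203.0.113.10", 25_000_000))
    flows += [("10.0.0.7", f"203.0.113.{n}", 3000) for n in (20, 21, 22)]
    return flows


if __name__ == "__main__":
    for host, verdict in sorted(analyze(sample_flows()).items()):
        print(host, verdict)
```

Note that the two signals are independent: the torrent-like host trips the fan-out check with very little traffic, while the streaming host moves up the penalty levels without ever looking "infected". Whatever thresholds you choose, keep a whitelist for known high fan-out machines (DNS resolvers, monitoring hosts) or the same logic will flag your own infrastructure first.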
I was shopping for transit in the U.S. this summer, and those were the reasonable prices from companies that I also work with here in Europe. I don't know of any tier-1 who will bother with 1Mbps, most tier-2's won't either. My "standardized" quote is for 100Mbps commit on a GigEthernet port, that can handle sustained traffic of 800Mbps. This lets me compare without giving away details of my clients before contracts and NDAs can be signed.
However, I had a strange split in quotes I received. Some were in the range I expected, from about US$10 for a 100 Mbps commit (minimum bill about US$1000) up to around US$20-$25/Mbps. Then there was a huge jump up to the $500/Mbps range you speak of. Companies that were obviously not one of the tier-1 or 2 players, just resellers of tier-2 bandwidth, but who didn't seem capable of competing.
Quite a few places seemed to think they could obfuscate the quote by refusing to deal in Mbps/month, and instead would offer traffic totals of 100 Gigabytes for inbound+outbound together. There were others who offered peak+offpeak or other ways to hide the usual Mbps/month quote.
One place was offering GigE ports, but I discovered later their internet transit was just a pair of 100M copper links. They sold their traffic as a package but when you calculate out 50 Gigabytes in one month into a traffic figure, you come up with something like 1-2 Mbps, for the low price of US$500. This may be where you are getting your quotes from.
As a very general rule of thumb, the tier-1s don't want to deal with a monthly bill of less than US$10,000, the tier-2s don't want anything less than US$1,000, and the tiny resellers will try to sell you everything they can (rackspace, metered electricity, port costs, traffic) to try to keep the bill upwards of $300-$500/month.
Just for comparison, even with the US dollar in free fall this summer, US prices were well over twice what we pay in Europe for internet transit.
No photos allowed is pretty much blanket policy at every data center.
But if you ask, they generally have no problem with you taking photos of your own installation. Having a reputation and being on a first name basis with the security guards is a big plus.
What they are trying to avoid is documenting their own infrastructure or other people's kit. There are enough competitive forces out there that a few photos of new tech or a clever design could give someone an edge they wouldn't normally have.
There is also the physical security aspect of data centers, some amount of "security by obscurity" is built in to give a random level of risk to anyone hoping to do bad things. Publishing photos of exact locations of security cameras could give bad guys the extra information they think they need to pull off a heist.
Poking through my photo archives, I have shots of my installations at 1 Wilshire, several different companies at 60 Hudson, 111 8th, NOTA, plus many centres around Europe. The only places that flat out denied my requests were phone companies, where the installation was inside an incumbent's facilities. Military and aerospace installations are areas I never even bother asking.
One thing I've learned from the folly of some fool, is to never use a flash inside a data center. Tape over it with black electrical tape just to make sure. Flashes have enough infrared component to set off fire detectors, which lead to evacuation alarms, halon discharge (whatever they use these days), power cuts, and the eventual lawsuit and bannination. When you ask in advance, data center managers will tell you to tape over your flash and make sure it is off or removed.
FT/Orange is state owned? Since when? The government cut those losers loose around 1995. Sure, they're the incumbent, but despite that overwhelming advantage, they don't even have 50% of the broadband market, and it's only the incompetence of their competitors' customer support that has graced them with such a large market share.
The two biggest competitors are Neuf and Free, with a half dozen smaller competitors fighting over 4th place.
Free.fr rolled out IPv6 last week to all their customers nationwide [pdf warning] if you can read French. Neuf is preparing their rollout, they've been flappi^Wannouncing their v6 network more often over the last few weeks. Orange has had a few test areas for their IPv6 offering, but they don't talk about it.
In Germany, T-online has rolled out IPv6 widely internally, but hasn't announced yet when end users will have connectivity. Probably when one of their competitors does it first, they aren't known for their technical leadership.
There are at least 200 IPv6 networks announced in Europe from a quick check of some looking glasses.
the AC
Has anyone here on /. actually upgraded a network to be IPv6 compliant, and what can you tell us about real world experience?
:-)
I've done it. And now that I have a couple of posts in this thread banging the drum FOR IPv6 and correcting serious misconceptions, I'll use this thread to trash IPv6.
On most networking equipment, turning on IPv6 is no more complex than a global "ipv6 routing" and setting the address on interfaces just like you do for IPv4. I'll use a pseudo-cisco example:
interface Gig0/0
ip address 223.123.40.1 255.255.224.0
ipv6 address 2001:1a1:98b5:1::1/64
After that, most modern OSes on that segment will recognize the router announcements, autoconfigure, and start using IPv6. That's the easy part.
All routers and switches introduced to the market in the last two or so years seem to support v6 traffic, in VLSI hardware for the higher end kit. In fact, I haven't seen one new product announcement in at least two years that didn't have wire speed IPv6, no more passing unknown packets to CPU. But new kit is only put in slowly, and old kit has a useful lifespan of around a decade. Try passing IPv6 traffic on an older layer2 switch over a dedicated vlan, and many older switches can't deal with production traffic levels.
Once you start climbing the protocol stack you run into more problems.
With the sole exception of OpenBSD's pf firewall, there isn't a firewall out there that does IPv6 fully. Many firewall manufacturers will announce IPv6 support, but all that means is they have a rule for detecting IPv6 packets and either dropping them or passing them. They can't filter on address ranges or higher level protocols. One big manufacturer of firewalls now claims they support IPv6 because although their equipment doesn't yet support it, their tech support will take feature requests. Network security software (types like nmap) has little to no support, mostly because the authors have no real world examples to code around.
Services vary in their v6 support. Bind is fantastic. Apache kind of supports it, but many modules in Apache2 choke when it's turned on. The web programming languages are all a mess in their support; perl, PHP, java, python and the rest are a complete gamble, and even when support is mostly there, bugs crop up all over the place. The databases used behind many websites, such as MySQL and Postgres, have spotty support, and if you don't go back and clean up your database code, they'll return all kinds of shit if the webserver starts passing in IPv6 addresses where someone hardcoded 4 bytes. Some of the freeware/GPLed/opensource projects like ircd and jabberd seem to have full support, and there are very few service daemons that don't at least acknowledge IPv6's existence.
Up at the application level, all modern browsers will use IPv6 correctly. Many apps written for Apple OSX make use of IPv6 if it's present, the only exception I know of is skype. All my networks, and most of my clients' networks are dual stacked, so I never even notice that all my SSH sessions are over IPv6, as are all my web connections to nagios or cacti machines, our instant messenger traffic and most everything else. At least at the user application level, there have been years of preparation and it shows. On Vista, what little playing around I've done shows almost no application level support except IE7, which works as well as IE7 possibly can.
Small networking appliance support is almost non-existent. Except for Apple's wireless networking box, there isn't a DSL or cable modem on sale in the west that has support. In China, Korea, Japan and a few other South-East Asian countries, most CPE boxes have IPv6 support, because most ISPs are forced to use it as they can't get enough IPv4 addresses for their end users. Much of the IPv6 web traffic I see outside my own little European island is to sites in the far east, where support is widespread.
Mandatory IPSec security is a joke, many v6 n
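Two of the points in the post above can be made concrete in a few lines: the address a host autoconfigures from the router announcement on the pseudo-cisco segment, and the "someone hardcoded 4 bytes" class of bug in code that stores addresses. This is an added example, not code from the original post or from any of the projects it names. It uses the /64 from the config above; the MAC address, the sample inputs and the function names are constructed, and the mapping of IPv4 into a 16-byte field is one common fix, not the only one.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A): split the
    48-bit MAC, insert ff:fe in the middle and flip the universal/local bit
    (bit 1 of the first octet). This is what stateless autoconfiguration
    appended to the announced /64 on most hosts of this era."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host derives from a router-announced /64 plus its own MAC.
    strict=False lets the router's own interface address (…::1/64) be passed in."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def legacy_pack(text: str) -> bytes:
    """The 'hardcoded 4 bytes' version of an address column: fine until the
    webserver starts handing over IPv6 clients, then it raises on every one."""
    return ipaddress.IPv4Address(text).packed


def legacy_pack_fails(text: str) -> bool:
    """True if the 4-byte version rejects this address (used to show the failure)."""
    try:
        legacy_pack(text)
    except ValueError:          # AddressValueError is a ValueError subclass
        return True
    return False


def pack_address(text: str) -> bytes:
    """Dual-stack version: always 16 bytes. IPv4 is stored as the IPv4-mapped
    form ::ffff:a.b.c.d so one fixed-width column holds both families."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def unpack_address(raw: bytes) -> str:
    """Inverse of pack_address; mapped IPv4 comes back in dotted-quad form."""
    if len(raw) != 16:
        raise ValueError("expected 16 bytes")
    addr = ipaddress.IPv6Address(raw)
    return str(addr.ipv4_mapped or addr)


if __name__ == "__main__":
    # Constructed MAC on the /64 from the pseudo-cisco config above.
    print(slaac_address("2001:1a1:98b5:1::1/64", "00:11:22:33:44:55"))
    for client in ("192.0.2.1", "2001:db8::1"):
        print(client, "legacy fails:", legacy_pack_fails(client),
              "dual-stack roundtrip:", unpack_address(pack_address(client)))
```

When auditing an application for the database problem the post describes, search for every place an address is packed with a fixed 4-byte width (struct formats, `INT UNSIGNED` columns, `inet_aton`) and route it through a 16-byte path like `pack_address`; the IPv4-mapped form keeps old rows readable while new IPv6 clients stop breaking inserts.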
plenty of unused space can be reclaimed from horribly overbooked holders
The last of the freely available /8's will be allocated from IANA/ICANN to the RIRs in May 2010. It will take approximately 9-15 months for those freely available addresses to be allocated to end users. After that point, all new allocations will come from reclaimed space.
If all the unused/unannounced/reserved /8 blocks were to be reclaimed without any difficulties, like law suits, it would extend the allocation pool by a maximum of 23 months.
The uneducated people on /. really need to look at the numbers. There isn't decades' worth of IPv4 out there, there are 2 to 3 years, at which point there will be longer and longer delays to get on the old IPv4 internet.
All the RIRs changed their IPv6 policies recently, and its growth has really taken off.
the AC
Every major OS has IPv6 installed and enabled. Vista and XP, MacOS-X, all the BSDs, all the major Linux distros, Solaris. Older OSes like XP-SP1 or Win2k can get IPv6 installed or enabled with little trouble. It's a package install on Linux if it isn't there already.
Every major networking equipment supplier has IPv6 support on their product lines, although some still charge for turning it on. All the high-end Cisco routers and switches support it natively, but charge extra for the IOS image that can use it. Foundry's current product line supports it everywhere. Juniper has pretty much always had IPv6. Working down the list of less popular suppliers shows most of them have some level of IPv6 support. Sure, most of the older networking equipment can't deal with v6 traffic, and the useful life for old kit is long enough that it's still probably 70% of the installed base.
Most internet enabled mobile phones have IPv6 built in, but it tends to be invisible to the user because the phone companies are only using it for local communications, if at all. All the Nokias support IPv6 in their network stack, but I haven't seen one system that takes advantage, yet. iPhones and iPod Touches have v6 enabled by default, and if they connect to a WiFi system that has v6 router announcements, they'll autoconfigure and Safari will use it transparently.
Where IPv6 support falls down is in super-cheap consumer networking products. All those little $40 DSL modem+firewall+4 port switch boxes just don't support v6 at all. The only good news is from when I was in discussions with the Chinese company behind many of these boxes. The versions released in China are all IPv6, it's only the versions sold outside China where they just don't include it because there is no market demand.
The only real problem right now is with ISPs. Until the engineering staff inside ISPs and hosting companies take the responsibility to start turning it on, sales and marketing will remain blissfully unaware that it can be sold.
One of the largest ISPs in Europe turned on IPv6 for all 8 million users this week. They've done the right thing and made it opt-in for now, their customers have to go to their control panel web page and turn it on, but almost 50,000 people did in the first 24 hours. They turned it on, and their Macs and Win machines started using IPv6 with no need to do anything other than tell Firefox and Tbird to start using IPv6 for DNS lookups. Because this one major ISP did this, their main competitor has been forced to make plans to enable IPv6 in January. After that, any ISP that doesn't have IPv6 turned on will be branded as "obsolete" or "incompetent".
the AC
Beacon also uses Adobe Flash "stored data" space to write cookie style information, that can be read and written to by any site with a flash bug.
This was the buzz all this week at a conference on how to make money from internet tracking. Adobe controls the settings on how much information can be written to your local hard drive, and they sell the ability to anyone willing to pay. There is a global setting that users can turn to "off", but Adobe ignores it if they are given enough money. Since Flash tends to be installed system-wide and on all browsers on a machine, it doesn't matter if you clear out browser cookies or try blocking tracking sites. If a partner site sticks a 1x1 pixel flash bug on their site, it has the ability to read tracking info from any other site, and to write back additional information.
Beacon is clever because it creates a large enough "cookie" that many sites can write into the cookie without changing the size taken on disk. Beacon also defines exactly how to parse the information, and how to write new info without changing the total cookie size.
Of course, I was just watching a canned demo of this, so the company claiming to be behind Beacon could be making it all up, but the sales pitch was pretty convincing. I haven't the time or inclination to verify this, as I don't ever look at Facebook, and generally don't allow flash on my machines (which leaves the web looking very poorly these days).
the AC
I hung around my local used book shop so much I ended up friends with them. I fix their computer from time to time, they let me take home as many books as I can read. When I'm done, I put them back on the shelves. It's as if my personal library has 65,000 books, and it doesn't take up any space in my house.
Just hanging around a used book shop and chatting with the clientele is a great way to learn what other people like or hear about good things to read.
the AC
Did that ever work? It worked in a film - Wargames, but what about in real life?
Yeah, it worked. I hated when War Games came out, because it spoiled a little known trick. A trick I, um, read about in a technical journal or somewhere.
Pay phones on the old Ma Bell network (at least up through the 4ESS switch series installed to the end of the '70s) used a signaling method known as ground start to signal when coins had passed the counter. Being as the phones were mostly armored, as well as the first few feet of wiring, there were two methods for faking a ground start signal, either find a place where you could get to ring&tip on the wires (which might not have a ground readily available), or by poking a needle into the mouthpiece and shorting it to the chassis of the phone. A sharpened paper clip was the favored innocuous tool of phreaks in the '70s.
the AC
this will destroy Channel 4 ... Channel 4 is totally unrelated to the BBC, not in any way subsidized by the 'license fee'
This is where you are wrong. The whole of the terrestrial broadcast system is financed by the license fee. All of those towers, the microwave links, the property easements and rights-of-way negotiations are entirely financed by the public. Channel 4, ITV and all the other 'non-beeb' stations use that network for very, very, cheap. A long time ago it was realised that some infrastructure that provided a service to as many of the public as possible would be prohibitively expensive for any private company. So, in what turned out to be a good move for the public, the government created a radio and later TV broadcast network that covered most of the country. It didn't finance it from the tax base, it taxed only those who could make use of it, and those were the ones who owned either a radio or TV.
C4 and ITV would never build out a terrestrial network to cover all those rural areas, they would just put up a transmitter in the middle of every large metropolitan area and call it quits if they could get to the easiest 40% of the population. Getting from 40% to 97% is costly, and requires a government working for the people and not for corporations.
the AC
It's fairly obvious that the commission chairman (CEO of a music retailer) put in whatever was good for him
Oh, YES! This commission was clearly an action by retailers like FNAC, and a few ISPs to get the law changed in their favor. Business as usual in France (and many other countries, but it's more blatantly obvious to the public in France).
The main ISPs in France are pushing hard on this, because it will be cheaper than upgrading their networks to cope with P2P and other new protocols that change traffic patterns. Currently, it is very difficult for an ISP to disconnect a client for just using a little too much traffic, there has to be a clear violation of the ToS. ISPs ToS statements are public, and carefully scrutinized by consumer protection groups like Que Choisir, so the terms are not too onerous.
When (not if, it's already been paid for) this accord becomes a poorly worded law, ISPs will be able to disconnect any user who uses too much traffic, without any need to prove anything like "copyright violation". Users running a perfectly legal linux ISO torrent server, or streaming video 24/24 from their home, can be disconnected with impunity. There is much rejoicing within the 3 largest ISPs in France, who already have lists of users to be dropped.
The best part of this commission is it appears to be a death knell for DRM on French content. The rights holders don't get any "disconnect this user" powers until they free their entire catalogs from DRM. It also means that non-French rights holders can't pursue actions in France unless their entire digital catalog is available to the French public in a non-encumbered format. Of course, the law will be written so poorly that many different interpretations will be possible, but the anti-DRM parts are quite strongly worded.
the AC
I don't really know how they work
Then you need a crash course in the state of the art in DWDM technology.
Start here {PDF warning!}. You can skip the first part and start at page 23, the first part was covered on slashdot before. [Peter, you win the bandwidth DSW for now, I'll reclaim my crown soon]
There is an accompanying video {quicktime warning!}. The 4th year university physics course material starts at about 12 minutes in. This is basically a good summary reduced to MTV-generation attention span length.
the AC
I wrote a much longer post further down the list, and took care not to mention the v6 word anywhere in it. Sure, IPv6 will help, and adoption is inevitable, but IPv4 is not going away just because the free pool will be used up in two years. What is going to happen from 2011 onwards is longer and longer delays between asking for more IPv4 address space, and finally getting it.
.xxx was rejected on technical grounds
ICANN rejected .xxx officially on three different occasions claiming technical problems. The third application was as clean and technically correct as all the other TLD applications at the time, all of which were accepted. ICANN rejected .xxx because of direct pressure by the US government, which itself regularly yields to a very tiny but vocal minority of religious fanatics. ICANN has candidly admitted on many occasions that it will in all situations act on behalf of American interests, no matter what the damage to the internet.
Can your internet business wait for 2 to 3 years before getting more legit IPv4 space? Of course, IPv6 allocations will happen almost instantaneously; a properly justified request takes about a week to fulfill.
The subject worrying the IGF, and discussed to death at every Network Operator Group and RIR meeting in the last year, is the anarchy that will occur if the IANA/ICANN can't master allocations and provide a secure way of authenticating the reverse DNS structure. Once companies get desperate for IPv4 space and don't want to wait a year or two, they'll start hijacking prefixes. As soon as that happens, de-aggregation and routing table pollution will occur on a massive scale.
Which of the dozen ISPs announcing slashdot's netblock is the correct one? Will your ISP know which AS is the correct one to put in their forwarding tables, and will every carrier between you and slashdot make the same good choice? If not, you can't get to slashdot no matter how hard you try.
The solution is called DNSSEC, and will be integral to cryptographically certifying the routing tables (both v4 and v6) so that network hijacking doesn't propagate far. The down side to having a cryptographic hierarchy of certificates is that someone, somewhere, must hold the root certificate. Without one central controlling authority, each region could have its own certificate authority, and claim ownership of other regions' networks.
The smooth transfer of internet traffic all around the world only works now because of a trust system. There are few, rather feeble, technical systems in place to prevent routing table pollution, such as bogon lists. When, or if, DNSSEC is widely adopted, it will have to be out of the hands of groups shown to be hostile or incompetent. This means no US government, no UN, ITU or WTO or ICANN. None of them will be trusted, and the only solution at this point is to find a trustworthy alternative.
It would help if the US government would just stay the fuck out of ICANN decisions.
What worries most countries is what will happen if the ICANN turns over control of address re-allocation to a private, for profit, company. Expect a situation like with NetSol/Verisign, where everyone has to pay yearly rental fees which will be exorbitant, and there will be no competition allowed by the US government. That's what the IGF, and everyone else working on the internet today is worried about. If a private US company starts charging billions of dollars per year in rent, the internet will fracture into several non-communicative pieces, but at least IPv6 will minimize address space collisions so all the non-US controlled parts will continue to interoperate.
the AC
I have been talking quite a bit with an economist who was in Rio all this week at the IGF. His take is more of watching what the economic situation will be when artificial, monopoly based, scarcity is introduced into the system. I can't wait to hear his take on the Brazilian brawl this week.
Specifically, what happens to IPv4 address allocation when there is no longer any freely available netblocks. (Pay special attention to pages 27&29, and watch the accompanying video). New allocations will come from returned address pools, so a queuing system will have to be implemented at the RIR level. Starting up a new ISP, or expanding your customer base and need more address space after 2010, and your request will go into a FIFO queue.
Now, economists see two distinct futures for a market based on scarcity. One is where cooperation and fairness ensure that everyone gets along, which is the current internet model, and the other is known as the "University of Chicago School of Free Market Uber Alles^W^W^W^WEconomics" government enforced monopoly, where a few select companies are allowed to charge whatever the market will bear with no real competition or alternatives. Maybe a US government sanctioned company called IPbay will become the sole broker to trade netblocks.
In the first scenario, the internet continues to function as it does now, companies needing new addresses will have longer and longer waits and will have to adjust their business plans accordingly. Into a system like this, where address space could be traded, stolen, pirated or worse, RIRs have no real powers to stop it falling into total anarchy. Except, the IETF, IANA, the RIRs, have a new tool in their arsenal to combat anarchy, called DNSSEC.
In the second scenario, one, or a very few, private companies based in the US, of course, take over the entire market for buying and selling IPv4 address space. Want to keep that nice /16 you are using? It will cost you $BIGNUM/month in rental fees, or we give it to someone else. Those controlling companies will also use DNSSEC to control who has the right to announce a prefix.
For router engineers, those who work with BGP and AS numbers on a regular basis, things have been pretty quiet until now. A few bogon filters, and you just generally believe whatever gets fed to you. The internet is mostly "best effort" and if some traffic doesn't reach its goal, there isn't much that can be done beyond some simple tuning. There is some routing data in the routing registries, but it's rarely up to date and the accuracy depends on whatever random person did the update.
But in a few years, when companies start to get desperate for IPv4 address space NOW!, and can't wait for a proper allocation, they'll steal or buy a prefix. Companies with a large allocation not completely used will renumber internally, and sell the right to announce half their prefix to the highest bidder. Or companies will just find part of an unused block and announce it. Total anarchy! The most conservative estimates for 2012 with rampant de-aggregation and without DNSSEC are that the routing table will exceed 2,000,000 prefixes. Not much routing equipment out there today will be able to cope with that.
With DNSSEC, there will be cryptographically signed certificates [pdf warning] for every allocation from an RIR [quicktime warning]. When you build your routing table in BGP, you will verify every prefix for origin and valid neighbors based on certificates stored in the RIR whois/routing registry. This will prevent the anarchy part of stealing a prefix and announcing it in the wrong AS. This wil
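The check the posts above describe, verifying every received prefix for its origin against signed allocation records from the RIRs before it goes into the forwarding table, is what operators now deploy as RPKI route origin validation (RFC 6811); the posts call it DNSSEC, but the per-prefix logic is the same. The following is an added example of that logic, not code from the original posts or from any RIR or router vendor: a router-side validator that classifies announcements as valid, invalid or unknown against a small set of signed authorizations. The cryptographic signature checking is assumed to have already been done by the relying-party software that fetched the records; the prefixes, AS numbers and announcements are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    """Simplified route origin authorization, already signature-checked upstream:
    the holder of `prefix` allows `origin_as` to announce it, down to `max_length`."""
    prefix: Network
    max_length: int
    origin_as: int


def make_roa(prefix: str, max_length: int, origin_as: int) -> Roa:
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("max_length must lie between the prefix length and the family maximum")
    return Roa(net, max_length, origin_as)


def validate_origin(announced: str, origin_as: int, roas: List[Roa]) -> str:
    """RFC 6811 semantics. 'unknown': no authorization covers the prefix (the
    trust-everything situation the post describes). 'valid': a covering
    authorization names this origin AS and allows this prefix length.
    'invalid': covered, but the origin is wrong or the prefix is too specific,
    i.e. the hijack or de-aggregation case."""
    net = ipaddress.ip_network(announced)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_routes(announcements: List[Tuple[str, int]], roas: List[Roa],
                  drop_unknown: bool = False) -> List[Tuple[str, int, str]]:
    """Filter a batch of (prefix, origin AS) announcements the way a BGP import
    policy would: invalid routes are always dropped; unknown ones are kept
    unless the operator chooses the stricter drop_unknown policy."""
    kept = []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        if state == "invalid" or (state == "unknown" and drop_unknown):
            continue
        kept.append((prefix, origin, state))
    return kept


def sample_roas() -> List[Roa]:
    """Constructed authorizations: AS64496 holds a v4 /24 (no more-specifics
    allowed) and a v6 /32 that it may announce down to /48s."""
    return [make_roa("198.51.100.0/24", 24, 64496),
            make_roa("2001:db8::/32", 48, 64496)]


def sample_announcements() -> List[Tuple[str, int]]:
    """Constructed BGP feed: the legitimate /24, the same /24 from a wrong AS,
    an uncovered prefix, and a legitimate v6 /48."""
    return [("198.51.100.0/24", 64496),
            ("198.51.100.0/24", 64497),
            ("203.0.113.0/24", 64497),
            ("2001:db8:1::/48", 64496)]


if __name__ == "__main__":
    for prefix, origin in sample_announcements():
        print(prefix, origin, validate_origin(prefix, origin, sample_roas()))
    print(accept_routes(sample_announcements(), sample_roas()))
```

The `max_length` field is what stops the "announce half their prefix" trick from the post: a more specific announcement than the holder authorized is classified invalid even when the origin AS is right. Whether to drop `unknown` routes is a policy choice; while coverage is partial, dropping them would black-hole legitimate networks that simply have not published records yet.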
I hadn't looked at that in a long time. My bad.
The correct notation would be
http://[::1]/subtlety/is/not/my/strongpoint.html
the AC
the slashdot filter doesn't like IPv6 address notation in the URL field, but I know you typed it correctly and got pwn3d by the filter
Only halfway kidding on that. At a recent conference on IPv4 address exhaustion, /. got called out by name when the main speaker said that IPv6 wouldn't take off until Slashdot supported it.
/. crowd.
/.++, would hurt much. Certainly, IPv6 would add some tech cred without any damage. A working API like google maps or facebook have might be interesting just to see what new ideas are floating around.
I had started to write a question for the "Ask Rob" story, but ended up wandering off before hitting submit. In short, it was a question on future technologies, and whether there was any youthful geekiness left in the
But then, there was Rob's excellent response to similar question.
"I think the single biggest threat to Slashdot is for us to try to be something we're not."
Which is why slashdot still has legions of followers after 10 years. The moderation systems, the layout, the filtering systems are quite good for what slashdot is. The addition of RSS feeds, CSS, and the few other improvements over a decade shows that slashdot grows as necessary, too much too fast would only hurt.
That being said, there is a part of me that wonders if adding some AJAX navigation or publishing an API so people doing mashups can make a
Rob, do you even have time to play with new technologies like AJAX, or look at what other places are doing with their APIs and mashups? Do you get out to conferences or trade shows (I know, with a new baby, probably not much)?
I'm not really asking for slashdot2.0, the newest paradigm for a social mashup avatar-driven search engine portal, because I probably would never use (or be able to use) it.
the AC
Gmail's IMAP is broken for any messages in a non-American 7-bit character set, which is why they only enable it for people who declare their default language as EN_US.
I just tried one of my IMAP enabled accounts again, and accented characters (ISO-8859-1 and -14) either show up as a ?, are replaced by the 7 bit equivalent (é becomes i), or are missing. There is a lot of work to shoehorn real-world language support into the IMAP protocol. It's an area I've actively avoided, but could be why the rollout is only for people likely to receive only US-ASCII or CodePage=437.
the AC
Chicks? But of course. There are lots more women working in technology than basement dwelling /.ers would admit to. The Lyon, France party was mostly organized by the French Women in Free Computing group.
Since I just screwed up the links to their site, I'll post to the Linux Chix in France site here, since replying to correct my own post would be bad netiquette.
the AC
There were parties in Paris and Lyon, with reasonably good turnout. The party in Lyon profited from having some good organizers who knew each other. They had a Duke Nukem release party :-)
Lyon party photos from Zopeuse and more from the pterjan, and the Logiciel Libre crowd.
In Paris we attempted all the typical "geek" or "nerd" activities; drank Guinness, played wii games, ate a good meal, compared our DSLR cameras, had a DSW over who had been using computers the longest, and finally took some photos. Those are just mine, either I'll grab the other people's photos and add them, or let them post a link in a followup posting.
the AC
Which goes to show the difference in professionalism between an individual with l33t hacking skills and a corporation that does bugging/tracking as a business model.
The tracking companies hire ex-police detectives to speak "cop" when asking for an investigation to be opened with a police force. They are experienced in providing testimony before a court, filing paperwork, and saying the right thing to the right person to start a case. You, and all of slashdot, really, REALLY, want to maintain the current situation where an ISP only turns over customer records in a validated and ongoing criminal investigation, and under no other conditions. If it weren't for the necessity of a properly framed investigation, the MAFIAA would run rampant over file sharers' rights.
One company I know of in the UK specialises in contacting police forces for high-tech crimes. That's all they do, get the police to open a case for something as obvious as a stolen router or to report an employee downloading p0rn onto his laptop. Police forces know about things like stolen cars, burglaries, or murders. Anything falling outside their extremely narrow scope of daily activities might as well not exist. Any crime involving the internet or computers tends to be ignored by police forces, because they know they have no officers capable of understanding what, if anything, might have happened to break the law. Being able to speak "cop" and "tech" is apparently much more lucrative than even the highest paying hi-tech jobs.
the AC
The problems with a fake RST detector are two-fold. The RST bits are being set on TCP traffic sent in both directions on a connection, so even if you ignore RST teardowns, the other side will tear down the connection. What Sandvine boxes do is just flip the RST bits on TCP packets flowing through them, so the sequence numbers will appear correct in the connection tracking table because the TCP packet is a valid one from the other side of the connection.
If Comcast truly is using Sandvine boxes, then this could be a network controller station with the preset examples still in place. The Sandvine sales presentation shows how to load up the system with all the prefixes from AS36561, and then interfere with a tiny percentage of TCP traffic after the first few hundred packets are transferred. What this does is provide a way of denying they are completely blocking those packets, but will blow away any connection hoping to do streaming video or cruise around on a web page heavy in graphic content like a mapping function.
The business model after installing Sandvine boxes is to then extort regular payments from large content providers to allow access to their network. Comcast, SBC/ATT and a few other monopolistic ISPs would like to see both sides of a connection pay for traffic in both directions, not the current economic model where each side pays for their own access or transit.
What Sandvine boxes do is break the end-to-end model of the internet. Even a tiny percentage of broken connections will put an end to all the cool applications everyone is currently enjoying. Streaming video and audio sessions, VoIP calls, file downloads, p2p exchanges, search engines, mapping and geolocation, and heavy web content sessions like social networking sites. The only traffic that can survive this kind of interference is from applications that make repeated attempts at connection in case of unexpected interruptions, like SMTP.
P2P protocol designers are pretty agile and clever. In the face of regular faked TCP RST bits on a connection, they'll evolve the protocol to make shorter connections, and to make repeated attempts to reconnect when an unexpected RST is received. Expect tuning "knobs" in clients very soon now, on how resilient to make the connections or how many bytes to transfer before tearing down and rebuilding the connection. There could also be a way to limit the numbers of attempted connections so as to fly under the radar of systems like this. I can open any bittorrent client with a single popular file, and see over 1000 completed TCP connections within 2 to 3 minutes. Limiting the number of new connections per minute could throw a spanner in Sandvine's current design.
the AC
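The "fake RST detector" problem the post above raises, worked through as an added example (not the poster's code and not anything from Sandvine or Comcast): the bridge does not forge packets, it sets the RST bit on a small fraction of the genuine packets passing through, so sequence-number checks in a connection tracker see nothing wrong. The two heuristics below are my own choice for the illustration. A genuine endpoint RST carries no payload and no PSH, SYN or FIN flag, so an RST riding on a data segment is suspect; and a host that really reset the connection does not keep transmitting on the same 4-tuple afterwards. All packets are constructed in-memory records, and the "after the first few hundred packets" threshold from the post is scaled down to a handful so the sample stream stays small.

```python
"""Spotting RSTs that a bridge has flipped onto in-flight data packets.

Added example, not from the original posts. Models a bridge that sets the RST
bit on some of the real packets it forwards (nothing forged, so seq/ack stay
consistent), and a detector using two heuristics chosen for this demo:
  1. an endpoint-generated RST carries no data and no PSH/SYN/FIN flag;
  2. the host that supposedly sent the RST must not keep sending on the same
     (src, sport, dst, dport) afterwards.
All packets are constructed records, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: set = field(default_factory=set)   # subset of {"SYN","ACK","PSH","FIN","RST"}
    payload: int = 0                           # bytes of data carried

    def flow(self) -> Tuple[str, int, str, int]:
        """Directional 4-tuple: packets from the two ends get different keys."""
        return (self.src, self.sport, self.dst, self.dport)


def build_stream(client="10.0.0.5", server="203.0.113.9", segments=20, mss=1460) -> List[Pkt]:
    """Constructed sample: three-way handshake, then `segments` data segments
    from the server, each acknowledged by the client."""
    cseq, sseq = 1000, 5000
    pkts = [Pkt(client, server, 40000, 80, cseq, 0, {"SYN"}),
            Pkt(server, client, 80, 40000, sseq, cseq + 1, {"SYN", "ACK"}),
            Pkt(client, server, 40000, 80, cseq + 1, sseq + 1, {"ACK"})]
    cseq += 1
    sseq += 1
    for _ in range(segments):
        pkts.append(Pkt(server, client, 80, 40000, sseq, cseq, {"ACK", "PSH"}, mss))
        sseq += mss
        pkts.append(Pkt(client, server, 40000, 80, cseq, sseq, {"ACK"}))
    return pkts


def interfering_bridge(pkts: List[Pkt], every_nth: int = 5, after: int = 8) -> List[Pkt]:
    """Model of the bridge: leave the first `after` data segments alone, then
    set RST on every `every_nth` data-carrying packet. The packet is otherwise
    untouched, so its sequence numbers are exactly what the tracker expects."""
    out, n = [], 0
    for p in pkts:
        q = Pkt(p.src, p.dst, p.sport, p.dport, p.seq, p.ack, set(p.flags), p.payload)
        if q.payload:
            n += 1
            if n > after and (n - after) % every_nth == 0:
                q.flags.add("RST")
        out.append(q)
    return out


def find_suspect_rsts(pkts: List[Pkt]) -> List[Tuple[int, str]]:
    """Return (packet index, reason) for RSTs that look middlebox-modified."""
    suspects = []
    rst_seen = {}   # directional flow -> index of the last RST seen on it
    for i, p in enumerate(pkts):
        f = p.flow()
        if "RST" in p.flags:
            if p.payload or p.flags & {"PSH", "SYN", "FIN"}:
                suspects.append((i, "RST on a data/PSH segment"))
            rst_seen[f] = i
        elif f in rst_seen:
            # The same host keeps talking on a flow it supposedly reset.
            suspects.append((i, f"sender still active after RST at #{rst_seen[f]}"))
            del rst_seen[f]   # report each RST once
    return suspects


if __name__ == "__main__":
    tampered = interfering_bridge(build_stream())
    for idx, why in find_suspect_rsts(tampered):
        p = tampered[idx]
        print(f"#{idx} {p.src}:{p.sport}->{p.dst}:{p.dport} flags={sorted(p.flags)} {why}")
```

The second heuristic is the more robust one: it needs no assumption about what the bridge does to the flags, only that the real endpoint has already closed its socket, and it is what makes the "both directions" objection in the post less fatal than it looks, since whichever side's packets were modified, that side's subsequent traffic gives the game away.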
Thanks to Vinz, we had a reasonably good party. Drinking Guinness in an Irish pub, a few attempts at video gaming with a wii, a nice dinner in a good restaurant, then attempts to get some classy photos of Paris with the slashdot logo. Much comparing of geekiness, what techie universes we travel in, a DSW of who has used computers the longest, and generally a good time had by all.
/.ers who just didn't want to be photographed in the crowd of geeks.
Only 8 of the 18 who signed up managed to make it. There was a serious transport strike during the first attempt at a party, as well as competing with crowds of drunken Rugby fans for space in an Irish pub. So the Paris party was delayed one week which cost us in participation. But I also know several
A few of my photos I've put up on Flickr, and I'll try to get more of them processed and up later when time permits.
http://www.flickr.com/photos/16904799@N05/
A quick request for everyone posting photos to sharing sites that support tags, can you add the tag "slashdot" or "slashdotparty" so we can find them later.
the AC
If Comcast is using Sandvine, then what the boxes are doing is setting the RST bit in a TCP header of an expected packet, or perhaps the RST bits in TCP packets heading in both directions. This is how they get the connection torn down. The boxes don't do much deep packet inspection, so encrypting traffic may not do much.
Sandvine's sales slime gave me quite a bit of insight into their boxes a while back. Their sales model is to approach the senior decision makers in large ISPs and Hosting Centres to promote the idea of stopping "bad", i.e. costly, traffic. They don't have a large marketing presence, they try to fly under the radar just like a band of criminals. Much of what their boxes do may violate various laws, and could re-focus the American net neutrality debate onto the real danger of breaking end-to-end communications without the appearance of blocking traffic. They put very little into print.
Their boxes appear as a bridge, and as long as the network is designed to pass IP traffic through it, they can analyze traffic based on a whole bunch of things like destination prefix and connection counts. When the box sees lots of connections from a single IP address on one of its downstream ports, there is the assumption that the machine is "infected". The boxes can also keep track of traffic counts per host so when someone reaches a pre-set limit they move into a "penalty" level of interference.
There is a dedicated management box somewhere on the network, that can push out white lists and black lists and various reactions to "infected" traffic patterns. The reaction can be anywhere from flip a TCP RST bit on 0.1% of connections, up to dropping 100% of packets from a protected host.
What Sandvine sells as a cool feature is the ability to interfere with a tiny percentage of packets heading towards a certain number of prefixes. Their sales pitch uses all the prefixes from an AS considered to be hosting bad or expensive content, they used AS36561 in their example. Their demo showed how dropping 1 TCP connection in 1000 wouldn't cause a problem for simple web page views, but if a video started playing it wouldn't get far before hanging. ISP customers wouldn't blame the ISP, because they would see web pages and low traffic content, but high bandwidth content would die and the blame would fall on the content provider. A simpler solution than investing in costly infrastructure upgrades.
Sandvine boxes can also be used to interfere with P2P traffic, by looking for large numbers of destination addresses. If torrent users can limit their client software to only a handful of external connections at a time, there may be a level below which Comcast's Sandvine boxes don't react.
the AC
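The tuning knobs suggested in the two posts above (limit new connections per minute, and hold only a handful of external connections at a time), as an added example that is neither the posters' code nor any torrent client's: an admission controller with a concurrency cap and a sliding window over connection-open times, driven by a simulation of the "1000 connections in a few minutes" pattern the earlier post describes. The thresholds, hold time and peer list are assumptions for the demo; nobody outside the ISP knows where the real trigger level sits, so a client would have to make them configurable and experiment.

```python
"""Keeping a P2P client's outbound connection pattern under a threshold.

Added example, not from the original posts or from any real client. Enforces
two caps: simultaneous external connections, and new connections per minute
(sliding window over open timestamps). Thresholds below are assumptions.
"""
import time
from collections import deque
from typing import Callable


class ConnectionGovernor:
    """Admission control for outbound peer connections."""

    def __init__(self, max_concurrent: int = 8, max_new_per_minute: int = 20,
                 clock: Callable[[], float] = time.monotonic):
        self.max_concurrent = max_concurrent
        self.max_new_per_minute = max_new_per_minute
        self._clock = clock            # injectable so the simulation can use a fake clock
        self._open = set()             # peers currently connected
        self._recent = deque()         # open timestamps within the last 60 s

    def _prune(self, now: float) -> None:
        while self._recent and now - self._recent[0] >= 60:
            self._recent.popleft()

    def may_connect(self, peer: str) -> bool:
        """Record and allow a new connection to `peer`, or refuse it."""
        now = self._clock()
        self._prune(now)
        if peer in self._open:
            return False
        if len(self._open) >= self.max_concurrent:
            return False
        if len(self._recent) >= self.max_new_per_minute:
            return False
        self._open.add(peer)
        self._recent.append(now)
        return True

    def closed(self, peer: str) -> None:
        self._open.discard(peer)


def simulate(peers: int = 1000, seconds: int = 180, hold: int = 10,
             max_concurrent: int = 8, max_new_per_minute: int = 20) -> dict:
    """Drive the governor with a fake clock: `peers` constructed peers all want
    a connection at t=0 and each connection is held `hold` seconds. Returns
    what an observing middlebox would see: total opens, the busiest
    60-second window, the peak concurrency, and how many peers never got in."""
    now = [0.0]
    gov = ConnectionGovernor(max_concurrent, max_new_per_minute, clock=lambda: now[0])
    waiting = deque(f"peer{i}" for i in range(peers))
    active = {}          # peer -> time opened
    opens = []
    peak_concurrent = 0
    for t in range(seconds):
        now[0] = float(t)
        for peer, opened in list(active.items()):
            if t - opened >= hold:
                gov.closed(peer)
                del active[peer]
        while waiting and gov.may_connect(waiting[0]):   # refusals are peer-independent
            active[waiting.popleft()] = t
            opens.append(t)
        peak_concurrent = max(peak_concurrent, len(active))
    peak_minute = max(sum(1 for o in opens if s <= o < s + 60) for s in opens) if opens else 0
    return {"opened": len(opens), "peak_per_minute": peak_minute,
            "peak_concurrent": peak_concurrent, "remaining": len(waiting)}


if __name__ == "__main__":
    print(simulate())
```

The cost is visible in the simulation output: with these knobs the client reaches 60 peers in three minutes instead of a thousand, which is the trade a user makes for looking like a web browser rather than an "infected" host.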
I was shopping for transit in the U.S. this summer, and those were the reasonable prices from companies that I also work with here in Europe. I don't know of any tier-1 who will bother with 1Mbps, most tier-2's won't either. My "standardized" quote is for 100Mbps commit on a GigEthernet port, that can handle sustained traffic of 800Mbps. This lets me compare without giving away details of my clients before contracts and NDAs can be signed.
However, I had a strange split in quotes I received. Some were in the range I expected, from about US$10 for a 100 Mbps commit (minimum bill about US$1000) up to around US$20-$25/Mbps. Then there was a huge jump up to the $500/Mbps range you speak of. Companies that were obviously not one of the tier-1 or 2 players, just resellers of tier-2 bandwidth, but who didn't seem capable of competing.
Quite a few places seemed to think they could obfuscate the quote by refusing to deal in Mbps/month, and instead would offer traffic totals of 100 Gigabytes for inbound+outbound together. There were others who offered peak+offpeak or other ways to hide the usual Mbps/month quote.
One place was offering GigE ports, but I discovered later their internet transit was just a pair of 100M copper links. They sold their traffic as a package but when you calculate out 50 Gigabytes in one month into a traffic figure, you come up with something like 1-2 Mbps, for the low price of US$500. This may be where you are getting your quotes from.
As a very general rule of thumb, the tier-1s don't want to deal with a monthly bill of less than US$10,000, the tier-2s don't want anything less than US$1,000, and the tiny resellers will try to sell you everything they can (rackspace, metered electricity, port costs, traffic) to try to keep the bill upwards of $300-$500/month.
Just for comparison, even with the US dollar in free fall this summer, US prices were well over twice what we pay in Europe for internet transit.
the AC
No photos allowed is pretty much blanket policy at every data center.
But if you ask, they generally have no problem of you taking photos of your own installation. Having a reputation and being on a first name basis with the security guards is a big plus.
What they are trying to avoid is documenting their own infrastructure or other people's kit. There are enough competitive forces out there that a few photos of new tech or a clever design could give someone an edge they wouldn't normally have.
There is also the physical security aspect of data centers, some amount of "security by obscurity" is built in to give a random level of risk to anyone hoping to do bad things. Publishing photos of exact locations of security cameras could give bad guys the extra information they think they need to pull off a heist.
Poking through my photo archives, I have shots of my installations at 1 Wilshire, several different companies at 60 Hudson, 111 8th, NOTA, plus many centres around Europe. The only places that flat out denied my requests were phone companies, where the installation was inside an incumbent's facilities. Military and aerospace installations are areas I never even bother asking.
One thing I've learned from the folly of some fool, is to never use a flash inside a data center. Tape over it with black electrical tape just to make sure. Flashes have enough infrared component to set off fire detectors, which lead to evacuation alarms, halon discharge (whatever they use these days), power cuts, and the eventual lawsuit and bannination. When you ask in advance, data center managers will tell you to tape over your flash and make sure it is off or removed.
the AC