If your afternoon break is at 3:12, surely your lunch starts at 11:42, not 11:45? (It's an artifact of the IBM time keeping system, which did everything by tenths of an hour...)
None of this fake electronic imitation mail, we had real mail, delivered into actual boxes! If you wanted to use electronic mail, punch cards would fit in them, but really only for freshman projects; upperclass projects usually needed more than the hundred or so cards you could fit into a dorm mailbox, though if your department gave you a mailbox in the classroom buildings, you could usually fit one or two 2000-card boxes in them, plus a printout or two.
And no, we usually didn't have to walk uphill both ways through the snow - the main freshman dorms and the nearby Collegetown slums were on the downhill side, so most students had to walk uphill through the snow to get to class and a steep slide back down afterwards, optionally using a "borrowed" cafeteria tray as a sled.
One special case I've seen for immigrants to the US is people from former Communist countries in Europe and the Asian parts of the former Soviet Union. People often had a strong technical education, but many of them couldn't have a decent life in their own country because their own country was a mess. Before the Fall, it was a mess they couldn't leave, and afterwards it was a mess they could leave.
That doesn't mean that everybody who stays home is lazy or incompetent, it just means that the people who are lazy do stay home, even if their mom doesn't have a basement, and the incompetent people might want to emigrate but can't do it successfully. Of course, the rich trustafarians also often hit the road, but you're going to find them hanging out in the bars and coffee shops in the cool cities, and maybe they'll turn into successful art gallery owners or software designers or artists, or start interesting restaurants if they're from places where that works.
Also there's the immigrant family connection thing. Back when I was in college, there was a local restaurant owned by Greek guy (as were most restaurants in upstate New York.) Johnnie said he wasn't really a good cook, he was really a good welder, but when he moved over to the US, every Greek had an uncle or cousin who worked in a restaurant, and you didn't need much English, so that's the job you got to start with, and if you were ok at it you stayed in the business. WIth a lot of the Mexicans in California, many of them came up here with connections from somebody else in their village, whether it was restaurants or farming, and there used to be towns in the Central Valley where the second language was Spanish (English was third; the main language might be some Oaxacan or Mayan dialect), just as there are now areas where there are a lot of Hmong or Sikhs or whoever farming.
Eric Schmidt said it was an identity service. I have enough social networks available, and don't see any need for an identity service (especially one where I'm the product, not the user), so I didn't join.
When you're talking about "users" are you talking about the content producers / eyeballs - the little people whose social networks are expressed in Facebook and who've invested thousands of hours in Farmville and Mafia Wars? Or are they and their social networks "the products", and "the users" are the advertisers who sell things to those people? I can see how the advertisers might lose lots of money if Facebook content producers get bored or annoyed and go somewhere else, or do something else.
But for one of the little people, I don't see how there's a "potentially huge cost" to them if they get bored and leave. Ideally, they'd like to back up the contact information for their actual friends, and for some of their other Facebook friends, and back up their photographs, but if they've gotten bored and left that's an indication that the value they're losing is near-zero. If they get mad at an obnoxious Facebook policy and leave, there's some positive value that they're losing that's balanced by the negative that's chasing them out, but it's still their call. There's a "potentially huge cost" to Facebook if their content producers and eyeballs wander off, because they've got less product to sell to advertisers, but that's a problem for Zuck and the stockholders, not for the people who left.
The problem with your suggestion is that often the data you want to preserve was created or discovered within the service, not externally. For instance, your Facebook friends lists, and the messages you've exchanged with people on Facebook, were probably created directly in Facebook, not exported from your home computer, unlike your photographs which you probably created and then uploaded. But even then, the captions for your photographs may well have been created directly in Facebook or Flickr, while your PC or phone thinks of them only as IMG00345.jpg.
So you need some way to back up your data from services that may not have been built for it. With Gmail, you can use IMAP to copy it down to your PC - does Facebook have anything better than screen captures available?
I'd rather not have politicians telling me what to read, thank you. It's worse when they expand their targets from the originally-announced "porn" to cover lots of politically significant content, which so far has happened in just about any of the places that have implemented systems like this. And that doesn't even count the sloppy and accidental misclassifications, like one blacklist that banned "terra.es", which was a Spanish site similar to what flickr is now.
They're not breaking into your houses trying to confiscate your porn, or breaking into ISPs taking theirs away. They're just censoring it in between.
But they're being dishonest idiots about it. The reason the "hands off the Internet" people are calling this proposed "change" "censorship" is that it's rather precisely meeting the definition of censorship. She wants to block material based on its content. If BT were to move everything onto wireless and tell you not to download big files because it'd interfere with VOIP latency, that wouldn't be censorship - it's independent of whether the content is porn, pirated movies, funny cat videos, or speeches by idiot Tory politicians.
Besides, it's "First they came for the porn. Then they came for the porn. After that they came for the porn. Now they're back, trying to get the porn again."
Of course that hands-off-the-internet people are saying that changes like this are censorship. That's because they are censorship - it's specifically preventing people from accessing certain kinds of content. If British Telecom were changing the internet access to deliver everything over wireless so everything's mobile and then telling you not to transfer big files because it would interfere with VOIP latency, that wouldn't be censorship, it would just be dubious technical change. But blocking access to specific content because it's politically incorrect is pretty much the definition of censorship.
I'm sorry, but I'd prefer to see a politician who's got the honesty to say that she wants to censor content because she knows what's best for us to read than a lying loon who says that it's not censorship when she's in charge of deciding what we can read.
I'm not familiar with a 24" rack standard - 19" racks are usually in 24" cabinets. What uses 24" racks? Telephony equipment uses 23" racks (I forget how wide the cabinets are, but they're wider than 24.) I work in the telecom industry, and we've usually got 23" racks in our labs because when we need a rack there's always some unused 23" rack in the back of a warehouse or storage closet somewhere, whereas getting real 19" rack means dealing with the purchasing department and capital budget. Of course, since routers and computers are all 19" gear, that means we end up buying shelves and stacking stuff randomly on top of them:-) But in practice there's enough non-rack-mountable gear out there that we were likely to do some of that anyway.
My group finally decided to bite the bullet and order a bunch of 19" racks, so we''ll end up ripping out four or five old 23" ones and putting in a couple more cabinets of 19" (and it's not just being cheapass on budget - it also means dealing with the building engineering people to rebuild the earthquake bracing because some of them are different heights, and getting new electricity because we were already pushing our capacity, etc.)
> > It would not eliminate accidental corruption, but attacks would be out of the question. > That deals with your comments about erroneous advertisements. If you don't read my posts, don't expect me to bother with more of a reply than what I've already said.
I read it. I contradicted it, and explained why you were wrong. IPSEC and its equivalents protect you from an attacker forging the network-layer origin of a message. They don't protect you from an attacker giving you a message with bogus contents. If your router 2001:1111:: is talking BGP-over-IPSEC with router 2001:2222::, the IPSEC will protect you against router 2001:3333:: impersonating your friend 2001:2222::, as you say. But it's not going to protect you against 2001:2222:: sending you a BGP announcement that's deliberately bogus, and it's not going to protect you against 2001:3333:: sending a bogus announcement to 2001:2222::, who's dumb enough to believe everything he reads, and 2001:2222:: appending his ASN to the bogus announcement and passing it on to you. So you're still going to get that message about YouTube's address block being hosted in Pakistan, and you're going to get it across a nice secure IPSEC connection that nobody can eavesdrop on.
I also spent a lot of time reading IPv6 standards docs back in the early 90s, and again from the mid-2000s on, though I didn't actually implement any of it until recently. When you're talking about
(the routers automatically redirected packets if you moved between networks)
are you talking about special-case mobile IPv6, or are you talking about real implementations of IPv6 that a typical business web-hosting server might use, or are you talking about the hopelessly optimistic science fiction that was being written into early standards documents? If you're talking about Mobile IPv6, some of that did get developed, and maybe even deployed, though I haven't seen much of it in a while.
But if you're talking about the kinds of commercial service that JoesGarage.com can buy today from BigISP1 and BigISP2, and Joe's access line to BigISP1 gets run over by a backhoe or either his premises router or his ISP's access router fails, are you saying that packets addressed to JoesGarage.com's BigISP1/48 address will automagically get rerouted over to his access line from BigISP2? And that it'll happen without Joe buying some Provider Independent address space? And without BigISP1 building a GRE or VPN tunnel from some server to Joe's port on BigISP2, or BigISP2 having a special arrangement with BigISP1 to carry each other's subnet routes for customers that want to pay extra for it? Tell me more, because I'm not seeing that in the market.
And yes, I picked BigISP1 and BigISP2, not SmallISP3, because I realize that you can get tunnels from Hurricane Electric across both of your big slow-moving ISPs. On the other hand, the kinds of failure scenarios we worried about in the early 90s included not only backhoes and access router failures, but also backbone failures on the part of the ISPs, which were one of the main reasons people dual-homed back then. Sprint and MCI occasionally just failed and fell off the rest of the net, and they were a large fraction of the commercial part of "the net". Trusting a single ISP meant you had to worry about technical failure and Chapter 11 Fade, though you might not be as scared of those today.
Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm mainly interested in using the firewall bits and IPSEC tunnels, and maybe also the http servers for things that need security more than they need flashy content management.
Back in the 70s, when long-haul telecom cables were still made out of copper instead of fiber, there was a cable that failed due to electromagnetic effects of a solar flare. I don't remember the details well, but I think it was an L4 or L5 cable from Chicago to New York or something about like that; the department I was in at Bell Labs had a few physicists who were studying the results. (And yes, the study was prompted by EMP concerns from the military, as well as general reliability. We also had some people studying lightning effects.)
While that's not a significant risk for most parts of the telecom system, since we don't have a lot of 500-mile antennas any more, the electric power systems still use metal that's isolated from ground. So you could still get a significant voltage induced on a cable that could affect equipment at the end, unless you design to avoid it.
It's really about getting new funding for the US Military establishment and their friends in private-sector contracting businesses. It lets companies who don't make heavy iron or high-tech weaponry sell consulting and overpriced computer system designs, and lets military departments who don't have overpriced cool airplanes (or can't get their next generation of cool airplanes) get more money to hire people and buy shiny equipment from politically well-connected vendors.
That doesn't mean there aren't civil liberties issues also (and FBI and anybody who wants to become the Copyright Police expanding their surveillance technology.) But those are mostly the civilian police agencies, and the quasi-military "War on Terror" types, while "Cyber War" is the traditional military trying to scam money that's been going to civilians.
Depending on what kind of construction and design your house has, it may not be easy to run new connectivity to your rooms. But if you can do it (e.g. the guy building a new house), what you really should run is conduit. Sure, Cat6 Ethernet wire's going to be good for the next few years, but maybe you need HDMI cables instead, or fiber for your digital audio system, or TV coax, or whatever standard works 10 years from now. If you want to support wire, run whatever size conduit makes sense given your physical constraints, and if you need to run wire, run it inside the conduits. If you're lucky, you won't need them, because everything will be wireless, and if that happens you can use them for centralized vacuum systems or whatever.
(Of course, I've never done this myself:-) Back when I had a 2-story house, it had lath-and-plaster walls, and really antique phone wires, so the first floor got a few small holes in the floor to run phone wire to the basement, and the cable TV people punched through the outside wall into the living room. I'm currently in a condo, and all the data runs on wireless, most of the phones are cordless, and there are several generations of badly installed cable TV.)
Most likely the $100 is for the board itself, not counting the CPU or the memory. So by the time you add all the pieces, at late-2012 prices, you're probably looking at $300, plus disk. So it's 10x the price of a Raspberry Pi, much faster, and burns a lot more power; it's not the same market at all. But it might still be a good desktop computer or media box if it doesn't need a loud fan.
First of all, the destinations aren't individual addresses, they're blocks of addresses, so you don't necessarily know a working address in the block. And even if you do know an address of a machine in that block, you don't know if it's willing to answer pings from you. (Both of which are really annoying, when you're trying to debug by hand:-)
And as Urza9814 points out below, if it's a malicious attack, the Bad Guy can be sure to answer (e.g. the Pakistan PTT probably put up a web page saying "You're not allowed to watch YouTube in Pakistan!", even though their route advertisement went to the whole world.) On the other hand, the random misconfigured router that's advertising a route to a whole/8 probably didn't do that, even before all the traffic for that/8 melted its T1 or E1 line.
And ping/traceroute response times aren't very predictable, especially on routers which make those low priority processes, so if a router takes an extra 10ms to answer because its CPU is busy with more important work, that doesn't mean it's 1000 miles farther away.
And routing isn't symmetric, it's often asymmetric, especially if you're messing around with testing routes to see if they're valid - if Router Z's best route to you goes through Router B, and you sent your test ping out Router C, you're still going to get the answer on Router B if you get it at all.
BGP has lots of metrics - raw speed isn't the only one, and often it's not the best one. Maybe your T1 line is the shortest-ping-time route to YouTube, but you want to use your 100 Mbps Ethernet for YouTube traffic anyway because the T1 doesn't have enough capacity, or maybe you want to use the cheap DSL line for web browsing traffic and save the T1 for database queries. Using raw speed as a routing metric is highly likely to lead to route instability and congestion collapse, as well as routers spending all their time calculating route changes (and thus being slower to respond to pings), chaos, anarchy, dogs and cats living together...
There are boxes out there which actually do track packet response times and reliability and use that to do routing, most commonly in hosting environments, and some people really like them. But they're a game for multi-homed end-users, not Internet backbones.
You're misunderstanding how this works. It's not using DNS for routing. It's using the Reverse DNS tree to hang ASN ownership records onto IP address blocks, so you've got a mechanism for validating announcements about ASNs owning those blocks, and that ownership is already hierarchical, which is why there's a concept of "legitimate" here at all. The Reverse DNS tree has records about names such as 2.0.192.in-addr.arpa, which are about IP addresses 192.0.2.*, and is maintained (or not:-) by the people who actually own that address space. And ISPs do need to bite the bullet and administer their rDNS and DNSSEC already.
The problem we're trying to solve is that a "distributed trust network" makes it too easy to trust any random advertisement that comes down the wire, which breaks things if that advertisement is bogus. For instance, if some router says they've got a route to 192.0.2.0/24, you're going to look at it, see if it's better or worse than the route you've been using, and pass it along. But if they're lying, and they've got a better metric than your alternative routes, and you trust them, suddenly all your traffic for example.com is going into their black-hole or go to their man-in-the-middle server or whatever. This gives you a way to check whether their advertisement is plausible, and reject it if it's not. Every couple of years this happens with a big chunk of IP address space and some big ISP loses connectivity to South America or MAE-East or whatever, but it's probably happening on a small scale all the time.
This doesn't affect what governments and their henchpersons can do to the net. While we'd all like to believe that IP/IPv6 address space comes from the Internet Gods, in fact IANA, ARIN, RIPE, etc. are subject to interference by governments, though IP addresses and the corresponding rDNS names like 2.0.192.in-addr.arpa aren't very interesting to the Trademark Mafiaas and usually get left alone. But if they do decide to have a trademark lawsuit about who owns 31.3.3.7, or IPv6 2001:face:booc::/48, it's going to affect the IP address block, not just the DNS names 7.3.3.31.in-addr.arpa or c.0.0.b.e.c.a.f.ip6.arpa.
Harrumph. SLAAC wasn't a poor reimplementation of DHCP, kid. DHCP was that new stuff defined in 1993, though it was based on BOOTP and RARP (from 1984-1985, which let a workstation look up the IP address that was manually assigned to its MAC address.) SLAAC was based on the autoconfiguration capabilities in IPX and XNS, which were also around in the early 80s. If your office equipment didn't need to talk to anybody else, you could just plug everything in and it would Just Work. If you needed to talk between multiple subnets, either because you had multiple offices or distance limitations, you'd announce the subnet blocks, and everything would still Just Work. Compared to typing MAC addresses into RARP/BOOTP server tables, which is what we had to do for diskless workstations, or even compared to typing IP addresses into individual client PCs or diskful workstations, Autoconfiguration was really cool!
And NAT wasn't around until the mid-90s either, and took a while before it only broke lots of things instead of everything, and people stopped doing lots of the cool things that it broke.
That's not to say that SLAAC doesn't have its problems, such as protecting against bogus router advertisements, but bogus DHCP servers are also theoretically a threat.
First of all, IPSEC or its IPv6 equivalents don't help you here. The main problem is some router advertising "I've got a great route to ASN12345" or "My ASN 67890 owns 12.0.0.0/8" when that's not true, and some other router it's connected to believing those bogus advertisements and passing them along. If BGP were wrapped in IPSEC, that would mean that nobody could eavesdrop on the bogus advertisements, but the problem isn't protecting the transport layer for the bogus advertisements, it's verifying the advertisements themselves. IPSEC might be able to protect you against forged BGP messages on trusted connections, but that's a much less important attack. IPv6 itself does eliminate the "classful route autosummarization" version of fat-fingering that lets your antique Cisco router decide that since it sees two/24 subnets from a Class A/8 block, it should be efficient and advertise the Class A block to its upstream, which has resulted in things like MAE-East's traffic all pointing at one little incompetent ISP's T1 line or a small ISP in South America grabbing any connections from the rest of South America to AT&T (which is why most ISPs that do have a/8 block will also advertise a pair of/9s.)
The "everybody's going to happily use hierarchical addressing" concept never played out, because it didn't address business reality or other end user needs. Businesses need their incoming connections to be dual-homed for reliability, and even if they don't have their own Provider-Independent address space, they still need to advertise their PA space from ISP A on their ISP B connection and vice-versa, so the route tables are going to be almost as large from subnet advertisements even without PI space. Reliability was critical even before the whole world moved onto the Internet, and even though ISPs have become much more reliable than they were in 1995, IPv6 support was pretty much experimental and spotty until, well, yesterday or maybe tomorrow, so you still can't be sure that your connection to ISP A will reach everybody in the world when your connection to ISP B is down. Businesses had three main reasons for wanting to own their own IPv4 address space - dual-homing for reliability, convenience when switching ISPs for business/pricing/etc. reasons, and being sure they could get enough address space if they switched ISPs. IPv6 doesn't help the dual-homing issue, though it does fix the getting-enough-space problems, and makes renumbering easier (though RFC1918, NAT, and DNS have eliminated 99% of that problem.) Switching ISPs happens on a timescale of months or at least weeks, so you can deal with the time it takes for DNS caches to expire and browser sessions to close, and IPv6 lets you use multiple IP addresses on the same interface, so maybe a coordinated early effort by the big ISPs, ICANN, IANA, and IETF could have helped the politics, but the ISPs and ICANN were dragging their heels for decades, Jon Postel was dead, and Cisco was way late in supporting IPv6. So that didn't happen.
Eventually some people realized that dual-homing really really was important, and that no amount if "But IPv6 was meant to be used hierarchically" would get people to give up their PI space or route advertisements, and tried to do something about it, giving us the appallingly ugly breakage called shim6, and don't hold your breath waiting for every piece of software in the world to adopt it before anybody can give up dual-homing. Meanwhile, the equipment that's been most stubborn about renumbering is IPSEC tunnel servers and clients, which tend to have hard-coded addresses instead of using DNS or other servers to find out who to talk to - I'm not convinced that IPv6 gear of the same vintage wouldn't have had the same problems.
IPv6 didn't eliminate manual router configuration, though it theoretically lets you move some functions from routers onto other servers. Autoconfiguration meant that you didn't have to assign IP addresses
Slashdot Mirror
They get really pissed off if people use the m-word.
If your afternoon break is at 3:12, surely your lunch starts at 11:42, not 11:45? (It's an artifact of the IBM time keeping system, which did everything by tenths of an hour...)
None of this fake electronic imitation mail, we had real mail, delivered into actual boxes! If you wanted to use electronic mail, punch cards would fit in them, but really only for freshman projects; upperclass projects usually needed more than the hundred or so cards you could fit into a dorm mailbox, though if your department gave you a mailbox in the classroom buildings, you could usually fit one or two 2000-card boxes in them, plus a printout or two.
And no, we usually didn't have to walk uphill both ways through the snow - the main freshman dorms and the nearby Collegetown slums were on the downhill side, so most students had to walk uphill through the snow to get to class and a steep slide back down afterwards, optionally using a "borrowed" cafeteria tray as a sled.
One special case I've seen for immigrants to the US is people from former Communist countries in Europe and the Asian parts of the former Soviet Union. People often had a strong technical education, but many of them couldn't have a decent life in their own country because their own country was a mess. Before the Fall, it was a mess they couldn't leave, and afterwards it was a mess they could leave.
That doesn't mean that everybody who stays home is lazy or incompetent, it just means that the people who are lazy do stay home, even if their mom doesn't have a basement, and the incompetent people might want to emigrate but can't do it successfully. Of course, the rich trustafarians also often hit the road, but you're going to find them hanging out in the bars and coffee shops in the cool cities, and maybe they'll turn into successful art gallery owners or software designers or artists, or start interesting restaurants if they're from places where that works.
Also there's the immigrant family connection thing. Back when I was in college, there was a local restaurant owned by Greek guy (as were most restaurants in upstate New York.) Johnnie said he wasn't really a good cook, he was really a good welder, but when he moved over to the US, every Greek had an uncle or cousin who worked in a restaurant, and you didn't need much English, so that's the job you got to start with, and if you were ok at it you stayed in the business. WIth a lot of the Mexicans in California, many of them came up here with connections from somebody else in their village, whether it was restaurants or farming, and there used to be towns in the Central Valley where the second language was Spanish (English was third; the main language might be some Oaxacan or Mayan dialect), just as there are now areas where there are a lot of Hmong or Sikhs or whoever farming.
Eric Schmidt said it was an identity service. I have enough social networks available, and don't see any need for an identity service (especially one where I'm the product, not the user), so I didn't join.
When you're talking about "users" are you talking about the content producers / eyeballs - the little people whose social networks are expressed in Facebook and who've invested thousands of hours in Farmville and Mafia Wars? Or are they and their social networks "the products", and "the users" are the advertisers who sell things to those people? I can see how the advertisers might lose lots of money if Facebook content producers get bored or annoyed and go somewhere else, or do something else.
But for one of the little people, I don't see how there's a "potentially huge cost" to them if they get bored and leave. Ideally, they'd like to back up the contact information for their actual friends, and for some of their other Facebook friends, and back up their photographs, but if they've gotten bored and left that's an indication that the value they're losing is near-zero. If they get mad at an obnoxious Facebook policy and leave, there's some positive value that they're losing that's balanced by the negative that's chasing them out, but it's still their call. There's a "potentially huge cost" to Facebook if their content producers and eyeballs wander off, because they've got less product to sell to advertisers, but that's a problem for Zuck and the stockholders, not for the people who left.
The problem with your suggestion is that often the data you want to preserve was created or discovered within the service, not externally. For instance, your Facebook friends lists, and the messages you've exchanged with people on Facebook, were probably created directly in Facebook, not exported from your home computer, unlike your photographs which you probably created and then uploaded. But even then, the captions for your photographs may well have been created directly in Facebook or Flickr, while your PC or phone thinks of them only as IMG00345.jpg.
So you need some way to back up your data from services that may not have been built for it. With Gmail, you can use IMAP to copy it down to your PC - does Facebook have anything better than screen captures available?
I'd rather not have politicians telling me what to read, thank you. It's worse when they expand their targets from the originally-announced "porn" to cover lots of politically significant content, which so far has happened in just about any of the places that have implemented systems like this. And that doesn't even count the sloppy and accidental misclassifications, like one blacklist that banned "terra.es", which was a Spanish site similar to what flickr is now.
They're not breaking into your houses trying to confiscate your porn, or breaking into ISPs taking theirs away. They're just censoring it in between.
But they're being dishonest idiots about it. The reason the "hands off the Internet" people are calling this proposed "change" "censorship" is that it's rather precisely meeting the definition of censorship. She wants to block material based on its content. If BT were to move everything onto wireless and tell you not to download big files because it'd interfere with VOIP latency, that wouldn't be censorship - it's independent of whether the content is porn, pirated movies, funny cat videos, or speeches by idiot Tory politicians.
Besides, it's "First they came for the porn. Then they came for the porn. After that they came for the porn. Now they're back, trying to get the porn again."
Of course that hands-off-the-internet people are saying that changes like this are censorship. That's because they are censorship - it's specifically preventing people from accessing certain kinds of content. If British Telecom were changing the internet access to deliver everything over wireless so everything's mobile and then telling you not to transfer big files because it would interfere with VOIP latency, that wouldn't be censorship, it would just be dubious technical change. But blocking access to specific content because it's politically incorrect is pretty much the definition of censorship.
I'm sorry, but I'd prefer to see a politician who's got the honesty to say that she wants to censor content because she knows what's best for us to read than a lying loon who says that it's not censorship when she's in charge of deciding what we can read.
Yup. iPod in a baggie. And some kind of wall mount for it. If you decide you don't like it, you'll now have an iPod instead of a useless appliance.
I'm not familiar with a 24" rack standard - 19" racks are usually in 24" cabinets. What uses 24" racks? Telephony equipment uses 23" racks (I forget how wide the cabinets are, but they're wider than 24.) I work in the telecom industry, and we've usually got 23" racks in our labs because when we need a rack there's always some unused 23" rack in the back of a warehouse or storage closet somewhere, whereas getting real 19" rack means dealing with the purchasing department and capital budget. Of course, since routers and computers are all 19" gear, that means we end up buying shelves and stacking stuff randomly on top of them :-) But in practice there's enough non-rack-mountable gear out there that we were likely to do some of that anyway.
My group finally decided to bite the bullet and order a bunch of 19" racks, so we''ll end up ripping out four or five old 23" ones and putting in a couple more cabinets of 19" (and it's not just being cheapass on budget - it also means dealing with the building engineering people to rebuild the earthquake bracing because some of them are different heights, and getting new electricity because we were already pushing our capacity, etc.)
Sorry, didn't see your reply until today.
I read it. I contradicted it, and explained why you were wrong. IPSEC and its equivalents protect you from an attacker forging the network-layer origin of a message. They don't protect you from an attacker giving you a message with bogus contents. If your router 2001:1111:: is talking BGP-over-IPSEC with router 2001:2222::, the IPSEC will protect you against router 2001:3333:: impersonating your friend 2001:2222::, as you say. But it's not going to protect you against 2001:2222:: sending you a BGP announcement that's deliberately bogus, and it's not going to protect you against 2001:3333:: sending a bogus announcement to 2001:2222::, who's dumb enough to believe everything he reads, and 2001:2222:: appending his ASN to the bogus announcement and passing it on to you. So you're still going to get that message about YouTube's address block being hosted in Pakistan, and you're going to get it across a nice secure IPSEC connection that nobody can eavesdrop on.
I also spent a lot of time reading IPv6 standards docs back in the early 90s, and again from the mid-2000s on, though I didn't actually implement any of it until recently. When you're talking about
are you talking about special-case mobile IPv6, or are you talking about real implementations of IPv6 that a typical business web-hosting server might use, or are you talking about the hopelessly optimistic science fiction that was being written into early standards documents? If you're talking about Mobile IPv6, some of that did get developed, and maybe even deployed, though I haven't seen much of it in a while.
But if you're talking about the kinds of commercial service that JoesGarage.com can buy today from BigISP1 and BigISP2, and Joe's access line to BigISP1 gets run over by a backhoe or either his premises router or his ISP's access router fails, are you saying that packets addressed to JoesGarage.com's BigISP1 /48 address will automagically get rerouted over to his access line from BigISP2? And that it'll happen without Joe buying some Provider Independent address space? And without BigISP1 building a GRE or VPN tunnel from some server to Joe's port on BigISP2, or BigISP2 having a special arrangement with BigISP1 to carry each other's subnet routes for customers that want to pay extra for it? Tell me more, because I'm not seeing that in the market.
And yes, I picked BigISP1 and BigISP2, not SmallISP3, because I realize that you can get tunnels from Hurricane Electric across both of your big slow-moving ISPs. On the other hand, the kinds of failure scenarios we worried about in the early 90s included not only backhoes and access router failures, but also backbone failures on the part of the ISPs, which were one of the main reasons people dual-homed back then. Sprint and MCI occasionally just failed and fell off the rest of the net, and they were a large fraction of the commercial part of "the net". Trusting a single ISP meant you had to worry about technical failure and Chapter 11 Fade, though you might not be as scared of those today.
Sure, I realize that some people would rather have OpenBSD running on bare metal, without having untrustworthy layers underneath, but since in the grand scheme of things we're running just about everything on top of VMware these days (except stuff that needs hardware acceleration), how well does OpenBSD work on top of VMware? Is installing it straightforward, or does the disk partitioning get weird? Can I just hand VMware the ISO and tell it to install itself? Will the vmware tools install cleanly? I'm mainly interested in using the firewall bits and IPSEC tunnels, and maybe also the http servers for things that need security more than they need flashy content management.
Back in the 70s, when long-haul telecom cables were still made out of copper instead of fiber, there was a cable that failed due to electromagnetic effects of a solar flare. I don't remember the details well, but I think it was an L4 or L5 cable from Chicago to New York or something about like that; the department I was in at Bell Labs had a few physicists who were studying the results. (And yes, the study was prompted by EMP concerns from the military, as well as general reliability. We also had some people studying lightning effects.)
While that's not a significant risk for most parts of the telecom system, since we don't have a lot of 500-mile antennas any more, the electric power systems still use metal that's isolated from ground. So you could still get a significant voltage induced on a cable that could affect equipment at the end, unless you design to avoid it.
Aluminium foil simply doesn't work as well as real tin foil. That's why studies consistently show that tinfoil hats don't work.
Unless, of course, the Conspiracy has been stockpiling the real stuff for themselves...
It's really about getting new funding for the US Military establishment and their friends in private-sector contracting businesses. It lets companies who don't make heavy iron or high-tech weaponry sell consulting and overpriced computer system designs, and lets military departments who don't have overpriced cool airplanes (or can't get their next generation of cool airplanes) get more money to hire people and buy shiny equipment from politically well-connected vendors.
That doesn't mean there aren't civil liberties issues also (and FBI and anybody who wants to become the Copyright Police expanding their surveillance technology.) But those are mostly the civilian police agencies, and the quasi-military "War on Terror" types, while "Cyber War" is the traditional military trying to scam money that's been going to civilians.
Depending on what kind of construction and design your house has, it may not be easy to run new connectivity to your rooms. But if you can do it (e.g. the guy building a new house), what you really should run is conduit. Sure, Cat6 Ethernet wire's going to be good for the next few years, but maybe you need HDMI cables instead, or fiber for your digital audio system, or TV coax, or whatever standard works 10 years from now. If you want to support wire, run whatever size conduit makes sense given your physical constraints, and if you need to run wire, run it inside the conduits. If you're lucky, you won't need them, because everything will be wireless, and if that happens you can use them for centralized vacuum systems or whatever.
(Of course, I've never done this myself :-) Back when I had a 2-story house, it had lath-and-plaster walls, and really antique phone wires, so the first floor got a few small holes in the floor to run phone wire to the basement, and the cable TV people punched through the outside wall into the living room. I'm currently in a condo, and all the data runs on wireless, most of the phones are cordless, and there are several generations of badly installed cable TV.)
Most likely the $100 is for the board itself, not counting the CPU or the memory. So by the time you add all the pieces, at late-2012 prices, you're probably looking at $300, plus disk. So it's 10x the price of a Raspberry Pi, much faster, and burns a lot more power; it's not the same market at all. But it might still be a good desktop computer or media box if it doesn't need a loud fan.
First of all, the destinations aren't individual addresses, they're blocks of addresses, so you don't necessarily know a working address in the block. And even if you do know an address of a machine in that block, you don't know if it's willing to answer pings from you. (Both of which are really annoying, when you're trying to debug by hand :-)
And as Urza9814 points out below, if it's a malicious attack, the Bad Guy can be sure to answer (e.g. the Pakistan PTT probably put up a web page saying "You're not allowed to watch YouTube in Pakistan!", even though their route advertisement went to the whole world.) On the other hand, the random misconfigured router that's advertising a route to a whole /8 probably didn't do that, even before all the traffic for that /8 melted its T1 or E1 line.
And ping/traceroute response times aren't very predictable, especially on routers which make those low priority processes, so if a router takes an extra 10ms to answer because its CPU is busy with more important work, that doesn't mean it's 1000 miles farther away.
And routing isn't symmetric, it's often asymmetric, especially if you're messing around with testing routes to see if they're valid - if Router Z's best route to you goes through Router B, and you sent your test ping out Router C, you're still going to get the answer on Router B if you get it at all.
BGP has lots of metrics - raw speed isn't the only one, and often it's not the best one. Maybe your T1 line is the shortest-ping-time route to YouTube, but you want to use your 100 Mbps Ethernet for YouTube traffic anyway because the T1 doesn't have enough capacity, or maybe you want to use the cheap DSL line for web browsing traffic and save the T1 for database queries. Using raw speed as a routing metric is highly likely to lead to route instability and congestion collapse, as well as routers spending all their time calculating route changes (and thus being slower to respond to pings), chaos, anarchy, dogs and cats living together...
There are boxes out there which actually do track packet response times and reliability and use that to do routing, most commonly in hosting environments, and some people really like them. But they're a game for multi-homed end-users, not Internet backbones.
You're misunderstanding how this works. It's not using DNS for routing. It's using the Reverse DNS tree to hang ASN ownership records onto IP address blocks, so you've got a mechanism for validating announcements about ASNs owning those blocks, and that ownership is already hierarchical, which is why there's a concept of "legitimate" here at all. The Reverse DNS tree has records about names such as 2.0.192.in-addr.arpa, which are about IP addresses 192.0.2.*, and is maintained (or not:-) by the people who actually own that address space. And ISPs do need to bite the bullet and administer their rDNS and DNSSEC already.
The problem we're trying to solve is that a "distributed trust network" makes it too easy to trust any random advertisement that comes down the wire, which breaks things if that advertisement is bogus. For instance, if some router says they've got a route to 192.0.2.0/24, you're going to look at it, see if it's better or worse than the route you've been using, and pass it along. But if they're lying, and they've got a better metric than your alternative routes, and you trust them, suddenly all your traffic for example.com is going into their black-hole or go to their man-in-the-middle server or whatever. This gives you a way to check whether their advertisement is plausible, and reject it if it's not. Every couple of years this happens with a big chunk of IP address space and some big ISP loses connectivity to South America or MAE-East or whatever, but it's probably happening on a small scale all the time.
This doesn't affect what governments and their henchpersons can do to the net. While we'd all like to believe that IP/IPv6 address space comes from the Internet Gods, in fact IANA, ARIN, RIPE, etc. are subject to interference by governments, though IP addresses and the corresponding rDNS names like 2.0.192.in-addr.arpa aren't very interesting to the Trademark Mafiaas and usually get left alone. But if they do decide to have a trademark lawsuit about who owns 31.3.3.7, or IPv6 2001:face:booc::/48, it's going to affect the IP address block, not just the DNS names 7.3.3.31.in-addr.arpa or c.0.0.b.e.c.a.f.ip6.arpa.
Harrumph. SLAAC wasn't a poor reimplementation of DHCP, kid. DHCP was that new stuff defined in 1993, though it was based on BOOTP and RARP (from 1984-1985, which let a workstation look up the IP address that was manually assigned to its MAC address.) SLAAC was based on the autoconfiguration capabilities in IPX and XNS, which were also around in the early 80s. If your office equipment didn't need to talk to anybody else, you could just plug everything in and it would Just Work. If you needed to talk between multiple subnets, either because you had multiple offices or distance limitations, you'd announce the subnet blocks, and everything would still Just Work. Compared to typing MAC addresses into RARP/BOOTP server tables, which is what we had to do for diskless workstations, or even compared to typing IP addresses into individual client PCs or diskful workstations, Autoconfiguration was really cool!
And NAT wasn't around until the mid-90s either, and took a while before it only broke lots of things instead of everything, and people stopped doing lots of the cool things that it broke.
That's not to say that SLAAC doesn't have its problems, such as protecting against bogus router advertisements, but bogus DHCP servers are also theoretically a threat.
First of all, IPSEC or its IPv6 equivalents don't help you here. The main problem is some router advertising "I've got a great route to ASN12345" or "My ASN 67890 owns 12.0.0.0/8" when that's not true, and some other router it's connected to believing those bogus advertisements and passing them along. If BGP were wrapped in IPSEC, that would mean that nobody could eavesdrop on the bogus advertisements, but the problem isn't protecting the transport layer for the bogus advertisements, it's verifying the advertisements themselves. IPSEC might be able to protect you against forged BGP messages on trusted connections, but that's a much less important attack. IPv6 itself does eliminate the "classful route autosummarization" version of fat-fingering that lets your antique Cisco router decide that since it sees two /24 subnets from a Class A /8 block, it should be efficient and advertise the Class A block to its upstream, which has resulted in things like MAE-East's traffic all pointing at one little incompetent ISP's T1 line or a small ISP in South America grabbing any connections from the rest of South America to AT&T (which is why most ISPs that do have a /8 block will also advertise a pair of /9s.)
The "everybody's going to happily use hierarchical addressing" concept never played out, because it didn't address business reality or other end user needs. Businesses need their incoming connections to be dual-homed for reliability, and even if they don't have their own Provider-Independent address space, they still need to advertise their PA space from ISP A on their ISP B connection and vice-versa, so the route tables are going to be almost as large from subnet advertisements even without PI space. Reliability was critical even before the whole world moved onto the Internet, and even though ISPs have become much more reliable than they were in 1995, IPv6 support was pretty much experimental and spotty until, well, yesterday or maybe tomorrow, so you still can't be sure that your connection to ISP A will reach everybody in the world when your connection to ISP B is down. Businesses had three main reasons for wanting to own their own IPv4 address space - dual-homing for reliability, convenience when switching ISPs for business/pricing/etc. reasons, and being sure they could get enough address space if they switched ISPs. IPv6 doesn't help the dual-homing issue, though it does fix the getting-enough-space problems, and makes renumbering easier (though RFC1918, NAT, and DNS have eliminated 99% of that problem.) Switching ISPs happens on a timescale of months or at least weeks, so you can deal with the time it takes for DNS caches to expire and browser sessions to close, and IPv6 lets you use multiple IP addresses on the same interface, so maybe a coordinated early effort by the big ISPs, ICANN, IANA, and IETF could have helped the politics, but the ISPs and ICANN were dragging their heels for decades, Jon Postel was dead, and Cisco was way late in supporting IPv6. So that didn't happen.
Eventually some people realized that dual-homing really really was important, and that no amount if "But IPv6 was meant to be used hierarchically" would get people to give up their PI space or route advertisements, and tried to do something about it, giving us the appallingly ugly breakage called shim6, and don't hold your breath waiting for every piece of software in the world to adopt it before anybody can give up dual-homing. Meanwhile, the equipment that's been most stubborn about renumbering is IPSEC tunnel servers and clients, which tend to have hard-coded addresses instead of using DNS or other servers to find out who to talk to - I'm not convinced that IPv6 gear of the same vintage wouldn't have had the same problems.
IPv6 didn't eliminate manual router configuration, though it theoretically lets you move some functions from routers onto other servers. Autoconfiguration meant that you didn't have to assign IP addresses