It seems I am a little back(b)logged here. (Sorry.)

Anyway, here are some of many interesting recent events:

  • I went to Japan! I was there for 10 days with fellow Computer Science students; mostly in Tokyo, but my trip also included a short stop in Kyoto. If I should include any random thoughts about the journey, I would mention the Firefox ad in the metro, featuring a fox in a boxing ring. Very curious… 🙂
  • When talking about Japan, I simply have to include a ninja reference, no? Well, here you go: watch Ask a Ninja, net neutrality.
  • The DNS bug. It can have many interesting security implications, as this Flash movie suggests. (Thanks to Xavier for pointing to this site.)
  • The patent establishment makes fools of themselves again: our beloved European Patent Office says that software is an “ambiguous” term. (I do not know about original references yet, sorry, maybe this is only available in printed form so far. Link.) Apparently some software is more equal than other software, and deserves Patents to cover it. Here is a Digital Majority post about this.

Enjoy!

Update 2 Aug 2010 09:26: replaced two Wikipedia links.

… and how to avoid a pitfall on some Dell PowerConnect equipment. On that note, I haven’t yet managed to get this working in VMware (Server 1.0.5, and Workstation 6.5 Beta, I believe) on Linux, using some host-only interfaces. It seems the switching mechanism gets things mixed up a bit.

So: in order to add redundancy to (say) firewalls, one could use such a protocol as VRRP. Unfortunately, Cisco has claimed patents on it, leading the OpenBSD developers to implement a similar system, called CARP.

The basics are relatively simple: instead of having a primary and a secondary firewall use their own MAC addresses for routing, we create virtual interfaces on each firewall, with corresponding MAC addresses that are shared by both firewalls.

In the simple setup, only one firewall is active at any time, meaning that you can bring down a firewall, upgrade it, and bring it back up, all without anyone noticing. Done right, the traffic is transparently routed through either of the two firewalls, and downtime is measured in seconds at the most.

Imagine a small example, where we want to replace a single firewall that has two network cards with a redundant pair of similar machines; let’s say we have an external network (the Internet) and our internal network. We reserve some IP addresses for the new redundant set:

External addresses: (physical card: em0)

100.0.0.1 = Routing (CARP)
100.0.0.2 = Firewall 1 (master)
100.0.0.3 = Firewall 2 (backup)

Internal addresses: (physical card: em1)

200.0.0.1 = Routing (CARP)
200.0.0.2 = Firewall 1 (master)
200.0.0.3 = Firewall 2 (backup)

(In practice you may not need individual addresses on all interfaces with CARP, but let’s work with this for now.)

Addresses for pfsync: (assuming a crossover cable here, so basically any unique addresses can be used)

10.0.1.2 = Firewall 1
10.0.1.3 = Firewall 2

Note: pfsync does not keep track of the rules in pf.conf, only the actual user sessions registered on the firewalls.

We’ll need to edit numerous files in /etc on each firewall:

pf.conf – add:

pass quick on { em2 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state

sysctl.conf – uncomment:

net.inet.carp.preempt=1

This ensures that if even one interface on a firewall fails, the second firewall (if intact) will take over.

hostname.em0 – add:

inet 100.0.0.2 255.255.255.0

to the first firewall, and:

inet 100.0.0.3 255.255.255.0

to the second; similarly for hostname.em1 use 200.0.0.2 and 200.0.0.3.

hostname.em2 – add:

inet 10.0.1.2 255.255.255.0

to the first firewall, and:

inet 10.0.1.3 255.255.255.0

to the second.

hostname.carp0 – add:

inet 100.0.0.1 255.255.255.0 vhid 1

to the first firewall, and:

inet 100.0.0.1 255.255.255.0 vhid 1 advskew 100

to the second; similarly for hostname.carp1 on both machines, but with 200.0.0.1 and vhid 2 instead. It is interesting to note that we don’t have to say that carp0 corresponds to em0, and carp1 to em1; OpenBSD can figure this out from the IP addresses and netmasks.

hostname.pfsync0 – add:

up syncif em2

on both machines. We can also get this running live without rebooting. Let’s kick in the backup node first (it is assumed here that pf is already enabled with rules loaded into memory, and that packet forwarding is in use on both firewalls):

firewall-2 # sysctl -w net.inet.carp.preempt=1
firewall-2 # sh /etc/netstart
firewall-2 # ifconfig carp

You should see that all CARP interfaces display MASTER, since firewall-1 isn’t up yet.

firewall-1 # sysctl -w net.inet.carp.preempt=1
firewall-1 # sh /etc/netstart
firewall-1 # ifconfig carp

Again, you should see that all CARP interfaces display MASTER (and, obviously, BACKUP on firewall-2), since its advskew (0) is lower than on the backup node (100). Note: setting the advskew to values higher than 240 will probably not work. You’ll see what I mean. 😎

Fun thing to try on another machine, when failing over from one firewall to another:

watch traceroute 100.0.0.1

There are some other things I could go into, but let me just make a note on Dell equipment:

As I mentioned, fail-over from one firewall to another is supposed to take seconds at the most (depending on advbase (default: 1) and advskew), even if you disconnect cables randomly from one firewall, cut the power to the machine, or attack it with a raygun. As soon as one firewall stops hearing from the other on one of the interfaces, the second one will prepare to act in its stead.

Why, then, doesn’t it work on some Dell PowerConnect equipment, for instance? Well, it seems the RSTP mechanism gets confused by the shared MAC address, resulting in having (say) two master nodes, and the situation may take as much as 30 seconds to stabilize, if not more (or if at all).

The answer is that you should be able to turn RSTP off on the switch ports where the firewalls are connected. In a setup where both firewalls are connected to the same switch (using a different VLAN for each interface, for instance), it should be safe to do so.
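Two of the checks above, inspecting `ifconfig carp` on each node and spotting the Dell "two master nodes" symptom, as an added example that is not part of the original post: a POSIX shell script that parses constructed `ifconfig carp` output (the line layout is assumed to match OpenBSD of that era) and flags a node whose CARP interfaces disagree on their state, or a vhid that is MASTER on both nodes at once.

```shell
#!/bin/sh
# Added example, not from the original post: parse `ifconfig carp` output and
# check (a) that all CARP interfaces on one node agree on their state and
# (b) that no vhid is MASTER on both nodes. Sample output is constructed.
SAMPLE_OK='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 100.0.0.1 netmask 0xffffff00 broadcast 100.0.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        inet 200.0.0.1 netmask 0xffffff00 broadcast 200.0.0.255'

# Constructed backup-node output: both interfaces BACKUP, as expected.
SAMPLE_BACKUP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100'

# Constructed split state: the backup node claims MASTER on carp0 only.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100'

# carp_states: read ifconfig output on stdin, print "ifname state vhid advskew".
carp_states() {
    awk '/^carp[0-9]+:/ { ifn = $1; sub(":", "", ifn) }
         /carp: / { for (i = 1; i <= NF; i++) {
                        if ($i == "carp:")   st = $(i + 1)
                        if ($i == "vhid")    vh = $(i + 1)
                        if ($i == "advskew") sk = $(i + 1) }
                    print ifn, st, vh, sk }'
}

# carp_consistent: exit 0 when every CARP interface on the node shares one
# state; a mix of MASTER and BACKUP means a partial failover.
carp_consistent() {
    carp_states | awk '{ s[$2] = 1 } END { n = 0; for (k in s) n++; exit (n == 1 ? 0 : 1) }'
}

# carp_dual_master: given both nodes' outputs, print every vhid that is
# MASTER on both (the "two master nodes" symptom described above).
carp_dual_master() {
    { printf '%s\n' "$1" | carp_states; printf '%s\n' "$2" | carp_states; } |
        awk '$2 == "MASTER" { m[$3]++ } END { for (v in m) if (m[v] > 1) print v }'
}

printf '%s\n' "$SAMPLE_SPLIT" | carp_consistent || echo "split state on backup node"
carp_dual_master "$SAMPLE_OK" "$SAMPLE_SPLIT"
```

On a live node, replace the constructed samples with `ifconfig carp | carp_consistent`; the dual-master check needs the second node's output fetched over the pfsync link or by hand.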

Happy fail-overs!

Microsoft FUD?

Is Microsoft admitting to using Fear, Uncertainty and Doubt? Either their Live.com engine is a bit weird, or there’s some curious honesty here. Judge for yourself… 😉

Live.com

(Source: http://www.microsoft.com/en/us/default.aspx – search for “fud”. Tip from comm2k.)

Silly geek joke

Some files were walking about in peace, when suddenly they started screaming:

– Watch out, watch out! /bin/dd is coming!

One of the files then said:

– I’m not afraid, I’m /dev/null !

The file stood alone as /bin/dd came closer. Finally, the program stood inode to inode with its enemy:

– You’re doomed!

– Don’t you know who I am? You can’t touch me!

There was a long silence, and then /bin/dd said with a dark voice:

– dd if=/dev/zero of=/dev/sda

(This is based on the ex theme from circles of mathematics – don’t say I didn’t warn you. (Apparently this is before the era of udev. On an additional note, no binaries were harmed in this exercise as they were located on a different drive.))

UserFriendly nails it again.

The American Civil Liberties Union has filed a brief about the free speech issues of an application for an abstract patent. FFII says hi; it’s great to see a major civil rights organization bring this up in the patents sphere. With enough exposure, hopefully the insanity of business and software patents may come to an end some day…

OOXML use cases

ISO has now rendered a decision, and the fight over OOXML could be over soon. Specifically, while there have been no reported irregularities, countries have another two months available to raise concerns. Apparently e.g. Norway has already done so, but I’m sure that misunderstanding will be cleared up shortly.

In any case, there are so many good things about OOXML that I don’t know where to start. (I need to double-check the exact meaning of “open” and “XML”, but at least the “Office” part seems clear to me, which suggests high quality work here.) Indeed, one of my favourite aspects of this standard is its simplicity. For instance, one can safely focus on its two major use cases, namely when:

  • you own Microsoft, or
  • Microsoft owns you.

Actually, this is a rather strong statement, since it has yet to be proven that anyone is currently using or implementing any version of OOXML – especially Microsoft themselves, who apparently are a bit slow on that. No worries though – it’s a standard now, so surely it’s not that important.

I wish ISO and Microsoft best of luck with all the upcoming, exciting standards projects. Clearly, we can expect even better processes that provide for a modernized approach with honest and high fidelity works. We can all thank ourselves for being part of this proud and happy family. 🙂

Conspiracy meetings

(About the move of my blog: it was in part due to buggy Blogspot code, but now I also have a more flexible solution. Overkill at this point, maybe, but that’s me. 🙂 )

I’ll go to FOSDEM this weekend (where the former President of the FFII will be speaking), and hopefully see Richard Stallman come here next Tuesday.

Next week is the BRM for OOXML, and I wouldn’t want to be in Alex Brown’s shoes. Maybe the meeting itself won’t be so dramatic – no press allowed there, for one thing – but it’ll be interesting to see just how much bullying ISO national bodies are going to take from Microsoft, I mean ECMA. Basically, the strategy has changed from “OOXML is a perfect standard, and there isn’t even as much as a spelling error” to “look, since we’re good guys, we’ll include your idea too – now there are at least two ways to do everything”. To use a car analogy (sorry):

You: This car is not working, the engine is broken.
ECMA: How do you know? Let’s give it some time.
You: It is broken, alright.
ECMA: OK, look. We added a new one.
You: Doesn’t work.
ECMA: Yes it does. Start both engines.
You: I told you, the old one is broken. Why didn’t you just fix it?
ECMA: Come on, one of them is new, isn’t it great!

All that is missing is a press release from SCO that endorses OOXML. (Oh, is it flying pig season again? The fine company that made up random lawsuits about Linux, then went through bankruptcy proceedings, is now getting $100 million in support. Maybe I have been focused on the wrong career?)

CNN notes that the EU is looking into the OOXML actions of Microsoft (the original article requires a subscription).

I wouldn’t count on the EU to show more backbone than last time, but I guess the company won’t be so happy about the timing, considering the BRM takes place in about two weeks from now. (By the way, isn’t all this bad press quite ridiculous? People keep confusing themselves with ideas such as “quality”, or “fair play”. It’s so annoying!)

After that, there’s another month for voting countries to present their final opinion, so I guess we’ll have to wait until the beginning of April for the actual outcome. (Would a rejection from ISO put an end to it, though? Or would an approval of OOXML be taken seriously?)

One thing is clear: both Microsoft and ISO will have to reshape – the length of the rubber stamping process demonstrates clear deficiencies on both ends. Let’s hope for the best.

Mortal assumptions

Update 2 Aug 2010 09:27: correct year of said update now denoted. 🙂
Update 2 Aug 2010 09:20: replaced a Wikipedia link.

(Warning: clear signs of philosophical tendencies follow.)

Humans. When will we ever learn?

Why could, say, sarcasm be so hard to convey at times? An audience would simply assume a message is serious, and for some reason – no matter how absurd the conclusions would seem – the assumptions are not the first to be questioned.

To make things worse, sometimes said conclusions are not communicated back, but maybe this is not a big deal in the long run? Or maybe it is?

Interpreting a message without trying to understand the context is like running a business without a strategy.

Incidentally, I suggest the more convinced you are that you know the context and the underlying motives, the more likely it is that you don’t. Just consider e-mail conversations.

Apparently, exercising the mind with openness means accepting that there are no simple answers. On the other hand, it should bring you closer to the truth, so it seems like a logical choice. Inconvenient, maybe, but logical.

What, then, is worse than one assumption? Software patents, of course! (Oops, I meant: “several assumptions”.)

Now and then, I see people who argue heavily for one cause one day, and the opposite the next. Repeat this process any number of times, without any tangible attempt at understanding what went wrong, or even the mere awareness of having changed their mind (a possible side effect of using the gut).

So, how many assumptions did you just engage in when reading this post? (Don’t forget to count the idea that they can be counted in the first place.)