DevOpsDownUnder – Day 2 – John Ferlio

John Ferlio – Commit Early, Deploy Often

Flickr claims to deploy multiple times per day; this isn't for everybody.

Various ways to deploy: tarballs, version control, packages.

Using package management to deploy

  • Treat internal apps same as external apps
  • Works with config management
  • Use CM and VMs to give devs a sample of production on their laptop
  • Devs can then develop directly to what prod looks like

Example deployment for Ruby apps

  • Use bundle to set up the Ruby dependencies for the app
  • Simple makefile to install bundle and run it. Bundle installs the apps and then compiles them. Then the files are put in the right dirs (prod and staging versions)
  • dh_make to create the base deb environment
  • Delete unwanted extra Debian template files.
  • Create a staging and a production package; basic filling in of the Debian control files to build the packages
  • Package contains the whole website and files. Maybe 200MB. More advanced users might want to split some stuff off.
  • He has a little bit to put the bzr revision in a file in the package for later reference.

Launchpad PPAs let you build your source for various Debian distributions/architectures. He blogged about a simpler system he created (which you can host locally) a month or two back.

Used to deploy Ruby on Rails and WordPress apps.

  • Don’t have to compile things on the box, don’t have to install gems, don’t have to svn update.
  • Maybe use a pre-init script to stop the app server during the upgrade and restart it afterwards
  • Some talk about how to sync deployment of an updated app and the new database schema that it requires. Thoughts seem to be that the new app version should be able to handle the old schema during the transition.
  • Rails libraries evolve so fast, which is why libraries need to be bundled. Other languages can sometimes use OS-provided libraries

NZ National Party claims copyright of Diplomat’s photos?

Last night I posted about how the copyright of photographs of New Zealand Prime Minister John Key is owned by the New Zealand National Party. In the post I assumed that the photos being claimed by National were taken by political staffers in the Prime Minister’s office.

However, looking through the New Zealand Herald’s photo gallery of John Key’s recent visit to Washington, I noticed that photos 5 and 6 in this gallery match these two photos on the “National Party” Flickr page.

However, the photos in the Herald are credited to “Tania Garry”, who appears (from a bit of googling) to be a career New Zealand diplomat currently posted to Washington.

So what is happening here? A New Zealand diplomat takes a photograph which is released to some news media (with full rights to publish it commercially, I assume), but somehow the National Party is allowed to put it on their website/Flickr under their own conditions?

So who owns the copyright for this photo? Who released a copy, under what conditions, and to whom?

From my point of view it appears that a NZ diplomat takes a photo and then it’s made available to “friendly” news media for publication (but not the New Zealand public) before copyright is claimed by the National Party?

Like I said in my previous post, photos and other material like this should not be claimed by political parties but should be released under a liberal license for use by anyone (which includes commercial use, like newspapers).


Who owns John Key’s history?

The current Prime Minister of New Zealand is John Key; he’s a nice (well, most people say so) guy who leads the right-of-centre National Party in parliament.

As a 21st-century politician he has staff members who look after a Twitter feed, he has a video blog on YouTube, and photos from his activities go on Flickr.

The problem is that the copyright of images and videos of John Key taken in the course of his official duties doesn’t appear to belong to the country or even be released into the public domain but is in fact claimed by the National Party.

Presumably this claim comes about because the persons recording the material are politically appointed staffers (although the salary is paid for by the New Zealand taxpayer) and they in turn have given their copyright to the National Party (hopefully this is a formal arrangement and not some ad-hoc thing).

The problem is that while some photos and other material are posted to Flickr under a restrictive license (which I’ll admit is more than previous PMs appear to have done), ownership and control of the material resides with a political party rather than the public.

So while the White House Flickr stream allows photographs to be downloaded, reprinted and used in websites and media, a photograph of John Key meeting the US Agriculture Secretary is locked down to Attribution-Noncommercial-No Derivative Works. Even worse, attempts to contact the National Party Flickr person and ask if specific photos can be used have been universally rejected.

So my big questions are:

  1. Why are photos of the Prime Minister performing his official duties, taken by staff members, owned by a political party rather than the government (or the people)?
  2. Why is use of the photos so harshly restricted?
  3. How does it help promote New Zealand and New Zealand culture when photographs of our politicians can’t be used or reproduced by sites such as Wikipedia?
  4. What happens in 50 years when future historians want photographs of our politicians and they don’t exist, or the ownership is unclear since they were not correctly transferred to the National Party (if it still exists) by the original photographer, or got lost at some point?

But really all I’m after is for the photographs to be released under a more liberal license, much like the photographs from the White House. As a New Zealander I really shouldn’t have to wait until a New Zealand politician meets the US president before a free photograph of him is released, and our PM’s Wikipedia article doesn’t have him wearing a green tie.


NZNOG 2010 – Day 2 – Session 4

Metro WDM for the fiscally prudent – Simon Blake

  • CWDM – split into various bands – uncooled lasers
  • Single-mode fibre – G.652c ideally – coloured optics – components
  • DOM/DDM support (SFF-8472) – query the SFP and see what signal level it’s getting (over or under strength)
  • 1–8 channel mux/demux – 8 channels 1471–1611 nm over a pair of fibres
  • Cisco 8 port mux/demux $6k/end
  • eBay 8 port mux/demux $800–1000/end
  • Direct import 8 port mux/demux $US 550/end
  • 2 x 10GE on one pair – 2-channel 1310/1550 CWDM splitter (a mux, not a splitter) – $40 kit on direct import – vs the numbers above
  • 1 x 10GE on a single fibre – optical circulators $NZ 1000k, $US14 imported
  • 6 node network, 4 dark fibres – $27K
  • Trying to solve a problem with lots of small hops, upstream building losing power (unpowered gear)
  • Pros: multiprotocol, performance/security/reliability
  • Cons: short haul (sub-120 km), only 18 channels, doesn’t do >10GE per channel, you need fibre
  • Direct import pros: cheaper, especially in bulk – design flexibility
  • Direct import cons: no support except swaps – freight – language/culture challenges
  • Traps – water peak, wideband receivers, near-end reflection, availability of 10GE optics – DOM (ask for it) and untrusted optics – measurement equipment/circuit recording – link budgets and insertion loss

Monkeying around on the APE – Michael Jager

  • Plugged a new port into the APE and found things very open
  • Packet sniffer + APE – should see broadcast and traffic destined for me
  • What did the sniffer see – lots of ARP for non-APE address space – DHCP
  • Borrowing transit – see how many networks will accept packets – 46 out of 75 will accept a frame from an unknown address destined for their MAC
  • 3 ports provide proxy ARP for random addresses
  • How many networks have an interface in your management network?
  • 6 will accept for 192.168.1.254
  • A customer could try to grab as many packets as possible across the cheap APE link rather than the expensive transit link
  • Possible things untried – ARP spoofing – responding to unanswered ARP requests (old BGP session of a removed neighbour) – responding to DHCP requests
  • Speaking OSPF to OSPF speakers – sending TCP RSTs – sending IPv6 RAs and answering IPv6 RS (like DHCP but for v6)
  • Read the IM2tubes slides from Jonny and Philip’s slides from Monday
  • AMS-IX configuration guide
  • Don’t take packets from the IXP if you aren’t expecting them
  • Don’t announce the IXP network from anywhere
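
The observations above boil down to a short list of things that should never arrive on an exchange-point port. The audit below is an added example (not from the talk or this blog) that checks a summarised capture against that list: ARP for addresses outside the peering LAN, frames handed to our MAC by a router we have no session with (“borrowing transit”), DHCP, IGP hellos, IPv6 router advertisements, and sources outside the peering LAN such as a leaked management address. The frame records, MAC addresses, the `192.0.2.0/24` stand-in for the peering LAN and the known-peer list are all constructed placeholders.

```python
"""Audit a summarised capture from an exchange-point port for traffic that
should not be there. Added example, not from the talk or the blog; the frame
records, MAC addresses and prefixes below are constructed placeholders."""
import ipaddress
from collections import Counter

MY_MAC = "02:00:00:00:00:aa"                          # placeholder: our router's MAC on the exchange
PEERING_LAN = ipaddress.ip_network("192.0.2.0/24")    # placeholder standing in for the IXP peering LAN
KNOWN_PEER_MACS = {"02:00:00:00:00:bb", "02:00:00:00:00:cc"}  # routers we actually peer with

# Constructed frame summaries, one per line:
#   src_mac dst_mac kind src dst l4     (kind is arp, ip4 or ip6; l4 is proto/port or "-")
SAMPLE_FRAMES = """\
02:00:00:00:00:bb 02:00:00:00:00:aa ip4 192.0.2.20 203.0.113.5 tcp/443
02:00:00:00:00:bb ff:ff:ff:ff:ff:ff arp 192.0.2.20 192.0.2.1 -
02:00:00:00:00:dd ff:ff:ff:ff:ff:ff arp 192.0.2.77 10.5.5.1 -
02:00:00:00:00:dd 02:00:00:00:00:aa ip4 192.0.2.77 198.51.100.9 tcp/80
02:00:00:00:00:ee ff:ff:ff:ff:ff:ff ip4 0.0.0.0 255.255.255.255 udp/67
02:00:00:00:00:ee 01:00:5e:00:00:05 ip4 192.168.1.254 224.0.0.5 ospf
02:00:00:00:00:ff 33:33:00:00:00:01 ip6 fe80::1 ff02::1 icmpv6/134
"""


def parse_frames(text):
    """Turn the summary lines into tuples; blank lines are skipped."""
    for line in text.splitlines():
        if line.strip():
            src_mac, dst_mac, kind, src, dst, l4 = line.split()
            yield src_mac, dst_mac, kind, src, dst, l4


def classify(frame):
    """Return the list of policy findings for one frame (empty if it looks normal)."""
    src_mac, dst_mac, kind, src, dst, l4 = frame
    findings = []
    if kind == "arp":
        # ARP on the exchange should only ever ask for peering-LAN addresses.
        if ipaddress.ip_address(dst) not in PEERING_LAN:
            findings.append("arp-for-non-ixp-address")
        return findings
    if dst_mac == MY_MAC and src_mac not in KNOWN_PEER_MACS:
        # A router we have no session with is handing us packets: "borrowing transit".
        findings.append("frame-from-unknown-peer")
    if l4 in ("udp/67", "udp/68"):
        findings.append("dhcp-on-exchange")
    if l4 == "ospf":
        findings.append("igp-hello-on-exchange")
    if l4 == "icmpv6/134":
        findings.append("router-advertisement-on-exchange")
    if kind == "ip4" and ipaddress.ip_address(src) not in PEERING_LAN:
        # e.g. a management address such as 192.168.1.254 leaking onto the IXP.
        findings.append("source-outside-peering-lan")
    return findings


def audit(text):
    """Count findings over a whole capture summary."""
    counts = Counter()
    for frame in parse_frames(text):
        counts.update(classify(frame))
    return counts


if __name__ == "__main__":
    for tag, n in sorted(audit(SAMPLE_FRAMES).items()):
        print(f"{n:3d}  {tag}")
```

The same rules map directly onto the two closing recommendations: an ingress filter on the exchange-facing interface that only accepts packets from known peer MACs, and a check that the peering LAN prefix is never announced to anyone.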

NZNOG 2010 – Day 2 – Session 3

Announcement at the start of the session that Telecom New Zealand now has an official interconnect/paid peering policy and contact. Details to be published. Ask Greg from Telecom for help.

InternetNZ Update – Jordan Carter

  • General updates and new structure, new CEO
  • 4 main areas (openness, rights and responsibilities, security)
  • IPv6 Task Force to replace the steering group
  • Copyright – the replacement policy looks better, but sneaky changes might come back
  • ACTA – key concern, lack of transparency, http://www.acta.net.nz
  • DIA filtering – voluntary and uses BGP. Gives a web page; you can report a false alarm
  • Filter – only HTTP, erodes end-to-end, privacy concerns, might later be abused (scope creep)
  • Filter – sends the signal that “The government has made the Internet safe”
  • InternetNZ opposed – DIA unhappy with that angle
  • Fibre stuff – “Last day for the 1.5 billion lolly scramble”
  • Regional networks or one big national network?
  • Hard to tell what will happen – similar exercise in Aus and the Govt went back to the drawing board
  • What happens to international bandwidth?
  • Please join, follow on Twitter http://twitter.com/internetnz

APNIC update and much more – Elly Tawhai

  • Over 2000 members
  • 1400+ monthly helpdesk enquiries (55% growth since last year)
  • Allocations around 100 per month
  • Various policy changes coming up – Prop-050 (transferring address space), Prop-073 (simple IPv6 allocations – 1 click), Prop-074 (32-bit ASNs treated the same as 16-bit ones, pushed back a year), Prop-075 (recover historical ASNs)
  • Policies under discussion – Prop-078 (final /8, only people deploying IPv6), Prop-079 (abuse contact info in objects), Prop-080 (removal of the IPv4 prefix exchange policy)
  • Several more allocation policies in the pipeline
  • Recent survey leading to priorities
  • Various my.apnic updates (web services even), support of research
  • More DNS root servers (Taiwan, Mongolia)
  • Please participate

RIPE News – Tools and news – George Michaelson

  • RIPE used to be a research place and then became an RIR. RIPE Labs is a return to the past
  • http://labs.ripe.net
  • Platform to test and evaluate new tools, feedback cycle
  • INRDB – big cloud of assignments, table dumps, dumps
  • Resource explainer
  • Various measurements, visualisation and links to tools. DNS reply size tester
  • Why – fast turnaround, engagement, no service guarantees

IPv6 flow chart – Nathan Ward

  • Make a decision about which IPv6 or IPv4/IPv6 translation technology you should use
  • Tunnel broker, 6to4, 6RD, Teredo, Dual-Stack Lite, double NAT, dual stack
  • Other stuff that I wasn’t paying attention to
  • IPv6 addressing schemes
  • Sparse allocations
  • Gives a sample which I won’t copy; look at his slides
  • Customer assignment. Nathan likes /56s or the RFC-recommended /48. Take your pick

Andy is Curious – Andy Linton

  • Are Universities turning out the right people?
  • Good at turning out applications programmers not systems programmers

NZNOG 2010 – Day 2 – Session 2

DNSSEC at the root zone – Joe Abley

  • ICANN – manages the Key Signing Key (KSK) – accepts DS records from zone operators – sends the update to DoC for authorisation and to VeriSign for implementation
  • DoC authorises changes and Verisign implements the change
  • New process has Verisign signing the keys. Verisign gets a few weeks of KSKs that DoC signs in batches beforehand
  • DNSSEC Practice Statement – describes procedures, currently drafts
  • Around 20 Trusted Community Representatives (TCRs) have an active role in the management of the KSK
  • 2 copies of the keys, west coast and east coast. Plus distributed backup
  • “Ceremony” for each step in the procedure, prescribing what you do and how many people and which people are present.
  • Similar to what X.509 CAs do
  • KSK is a 2048-bit RSA key rolled every 2–5 years (RFC 5011, but not all have that support) – signature using SHA-256
  • ZSK is a 1024-bit RSA key – signed with NSEC – rolled 4 times a year – signature is SHA-256
  • Time cycle every 90 days – ZSK overlap of a couple of weeks
  • Root trust anchor – published in an XML document with a constant URL – plain DNS record – PKCS#10 cert CSR, as a self-signed pub key, signable by others if they want
  • DO=1 is part of EDNS0 – says the client wants DNSSEC – many clients set the bit even though most won’t really want it right now – will cause all queries to jump in size
  • Hard to sign the root and then roll back
  • Staged deployment – start serving DNSSEC from 1 root server at a time – L-Root first, then A, then the others with J last
  • DURZ (deliberately unvalidatable root zone) – unverifiable key published as a placeholder
  • Measurement – packet captures, dialogue with operators – wide range of pre-testing with various software – test with clients that drop large packets
  • DS change requests – TLD procedure to be decided – DS requests 1–2 months before the zone is published
  • http://www.root-dnssec.org
  • Timeline – test key signing Dec 2009 – Jan 2010. Jan – July 2010 roll out signed roots. July 2010 full production
  • Lots of documentation on the website
  • Indication of a big jump in TCP queries, presumably because UDP replies are too big
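
To make the DO=1/EDNS0 point and the TCP fallback concrete, here is an added example (not from the talk or from any DNS software) that builds a root A query with and without an OPT record, reads the advertised UDP payload size and DO flag back out of the packet, and decides from a reply header whether the TC bit forces a retry over TCP. The packets are constructed in memory; nothing is sent, and the transaction id and 4096-byte payload size are arbitrary choices.

```python
"""Build a DNS query carrying an EDNS0 OPT record with the DO bit, read it
back, and decide from a reply header whether a TCP retry is needed. Added
example; the packets are constructed here, nothing is sent on the wire."""
import struct

TYPE_A, TYPE_OPT = 1, 41
FLAG_TC = 0x0200          # "truncated" bit in the DNS header flags
DO_BIT = 0x8000           # DNSSEC OK, in the low 16 bits of the OPT TTL field


def encode_name(name):
    """Wire-format a domain name; "." (the root) becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, edns=True, do=True, payload_size=4096, txid=0x1234):
    """RD-set query; with edns=True an OPT pseudo-record is appended as the additional section."""
    arcount = 1 if edns else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    if not edns:
        return header + question
    ttl = DO_BIT if do else 0        # ext-RCODE=0, version=0, flags
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, payload_size, ttl, 0)
    return header + question + opt


def _skip_name(pkt, off):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns(pkt):
    """Return {"payload_size", "do", "version"} from the OPT record, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return {"payload_size": rclass, "do": bool(ttl & DO_BIT), "version": (ttl >> 16) & 0xFF}
    return None


def needs_tcp_retry(reply):
    """A resolver must retry over TCP when the server set TC because the answer did not fit in UDP."""
    flags = struct.unpack(">H", reply[2:4])[0]
    return bool(flags & FLAG_TC)


def constructed_reply(txid=0x1234, truncated=False):
    """Header-only reply used to exercise needs_tcp_retry (constructed, not from a real server)."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)     # QR, RD, RA (+TC)
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    plain = build_query(".", edns=False)
    signed = build_query(".")
    print(len(plain), "bytes without EDNS0,", len(signed), "bytes with OPT/DO")
    print(parse_edns(signed))
    print("retry over TCP:", needs_tcp_retry(constructed_reply(truncated=True)))
```

The query itself only grows by the 11-byte OPT record; the operational cost is on the reply side, where DO=1 asks for RRSIGs that push signed root answers past the sizes middleboxes and clients that drop large or fragmented UDP packets will pass, which is exactly what the TC-driven TCP retries at the end of the list measure.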

ENUM – Jay Daley

  • Why doesn’t telephony work like email?
  • Email: you choose how to publish your email record, where to host, what emails to accept, can outsource, totally in control
  • So IP telephony should be easy too?
  • Unfortunately not
  • Non-site-local numbers MUST go to a telco to get delivered
  • Missing – a single, global directory linking telephone numbers to VoIP numbers
  • This is ENUM. Telephone number -> domain name – simple algorithm – e164.arpa – 04 931 6970 -> 0.7.9.6.1.3.9.4.4.6.e164.arpa
  • Won’t be typed; translation done by a device – people still type old-fashioned numbers
  • Register your number, create a zone. Add NAPTR records to the DNS zone. Special records to specify endpoints (usually SIP records), receive calls
  • NAPTR records do interesting stuff, e.g. “dig +short nsrs.tel naptr”
  • How? Option 1 – enable on your VoIP PBX that is internet connected
  • Option 2 – on the session border controller – “enterprise”
  • Option 3 – ENUM proxy (if the existing SBC doesn’t handle ENUM)
  • Registration process – not the same as for domains since the numbers are already registered – needs authentication
  • Various methods of authentication in different places
  • No ENUM in NZ. Available in the UK, Holland, Ireland, Germany, Austria but not significant takeup
  • Reasons for lack of takeup in those countries – lack of mindshare – hostility from telcos
  • Why not in NZ – TCF 2006 report – privacy issues (but only publish what you like) – emergency services access (no idea where callers are) (but all VoIP has that problem) – policy/governance – “carrier issues”
  • ENUM is about control – moving it from the carrier to you
  • Key users – call centres, ENUM instead of 0800 – large supply chains (mandate VoIP) – multiple sites, simplify provisioning
  • Won’t happen without demand
  • “On the Internet voice is just another application”
  • Significant political and commercial resistance from telcos
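
The number-to-name algorithm and the NAPTR step above are small enough to show in full. The following is an added example, not the speaker’s code: it maps the talk’s 04 931 6970 (with NZ country code 64) to 0.7.9.6.1.3.9.4.4.6.e164.arpa, maps it back, and then applies a constructed NAPTR RRset the way an ENUM-aware PBX or SBC would, picking the record by (order, preference) and service and running its regexp over the full E.164 number. The NAPTR records and the example.com contacts are constructed placeholders.

```python
"""The ENUM mapping from the talk (E.164 number -> e164.arpa name) and the
NAPTR selection step that turns the name into a contact URI. Added example,
not the speaker's code; the NAPTR records are constructed and example.com
is a placeholder."""
import re

APEX = "e164.arpa"


def e164_to_enum(number, country_code=None, trunk_prefix="0"):
    """Strip formatting, add the country code to a national number, reverse
    the digits and dot-separate them under e164.arpa (the RFC 6116 rule)."""
    digits = re.sub(r"[^0-9+]", "", number)
    if digits.startswith("+"):
        digits = digits[1:]
    else:
        if country_code is None:
            raise ValueError("a national number needs a country code")
        if trunk_prefix and digits.startswith(trunk_prefix):
            digits = digits[len(trunk_prefix):]      # drop the national trunk "0"
        digits = str(country_code) + digits
    return ".".join(reversed(digits)) + "." + APEX


def enum_to_e164(name):
    """Inverse mapping: e164.arpa name -> "+<digits>" (the application unique string)."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != APEX.split("."):
        raise ValueError("not under " + APEX)
    return "+" + "".join(reversed(labels[:-2]))


# Constructed NAPTR RRset: (order, preference, flags, service, regexp, replacement)
SAMPLE_NAPTRS = [
    (100, 10, "u", "E2U+sip", "!^.*$!sip:reception@example.com!", "."),
    (100, 20, "u", "E2U+email:mailto", "!^.*$!mailto:reception@example.com!", "."),
    (200, 10, "u", "E2U+pstn:tel", r"!^\+64(.*)$!tel:+64\1!", "."),
]


def apply_regexp(field, aus):
    """Apply a NAPTR regexp field (delim, ERE, replacement, delim, flags) to the AUS.
    Assumes the delimiter does not appear escaped inside the pattern."""
    delim = field[0]
    _, pattern, repl, flags = field.split(delim)
    opts = re.IGNORECASE if "i" in flags else 0
    if re.search(pattern, aus, opts) is None:
        return None
    return re.sub(pattern, repl, aus, count=1, flags=opts)


def resolve(aus, rrset, service):
    """Walk the RRset in (order, preference) order and return the first URI
    whose service matches and whose regexp matches the AUS."""
    for order, pref, flags, svc, regexp, _ in sorted(rrset, key=lambda r: (r[0], r[1])):
        if flags.lower() == "u" and svc.lower() == service.lower():
            uri = apply_regexp(regexp, aus)
            if uri is not None:
                return uri
    return None


if __name__ == "__main__":
    name = e164_to_enum("04 931 6970", country_code=64)
    print(name)                                      # 0.7.9.6.1.3.9.4.4.6.e164.arpa
    aus = enum_to_e164(name)
    print(aus, "->", resolve(aus, SAMPLE_NAPTRS, "E2U+sip"))
    print(aus, "->", resolve(aus, SAMPLE_NAPTRS, "E2U+pstn:tel"))
```

The regexp is applied to the full “+64…” string rather than the DNS name, which is why the tel record can rewrite with a backreference; a real client would fetch the RRset with a NAPTR query for the name returned by e164_to_enum (the dig command in the notes shows what that looks like).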

Day in the Life of the Internet – Sebastian Castro

  • 4 years of DNS data
  • DITL motivation – network measurement – collection of data from DNS root servers – yearly since 2006
  • More and more root servers, alt root servers, gTLDs etc. passive traces, 48–72 hours
  • Concentrate on root server data
  • Pick the best 24 hours out of the total window
  • 4–8 billion queries, 3–6 million unique clients – 5–12% recursive queries
  • Mostly A queries; AAAA increasing due to glue records being added (why are IPv4 clients sending AAAA queries when they probably won’t/can’t use them)
  • 70% of clients are EDNS capable (90% of these are DO enabled)
  • However, clients sending lots of queries (probably broken) have good support – but clients that query less have a lower level of support
  • 10 invalid TLDs represent 10% of queries (.local, .localdomain, wpad, invalid, home, belkin, corp, lan)
  • Impossible to track down
  • Most queries from NZ go to the Auckland root and Brisbane root but some go to overseas servers (those might be using simple round-robin picking)
  • Lessons – data collection is hard – clock skew, data loss, wrong command line options, bad network taps
  • Data management – more data, more participants – more formats – big effort to normalize data, fill gaps, fix clock skew.
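
The invalid-TLD and EDNS/DO observations are easy to reproduce on your own resolver’s query log, which is where the leaked .local/wpad/.corp names come from in the first place. This is an added example (not the DITL tooling): it parses a handful of constructed BIND-9-style query-log lines, reports what share of queries would leak to the root as non-existent TLDs and which clients are responsible, and measures EDNS and DO support the same way the talk does. The log lines, the simplified line layout the regex assumes, and the 192.0.2.x client addresses are all constructed.

```python
"""Spot queries for non-existent "internal" TLDs and measure EDNS/DO support
from query-log lines. Added example, not the DITL tooling; the log lines are
constructed in a BIND-9-style layout and the client addresses are
documentation-range placeholders."""
import re
from collections import Counter

# TLDs listed in the talk as leaking to the root; none exist in the public DNS.
LEAKY_TLDS = {"local", "localdomain", "wpad", "invalid", "home", "belkin", "corp", "lan"}

# Constructed lines.  Flags: "+" = RD, "E(0)" = EDNS version 0 present, "D" = DO bit set.
QUERY_LOG = """\
client 192.0.2.10#52311: query: www.example.com IN A +E(0)D
client 192.0.2.11#40122: query: printer.local IN A +
client 192.0.2.12#33019: query: wpad IN A +
client 192.0.2.10#52312: query: fileserver.corp IN AAAA +E(0)
client 192.0.2.13#61000: query: ns.example.net IN A +E(0)D
client 192.0.2.11#40123: query: router.belkin IN A +
"""

LINE_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S*)"
)


def parse_log(text):
    """Yield one dict per parsable line with the derived tld/edns/do fields."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["tld"] = rec["name"].rstrip(".").split(".")[-1].lower()
        rec["edns"] = "E(" in rec["flags"]
        # DO is the "D" letter that follows the closing parenthesis of E(n).
        rec["do"] = bool(re.search(r"\)[A-Z]*D", rec["flags"]))
        yield rec


def summarise(text):
    """Leak share, who leaks, and EDNS/DO support over the whole log."""
    recs = list(parse_log(text))
    total = len(recs)
    leaked = [r for r in recs if r["tld"] in LEAKY_TLDS]
    edns = [r for r in recs if r["edns"]]
    return {
        "total": total,
        "leaked": len(leaked),
        "leaked_share": len(leaked) / total if total else 0.0,
        "leaked_by_tld": Counter(r["tld"] for r in leaked),
        "leaking_clients": Counter(r["client"] for r in leaked),
        "edns_share": len(edns) / total if total else 0.0,
        "do_share_of_edns": sum(r["do"] for r in edns) / len(edns) if edns else 0.0,
    }


if __name__ == "__main__":
    s = summarise(QUERY_LOG)
    print(f"{s['leaked']}/{s['total']} queries would leak to the root: {dict(s['leaked_by_tld'])}")
    print("leaking clients:", dict(s["leaking_clients"]))
    print(f"EDNS {s['edns_share']:.0%} of queries, DO set on {s['do_share_of_edns']:.0%} of those")
```

On a real resolver the fix for the leaked names is local: serve the internal suffixes (or an empty zone for them) from the resolver itself, so the root never sees them.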

NZNOG 2010 – Day 2 – Session 1

Lightning Talk

  • Geoff Huston – Stateless TCP and DNS
  • TCP limitations – rough at high load
  • UDP limitations – requires IP fragmentation
  • Problems when the response is bigger than the MTU; fragments of UDP IPv6 are often dropped. Switching to TCP drives up load again
  • Simulate UDP with TCP – do a minimal crappy response to fill the headers
  • Ignore options, the server doesn’t retransmit, ignores anything else from the client, just closes the connection
  • No reliability, no flow control, bad idea but seems to work
  • Olof Kasselstrant – IXOR
  • Small IX in Malmö and Copenhagen (2nd site being looked at)
  • DIX only IX in Denmark
  • Sponsors for fibre and equipment
  • Exchange in 2 countries. Does it affect the “must peer in 4 countries” agreement?
  • Dream to be in 4 sites soon
  • CCIP – Barry Brailey
  • Getting out of rewriting Microsoft patch notices
  • “Investigation and analysis” function being dropped
  • Information and alerting – website, newsletter, alerts – alerts targeted and highish threshold
  • Outreach and partnering – main function – liaise with overseas CERTs – talk to various groups – education: presentations, newsletters, exercises (CyberStorm III – volunteers)
  • Security information exchanges – various groups – traffic light protocol – looking at some new forums – maybe ISP SIE
  • Cloud Computing for Service Providers – Richard Wade
  • As a service provider – should I care?
  • Infrastructure foundation (Cisco, EMC, HP)
  • Infrastructure as a service (Amazon, Sun, Savvis)
  • Platform as a service (Amazon, MS Azure)
  • Software as a service (Salesforce, Google Apps)
  • Integrated management (network, servers, hypervisor, storage) – unified fabric
  • Why, and why should I care
  • Customer advantages – eliminate capex – reduce opex – IT as a utility
  • Customer problems – no LAN apps (often overseas) – WAN now business critical – operational relationship with an overseas provider – legal jurisdiction of data
  • Service provider advantages – understand managed services – existing datacentres and infrastructure – OSS, process staff and contacts – SLAs – domestic provider
  • SP problems – managed customer revenue declining – race to the bottom? – increased international transit – high expectations of quality and reliability
  • Lame alternative IX update technique – Simon Blake
  • New system to update filter lists for IXs
  • Citylink can instead download a list of networks from a customer URL
  • Pulls the list daily
  • If there’s a diff, email for confirmation or action it immediately
  • ALTO – Lloyd
  • Helping p2p users select local/nearby peers
  • GeoIP and anycasting – rough
  • ALTO allows the ISP to provide application, location, routing information, charging information, performance.
  • ISP puts on its network some servers (itrackers) that deliver the policy information to the p2p client
  • p2p caches (very close to the edge) can be advertised
  • Not currently in use in the wild
  • IPv6 taskforce – Dean Pemberton
  • InternetNZ + MED
  • TechSIG – 3 hui in 2009 – aimed at CIO/CTO – went really well
  • Looking at more training (session in 2009 already)
  • Other things the Task Force can do?

Building a Datacentre for less than $1 million – Gerald Creamer

  • When it’s your own money you care so much more
  • Had to move the datacenter to another building
  • Short version is that you can’t do it for less than $1m
  • Significant cost areas – physical – power – cooling – network – time
  • The right building – 18 m search – 100 sites looked at – 7 sites investigated – 4 sites due diligence
  • Engineers – “consultation” vs “conversation”
  • First culling – all concrete – not ground floor, not top floor – strong 5 kPa – high stud – no sprinklers – built between the 50s and mid-80s – CBD fringe
  • $400 per m2 to strengthen the building
  • 2nd culling – close to a street transformer – shorter power cable runs in the building – shorter pipes for cooling – outdoor space – generator space – near data networks
  • Useful – friendly landlord – nice bank – recession (keen landlord)
  • Save money – quality pre-owned hardware – “free” stuff – ask experts – do some stuff yourself – get experts to do the rest
  • Cables up an abandoned lift shaft
  • 2nd-hand generator – not as large as the final requirement but big enough for the current build
  • Room to upgrade UPS, generator, cables; space spec’d for more
  • Domestic meters to measure power in each rack
  • Process coolers (cheaper) 28 kW each, $1500/kW cost – $70k of aircon for $7k – check the serial number with the manufacturer to find the product history
  • Seismic bracing – $30k
  • Helped corporates clear out datacenters they were moving out of (“make good” on leases) and picked up some equipment
  • Citylink and Telstra provisioned fibre. Telecom less helpful.

NZNOG 2010 – Day 1 – Session 4

IPv6 deployment scenarios – Brian Carpenter

  • Assumed v6 would be deployed before v4 ran out
  • Change the transition model
  • More internetworking than the original IPv6 design anticipated. Assume v6 clients will need to access v4 servers forever
  • Tunnels – Dual-Stack Lite (share IPv4 addresses among customers by combining IPv4-in-IPv6 and NAT; driven by the Comcast BB model) – 6rd (blend of 6to4 and ISATAP providing automatic tunnelling of IPv6-in-IPv4 to ISP subscribers; deployed by Free.fr)
  • Older mesh and hub+spoke models also documented.
  • NAT64 – old NAT-PT deprecated
  • NAT64 – millions of IPv6-only customers needing access to IPv4-only services
  • NAT64 only solves 1 problem – cannot be met by dual-stack – a DNS64 DNS server creates an AAAA for a site with only an A record. Packets go to the NAT64 box and are translated
  • Various problems. 7 IETF drafts. Only solving one case
  • V6OPS WG – Emerging Service Provider Scenarios for IPv6 Deployment – ID; survey ISPs then publish the draft 03/2010

Rapid IPv6 Deployment in ISP Networks – Skeeve Stevens

  • Aim – get people to use IPv6
  • eintellego runs ISPs
  • What’s stopping ISPs implementing IPv6?
  • Why not? – Too expensive – bigger ISPs yes, smaller ISPs perhaps not; NOT expensive to do enough to be able to play with it
  • Why not? – Too hard – lack of internal skills – IPv6 is NOT hard, a Cisco admin should be doing basic IPv6 in 2h and IPv6 BGP in under a day – play now or else you will be overwhelmed later when everybody is yelling
  • Why not? – Don’t know where to start – start with an external co-lo box in the US – allocate a small amount of time – get access to a lab – start at the border
  • Why not? – No one asking for it – true enough – they don’t know about IPv4 exhaustion, but they will
  • Why not? – Little vendor support – improving – DSL CPE equipment getting better – carrier-grade NAT (CGN/LSN)
  • Why not? – What is IPv6? – from many IT professionals – integrators have minimal experience
  • Why not? – Who can help me? – commercially, very few people – some training courses – the community helps
  • IPv6 is big, break it down into stages
  • Experiment externally
  • Get an allocation from APNIC
  • Enable your edge (BGP)
  • Enable the core
  • Enable the desktop
  • Enable your hosting
  • Enable operational support systems
  • One hosting company just took 1 week
  • Very rapid training, just a couple of days
  • Simplified addressing – short to medium term – rapid deployment – format – 2406:9800::F:203.18.102.99 – use F0 instead of “F” for the next POP – using /128s will increase the routing table – “chazwazza” is the IPv6 equivalent of “octet”
  • We use /64 for all end customer assignments – static routes to make v4-in-v6 work
  • NTP might not work
  • Some security concerns
  • Go through common OSes, daemons, hardware (phones, printers, UPS, gameboys)
  • Might have to tunnel
  • Hassle the carrier if not provided
  • Hassle vendors if they don’t work
  • Some parts won’t happen overnight
  • Predictions – Telstra selling IPv6 mid-2010 – resource rush to grab IPv4 addresses while they can, surge in APNIC membership – exhaustion brought forward – a secondary market will come – APNIC will lose control

Simple allocation of IPv6 addresses to IPv4 holders – Elly Tawhai

  • Policy 73
  • Encourage greater uptake of IPv6
  • An APNIC member with an IPv4 allocation is eligible for a /32. A member with an assignment gets a /48
  • One-click IPv6 from my.apnic.net

NZ/IPv6 from (offshore) DNS – GGM (no name)

  • Passive tap on DNS servers – spot reverse lookups for in-addr.arpa
  • Capture all DNS in 1 day, look for NZ IPs
  • 1 in 10,000 lookups are doing IPv6
  • 1 in 200 queries for DNS use IPv6
  • 87.5% of active delegations seen in a 24-hour period
  • 45% of v6 networks live in a 24-hour period
  • 52% of v6 is Macs
  • IPv6 not on the phone
  • 6to4 common even with providers that do native IPv6

Things running late so IPv6 panel skipped.


NZNOG 2010 – Day 1 – Session 3

NZ Internet Task Force – Paul McKitrick

  • Out of the Cyberstorm planning session – “what to do about botnets?”
  • Task Force has a Steering Committee
  • Trust is essential – new members vetted – slow growth of membership
  • Protocol on how widely specific pieces of information can be shared
  • Information sharing – networking – training courses (honeynet, Shadowserver Foundation, Team Cymru)
  • Focus areas – telecommunications (Telecom honeynet, uni grads seconded to Telecom, walled gardens) – research (Botsearch.py, VUW honeynet, data brokerage) – strategy (phishing site takedowns, National Cyber Security Day 2010, NZ Computer Crime and Security project)
  • NZ IPs sending 110 million spams per day
  • Why – good for “.nz inc”, opportunities for research, networking, conduit for disclosure

Bits on a Budget – Perry and Jamie

  • Challenging the belief that PCs running Linux are useful only for slow, small, unimportant routing jobs
  • Changes in the last few years mean this may need to be re-evaluated
  • What changed – PC architecture, Intel stopped sucking, QuickPath Interconnect, PCIe, multicore – substantial improvement in Linux – multiqueue RX/TX to take advantage of multicore
  • Intel X520 10 GigE cards – significant hardware offload – TCP segmentation, generic receive offload, checksumming, multiple input/output queues, flow director
  • Well over 10Gb/s to hardware from CPU to I/O with PCIe
  • Server $9k – dual Intel X5570 – 6 x 4GB DDR3 – SuperMicro X8DTE with 1 I/O hub – server-grade redundant PSU – NIC $3k, 2 x dual-port Intel X520 10GE NIC + optics – Debian Lenny – Linux 2.6.32.5 vanilla
  • Created traffic generators as the test setup – 45 machines
  • 1 sender, 1 receiver (11 boxes to 11 boxes) – 9.8Gb/s – 1.2Mpps
  • 2 senders, 2 receivers – 18Gb/s [missed getting other stats but saturated links]
  • 3.5Mpps before collapse – PCIe thrashing, NUMA inefficiencies, young NIC drivers
  • Bridging instead of routing – L2 filters – performance approx. the same as IP routing
  • Firewalling – stress the box with lots of small TCP connections (hard to create; the generator needs to hold up hundreds of thousands of sessions) – open, receive 4k of data, close – lots of tweaks to create traffic – conntrack entries default to 65k, upped to 10 million
  • Firewalling – 150,000 connections/second reached (5Gb/s)
  • Firewalling – without conntrack – saturates 10Gb/s
  • Number of rules in the FW – 10Gb bidirectional, packet loss at 128–256 rules, no tuning – double that for single direction – test has each packet going through each rule
  • Do you need to be an expert? – If very fast, very cheap, then yes
  • Vyatta busy making this very easy – only pay for support, the software is free
  • GigE (even lots of ports) is pretty easy
  • What experts do – results over 90GB/s (40 in, 40 out) on current hardware – people investigating for commercial reasons

Secure BGP – Geoff Huston

  • Anything evil is possible on the Internet
  • If I was evil, through routing I’d attack DNS and forward to an interceptor web server. Attack NZ-based banks overseas so it appears OK here
  • Through routing, attack – the route registry system, DNS root, trust anchors for TLS, critical public servers, overwhelm the routing system
  • Large networks advertised (/8s etc.) by various networks with no obvious reason why. Same with AS numbers – v6 too
  • Nobody notices or cares about bogus routes being originated
  • Today’s networking is very insecure
  • Easy to – grab traffic, drop traffic, add false addresses to the routing system, isolate or remove a router from the system. Don’t need to hack the router, just inject false routing information
  • What to do – protect your routers – standard security (SSH access, maintain filter lists, user account management, access log maintenance, SNMP ACLs, etc.)
  • What to do – BGP filters, MD5, passwords, prefix limits, watch out for errors causing the BGP session to reset or come down – look at Rob Thomas’ BGP config templates
  • What to do – check the validity of routes your customers ask you to route before adding them to access control
  • Alternatively – can BGP check each update to make sure it reflects the way things actually are?
  • RIRs sign who owns IPs, so routing changes for that network are in turn signed – resource certificates. Sign derivative certs for sub-delegations of that resource
  • “AS 65000 can route 192.2.200.0/24” signed by the owner of that network.
  • What about path validation (the signed AS above can just be prepended)? A bit harder – some progress and funding and test implementations
  • Solution must cope with “partial use and deployment”; some good players will not use it any time soon.
  • A partially secured environment may be more operationally expensive but no more secure than what we have today.
  • Trust hierarchy is a “concentration of vulnerability” – single point of attack
  • Only want to achieve useful outcomes?
  • Perhaps just anomaly detection to spot a large percentage of the problems
  • Will need key management systems and processes within companies, like with website SSL certs
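
The origin-validation idea in the notes (“AS 65000 can route 192.2.200.0/24”, signed by the holder) reduces to a small decision procedure once the signed statements (ROAs) are in hand. The example below is added here and is not Geoff Huston’s code or that of any RPKI validator: it classifies an announcement as valid, invalid or not-found against a constructed ROA set, shows why “not-found” must still be accepted while deployment is partial, and shows the path-validation gap the talk raises, since a forged path that ends in the legitimate origin passes origin validation. The ROA set uses the 192.2.200.0/24 / AS 65000 pair from the talk plus documentation prefixes and private ASNs; the maxLength values are constructed.

```python
"""Route-origin validation as sketched above: ROAs say "AS X may originate
prefix P up to length L", and a received announcement is checked against them.
Added example, not Geoff Huston's or any RPKI validator's code; the ROAs are
constructed, using the 192.2.200.0/24 / AS 65000 example from the talk plus
documentation prefixes and private ASNs."""
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix asn max_length")

# Constructed ROA set.  A ROA with max_length 24 on a /24 covers exactly that /24.
SAMPLE_ROAS = [
    ROA(ipaddress.ip_network("192.2.200.0/24"), 65000, 24),
    ROA(ipaddress.ip_network("203.0.113.0/24"), 64496, 26),
    ROA(ipaddress.ip_network("2001:db8::/32"), 64496, 48),
]


def validate_origin(prefix, origin_as, roas):
    """RFC 6811 state for one (prefix, origin AS): "valid", "invalid" or "not-found"."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"             # no ROA speaks about this space at all
    for r in covering:
        if r.asn == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                   # covered, but wrong origin or too specific


def validate_announcement(prefix, as_path, roas):
    """ROV only looks at the last AS in the path (the origin); the rest of the
    path is not checked, which is the path-validation gap mentioned above."""
    return validate_origin(prefix, as_path[-1], roas)


def accept(state, partial_deployment=True):
    """Policy: reject invalids; not-found must stay accepted while deployment is partial."""
    if state == "valid":
        return True
    if state == "not-found":
        return partial_deployment
    return False


if __name__ == "__main__":
    checks = [
        ("192.2.200.0/24", [64512, 65000]),   # legitimate origin, two hops away
        ("192.2.200.0/24", [64512]),          # someone else originating the prefix
        ("192.2.200.0/25", [65000]),          # right AS, but more specific than max_length
        ("203.0.113.0/26", [64496]),
        ("198.51.100.0/24", [64496]),         # nothing covers it
    ]
    for prefix, path in checks:
        state = validate_announcement(prefix, path, SAMPLE_ROAS)
        print(f"{prefix:18} path {path}: {state:9} accept={accept(state)}")
```

Because the check is a pure function of the ROA set, the same code is what an anomaly-detection feed would run over a full table dump to flag the unexplained /8 and AS announcements the talk mentions, without needing every network to deploy signing first.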

Trends in Cybercrime – Marcel van der Berg

  • Plenty of bots in NZ
  • Few command and control servers in NZ
  • Approx 5000 unique IPs in NZ seen each day – trending up slightly long term
  • Increase in HTTP botnets vs IRC botnets, which are more static – around 500 controllers
  • C&C servers – IRC based in the US and EU – HTTP based in the US, China, Russia
  • 1 million open recursive DNS servers just used in 1 attack
  • Resurgence of the “pay per install” business – stable botnet platforms offer lucrative models
  • “Dumps” – information on magnetic stripe cards – reseller network – from ATMs / POS / payment processors / personally / in transit / any database holding data
  • “CVV” – personal data (addresses, names, etc.)
  • Make credit cards to match the info from the dump
  • “201” cards with a chip on them are harder to write/use and the numbers are worth less. Perhaps $50 for the blank card
  • It’s all about the people. It’s all about the money

NZNOG 2010 – Day 1 – Session 2

Emerging Video Internet Ecosystem – Bill Norton

  • Tier 1 ISPs, Tier 2 ISPs and content providers
  • Recent changes: big content companies peering 70%–80% of traffic, aggressively pushing out and peering with cable companies. CDNs also disrupting. Big middle
  • Video big growth
  • Perhaps 80% of Internet traffic is video -> Video Internet
  • How Hollywood delivers video and how the Internet delivers video are parallel and clashing
  • Hollywood system: creation/production (IP + money + work = movie)
  • Hollywood distribution: staged – theaters, pay-per-view, DVD, premium TV, commercial cable, broadcast TV
  • Hollywood model vs Internet model clash
  • Lots of room for innovation (e.g. set-top boxes, TiVo, Boxee, Hulu) over the commodity Internet vs over cable infrastructure.
  • Hollywood system is 100% push
  • Hollywood system adjusting to take account of the Internet model
  • Worldwide releases all at once
  • Download, buy and rent available
  • Combo packs: movie + DVD + soundtrack all in one package
  • Mini revolution achieved the Video Internet – cheap cameras + editing software, free upload and distribution (YouTube), dropping CDN/transit prices, broadband to the eyeballs, home wifi, set-top boxes
  • SkypeTV – killer app – what happens on Mother’s Day?
  • What would a purpose-built video Internet look like?
  • Portable TV, tablet
  • Video Internet – innovation at the lower end of content (conferences, cheap shows) since movies and primetime shows are expensive to make.

Next 3 years – Philip Smith

  • Internet has been growing since the start
  • “The Long and Windy ROAD”
  • Work on the next generation of IP since the mid-1990s
  • Current situation: perception that IPv6 hasn’t taken hold. Private sector worried about ROI to migrate
  • Status: service providers get a prefix automatically. Much discussion about transition among operators, deployment experience presentations, many providers have made backbones IPv6 compatible
  • OS and apps getting better
  • Content needs to be on both IPv4 and IPv6 (not yet)
  • Ongoing debates: IPv6 multihoming; rigid IPv6 address allocation model, “one size fits all” barrier
  • Ongoing: not every device is IPv6 capable (who cares about local LAN devices). We have enough IPv4. Migration vs co-existence (both will exist for years; dual-stack OS makes it trivial)
  • Why not NAT? Many serious issues
  • Is IPv4 running out? Yes!
  • IPv4 run-out policies by RIRs (last /8): soft landing, keep a range for 6/4 NAT
  • Issues today: minimal content on IPv6; giving IPv6 to customers might confuse them
  • Strategies available: do nothing; extend IPv4 (push customers to NAT, buy IPv4); deploy IPv6 (dual stack, IPv6 and NAT, various others)
  • Proposals to prolong IPv4, various NAT options: NAT444/SP NAT, Dual-Stack Lite, NAT64 and IVI
  • Many require a large NAT box to translate all v4/v6 traffic
  • IPv4 address market could happen. Will addresses need to be registered with the RIR to prove the buyer has the right to advertise them?
  • Spare /24s being grabbed and sold could cause routing table growth
  • Deaggregation varies across the globe
  • Large providers’ marketing departments pointing to a high ranking on the CIDR report as proof they are “big”. Morons
  • Reports: people towards the top of the list tend to feel flaky when you use them
  • BGP instability report (>5 updates per minute): people towards the top tend to be rough service
  • Running low on AS numbers; transition to 32-bit. They are in the wild
  • Reasonable software support for 32-bit ASNs
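To make the deaggregation and CIDR-report points above concrete, an added example (not from the talk, and not the CIDR report’s own code): given a table of announced prefixes and their origin AS, count how many routes each origin could have announced after maximal aggregation, and rank origins by the excess. The `ANNOUNCEMENTS` table is constructed from documentation ranges and private-use ASNs, and the shapes are assumptions chosen to mimic common causes of table growth: a /24 split into two /25s, a /24 announced as four /26s, an aggregate plus its own more-specific, and two genuinely non-adjacent /48s that cannot be merged. Aggregation is done per origin, which is also why a /24 sold on an address market to an unrelated origin adds a route that nobody can aggregate away.

```python
"""Counting avoidable deaggregation in a set of announcements (added example)."""
import ipaddress
from collections import defaultdict

# Constructed announcements: (prefix, origin AS). Documentation ranges and
# private-use ASNs only; the shapes mimic common causes of table growth.
ANNOUNCEMENTS = [
    ("192.0.2.0/25", 64500), ("192.0.2.128/25", 64500),          # one /24 split in two
    ("198.51.100.0/26", 64501), ("198.51.100.64/26", 64501),
    ("198.51.100.128/26", 64501), ("198.51.100.192/26", 64501),  # one /24 as four /26s
    ("203.0.113.0/24", 64502), ("203.0.113.0/25", 64502),        # aggregate + own more-specific
    ("2001:db8::/34", 64503), ("2001:db8:4000::/34", 64503),     # two halves of a /33
    ("2001:db8:8000::/48", 64504), ("2001:db8:8002::/48", 64504),  # not adjacent: genuine
]


def deaggregation_report(announcements):
    """Per origin AS: (prefixes announced, prefixes after maximal aggregation).

    Aggregation is done per origin and per address family: collapse_addresses
    only merges same-version networks, and merging across origins would change
    which AS the route points at."""
    by_origin = defaultdict(list)
    for prefix, origin in announcements:
        by_origin[origin].append(ipaddress.ip_network(prefix))
    report = {}
    for origin, nets in by_origin.items():
        aggregated = 0
        for version in (4, 6):
            same = [n for n in nets if n.version == version]
            aggregated += len(list(ipaddress.collapse_addresses(same)))
        report[origin] = (len(nets), aggregated)
    return report


def deaggregation_factor(report):
    """Announced / aggregatable prefixes over the whole table (1.0 = no waste)."""
    announced = sum(a for a, _ in report.values())
    aggregated = sum(g for _, g in report.values())
    return announced / aggregated


def rank_offenders(report):
    """Origins ordered by how many routes they add beyond what is necessary."""
    return sorted(report, key=lambda asn: report[asn][0] - report[asn][1],
                  reverse=True)


if __name__ == "__main__":
    rep = deaggregation_report(ANNOUNCEMENTS)
    for asn in rank_offenders(rep):
        announced, agg = rep[asn]
        print(f"AS{asn}: {announced} announced, {agg} needed, excess {announced - agg}")
    print(f"overall deaggregation factor {deaggregation_factor(rep):.2f}")
```

The same function works on a real table dump, one `(prefix, origin)` pair per line; the per-origin loop is what keeps a more-specific announced from a different AS (a sold /24, or a deliberate traffic-engineering route) from being counted as mergeable.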

Do your Fruit hang low – Adam Boileau

  • Adam is a penetration tester and Kiwicon organiser
  • Security guys are jerks
  • Maybe you need better security guys
  • Security is fundamentally asymmetric: defenders do lots more work than attackers. Hackers only have to find one hole
  • complexity == insecurity
  • 0day can happen to anyone
  • Full disclosure is dead
  • Vulnerabilities are worth money
  • Security is not a product
  • Security is a property of the system as a whole
  • Why do you care? It isn’t a network problem any more. The network is getting dumber (passive encryption), clients aren’t exposed any more
  • Virtual everything: consolidation changes everything. VLANs, VRFs, MPLS, virtual servers, virtual hosting, virtual firewalls, virtual network segregation
  • Lawful Intercept: harder to hack 1000 people or 1 telco LI system? Vodafone Athens, T-Mobile, Google vs China
  • The target is you (again). You are the management plane; you use crappy IE6 boxes on the corp domain
  • Your desktop: AD, patch management, AV, Outlook, TFTP server, IDS, Twitter, Facebook, outsourced desktop management
  • Security metrics: nobody knows how bad it is or who got hacked; media reporting is useless
  • Scanned 6.8 million IPs and put the results in MongoDB
  • Data-mined: lots of A records, self-signed certs, specific apps
  • Presented stats of various probably-vulnerable boxes
  • http://lowhangingkiwifruit.com
  • Tried contacting owners, no luck
  • Crimes Act very vague, no case law, etc.
  • What to do? Release? Release the toolchain? Release to some people? Just delete it?
  • Companies: Insomnia or Lateral Security