Monday, 30 July 2012

Shiny

Yes, well, new laptop is very shiny. And the question was what to engrave on it.

I have gone for an Astec calendar. From what googling I have done, it is not the same as the Mayan calendar, so not quite a 2012 thing. It is, however, a very intricate image.

On the lid, obviously, I have to make space for the apple logo, so I have put the face from the centre of the original on the back instead.

Overall, pretty distinctive. If anyone wants a MacBook Pro engraved, we would charge around £25+VAT for this type of job. It is a one off, like a tattoo, but thankfully you can always get a new laptop if you change your mind in the future.


Friday, 27 July 2012

Holiday

So, I see from an old Daily Mail article that "The Association of British Insurers yesterday warned of the dangers of posting too much information after it was revealed 40 per cent of social networking site users reveal their holiday plans online – while one in three include details of weekend breaks."

Seriously - the whole idea of social media sites is that you tell your friends every detail of your life.

Well tough! - I am on holiday soon, sorry I told the world. But we should live in a world with rules that allow some freedoms. One is that you don't steal. One is that you can say what you like, even if it is a threat to blow an airport sky high (well done on that ruling).

It is already depressing enough that I pay for insurance and an alarm system that would rival many offices, and an off-site recording video surveillance system and good locks including some internal rooms. We even have nagios on the case checking stuff in my house and texting me and others. None of this should be on me, the potential victim of a crime, and really I should not have to curb my public enthusiasm for going on holiday. Criminals should be forced to work to contribute to a fund to re-reimburse those that pay for insurance. In a truly civilised society I would not have to pay for any of this.

I hope to have a fun holiday - I will be connected as you expect, and in fact Greece will be too hot to leave the villa for the likes of myself. The new laptop means I can play WoW 24/7 if I like, in air conditioned rooms. That is a holiday, but so will writing an iPad app, which is a possible project. It is totally distracting with no deadline and is fun. The rest will sun bathe and sit on the beach as is their way. I'll be on irc, but unpredictably. I guess, as ever, I am on-call for "shit hits fan" scenarios, but even the Oylmpics should mess that up :-)

I am hoping for a new toy to take, which is a new camera, having not had a new one for 5 years. We'll see. Canon are a pain. I'll post pictures if I manage to get one.

So have a fun Oylmpics (as the tattoo says) - I will...

Thursday, 26 July 2012

The apple way or the fuzzy way

OK, the new macbook pro and retina display is damn cool.

In fact, it suffers from being too good!

This is a problem that I had previously encountered on a nice IBM screen (3840x2400). The pixels were too small for most normal desktop operations. Whilst it is often possible to increase font sizes, you can rarely increase all of the icons and window decoration on many systems in quite the same way.

Now apple have been clever - you get to select a virtual desktop resolution, e.g. 1920x1200, and it then scales to the actual screen resolutions of 2880x1800. This may sound batshit insane, but in fact it makes more sense than it sounds. The clever bit is that the scaling really only applies to things like bit maps (images) as the fonts are rendered using the native resolution anyway. So the virtual desktop is really just a major scaling factor not a loss of resolution. All very sensible.

Except... One assumes that the clever logic to use the native resolution where you can (fonts, and presumably vector graphics, etc), is only possible if you use the right libraries. Some non-apple apps don't.

This is a slight nuisance for me, as I normally use Firefox and Thunderbird for web and email on all of my machines (my desktop machines are linux of various styles). These apps do work, but they work as if the screen was the virtual desktop resolution, including all fonts.

Fortunately using Safari and Apple Mail is OK. Their mail app is actually pretty good. So I have gone the apple way rather than the fuzzy way. Still can't see where I set default fonts on Safari though.

There is no screen option for native 2880x1800, but there is some good news - apps like World of Warcraft simply see all the screen options including a native 2880x1800 and work really nicely - cool. No oversampling is offered, but to be honest, with pixels this small, you don't need it.

See.. Right is Firefox, left is Safari :-


Wednesday, 25 July 2012

Top UK ISPs finally agree to provide IPv6 to all customers?

An interesting article today on BBC discusses a new net neutrality code of practice which top ISPs have backed.

The idea is complicated. One of the concerns that has led to this is that people can sell premium packages for better performance to servers provide by specific companies, etc. i.e. charge for access to certain streaming TV, etc.

That is bad, but on the other hand, trying to define net neutrality is hard. For example, we offer email services and so do competitors. However, as our email servers are on our network, access to them is going to be better for our services than competitors. Is that against net neutrality?

Anyway, putting all that aside, as you can see from the BBC article, many top ISPs have signed, and one of the clauses is :-

Firms cannot market a subscription package as including "internet access" if certain kinds of legal content or services are barred.

This has one very interesting implication. These top companies cannot sell an "internet access" package that does not have IPv6. If they do, then they are barring access to any IPv6 only services. There only has to be one IPv6 only service in existence for this to be the case.

The article states "Ten ISPs including BT, O2 and Talktalk backed the agreement"

So, what can I say? If you are with any of these ISPs, and if they claim to sell you "internet access", and if you cannot get to www.loopsofzen.co.uk then ask them why. If they eventually work out that it is an IPv6 only web site, ask why they are barring your access, and if that means they are in breach of this new code of practice by doing so. Remember, you can always take them to ADR over this as well.

OK, I have to say that I am being unusually cruel to my competitors here, and so please do take that as a joke. However, they should not sign such a code of practice if they do not expect their customers to challenge them when they don't meet it. Also, they damn well should be offering IPv6 now (see other blog post).

As for A&A's position on this - we don't filter anything and have not had any court orders to do so - we don't deliberately block anything, we just shift packets to Internet transit and peering, and we have an open peering policy at the peering points of which we are members. We don't (and can't) guarantee there is routing to every part of the Internet, as the Internet does not work like that, but we are not deliberately blocking anyone. I am not sure I want to sign the code of practice as I am not convinced their definitions are right, but the principles we are happy to go with and always have been.

IPv4: THE END IS NIGH!

The glass is not half full!
Version 4 Internet Protocol addresses are running out - we all know this. Last February IANA allocated the last blocks to the five regional registries. Since then one of these (APNIC) has already run out.

This weekend RIPE, the regional registry for all of Europe, is forecast to run out!

Technically, running out means they are on their last block and are effectively in lock down so not giving ISPs any more addresses. In practice, there is a policy allowing one final block per ISP, but this is only a thousand addresses, which you can imagine is not very useful for the likes of BT or Virgin.


What this means is that UK ISPs can no longer get more IPv4 address space, ever.

They have to cope with what they have. Technically there are ways for IPv4 to be traded, and ISPs to acquire other ISPs, but apart from that, ISPs are a bit stuck.

So when will ISPs run out? Well, tricky. The forecast window has been down to 3 months for a while, so, in theory, ISPs should not have more than 3 months of addresses left! In practice all ISPs have (or should have) plans for how they are managing their remaining IPv4 addresses. You can expect changes in policy to happen now.

It is hard to say what ISPs will do. Some will deploy carrier grade NAT which means you do not get a real IP address when you connect. Instead you get a private IPv4 which is mapped to a share of a real IPv4 address. There is even a scheme where routers can directly get a share of an IP address (i.e. the router is told a range of TCP/UDP ports it can use and expected to NAT to those). NAT itself is not new, and not nice, but this extra layer of NAT and sharing has a whole string of problems and costs for the ISPs.

Even when one router is used to share an IPv4 address on a network and one person is using it, the router can run out of sessions or ports. We have seen this happen where someone cannot see something because it keeps failing at the same point. Given non NAT and real IPv4 addresses it just works. Such problems will get worse and worse with torrent users not just hogging all the bandwidth but also all of the ports on shared IP addresses.

You also have to remember, if someone wants to put a new server on the Internet, such as a new web site, they too need IP addresses. That is going to get interesting.

We can say what AAISP is doing, and it is good news. We have always given customers as many IP addresses as they need (as per RIPE policy). This means we have a lot more IP addresses than customers.

Over the last few weeks we have gone through a programme where customers that can qualify for their own addresses (provider independent space) get it, and give us back blocks of A&A IP addresses. That is no longer possible now that RIPE have run out. It has, however, given those customers security that they have their own, portable, IP address blocks and we won't be asking for them back.

The next step is identifying anyone that has IP space they are not using. The new sflow stats make this easier, and we are contacting people to reclaim unused address space. Obviously, we can also claim our last thousands addresses from RIPE. We will also stop offering blocks of IPv4s to new customers at some point. Right now, anyone needing a block of IPv4 has to discuss it with support.

Where people have IPv4 blocks, and their router can handle the WAN address being within that block (which many can), we'll be recovering the WAN addresses too allocating an overlapping address. This seems trivial, saving one address, but could apply to thousands of customers. Similarly, multi-line customers using a FireBrick for PPPoE can use one WAN address on all lines.

Obviously we are already getting people using IPv6. So the next step is people that are using their IPv4 blocks. We contact them to see if they can get their networks using IPv6 and ideally to no longer need the IPv4 blocks. We already sell router upgrades to get people on to IPv6 and supply Ipv6 to new customers as standard.

One of the main reasons for needing real IPv4 addresses is VoIP. We already have VoIP gateway functions in the FireBrick, and so many customers can upgrade so they no longer need the public IPv4 addresses. We also have IPv6 VoIP services and there are some VoIP phones starting to support IPv6.

The final stages, which may be years off, are that we start charging for blocks of IPv4. Ultimately we may even start clawing back IPv4 blocks to allocate to new customers. The hope is that we can always provide every customer with at least one fixed public external IPv4 address. We think we have enough IPv4 addresses to do that in the long term and never have to deploy carrier grade NAT. But it is hard to predict the future.

So, really, IPv4 is dead, long live IPv6.

Update: With no change in the underlying data, potaroo have changed their forecast from 29th and 31st July to 11th October!

Tuesday, 24 July 2012

Philosophy and Immortality

I have never read any philosophy so this is probably all old hat, sorry. Also, this could upset some of those of a religious persuasion, which is not my intention - don't read if you don't have an open mind.

Basically, this is my musings on the idea of immortality - living for ever. Something I am sure many have pondered. No, I am not dying (any more than anyone else), I am just getting older and philosophical.

There are, of course, some pretty half hearted concepts of immortality. Lets start with something simple.

The atoms in my body carry on after I die: They will end up in other things and people and live on forever in some way. I have to say that this is a pretty crap immortality, but it has the one redeeming feature that it is factual and true.

My DNA carries on in my children: I do have children, and this is slightly more appealing as an concept. It means something that was uniquely me carries on (so way cooler than just carbon atoms). Unfortunately each generation dilutes that by two, so very quickly you lose anything uniquely me. It is not a very long immortality really. However, again, factual and true, which is nice.

Deeds or monuments: This is interesting - the idea that some good deeds or some thing that I make could live on after I die. The Egyptian Pharaohs were good at this one. It is, of course, quite difficult and could range from just some family story, distorted from each generation to the next, right up to being Hitler. Yes, sadly, it is probably easier to be immortal by doing something very bad as something very good. It is a goal one could aim for (to do something memorable or long standing), which is nice, and it is factual, if a tad vague and unpredictable.

My words will carry on: This is an interesting idea - that we live in an information age. Before I was born information was very much attached to physical objects (books, etc). Now we live in the age of The Cloud and storage that grows faster than we can fill it. There is no reason this blog would be deleted after I die - not because it has anything profound, but because there is no reason to delete it. It will take an increasingly small amount of available storage to stay on line and searchable. Old blogs will become history projects. It is conceivable that in a thousand years someone could search for these words and find this very blog post. This is quite nice, and very plausible.

But enough of fact, lets consider fiction... and fantasy...

Reincarnation: The idea that you have a soul that somehow continues after death and goes in to a new person. This is all well and good, but the catch is that you do not recall you last life or even benefit from previous experience, even subconsciously. For all practical purposes this is as naff as the carbon atoms being re-used. Its really more of a story of future damnation - where "doing bad" now means a worst body for the next life, but "doing good" means a better one. It is totally crap as an idea of immortality. Of course, it falls over on the factual basis too.

Heaven: Heaven (or hell) or some eternal celestial plane when you die, and living on forever. An interesting, and even appealing, idea (with some caveats). You can see why it is popular. One big appeal is the continuity of consciousness that comes with this. A soul that re-incarnates with no memory is not "me". But moving on seems nice and fits with things that happen in life - one often moves on from one environment to another (job, home, etc). But I have to wonder, and always ask anyone that believes this, "what then?". You really start to run in to problems with the idea of living for ever. After all, even if there is every entertainment possible, even if you had the chance to live out anyone's life in history just for fun, even if you could play any game, when you have done all of those things a billion times, what then? Ultimately you have to consider enough is enough. You have to consider an end to your being. And if you accept there can be an end, then why do you not accept that it happens when you die rather than some arbitrary time later? Not really a workable immortality, and lacks any fact or plausibility, obviously. Shame.

Not dying: This is slightly more plausible - the idea that basically your body does not age and fall apart. But essentially you are still mortal - can be hit by a bus. Living sensibly you have no real prospect of dying and can really plan for the future. The reason it is plausible is that medical science is getting close to curing aging in various ways, or at least understanding it. You can be pretty sure it will not happen in my lifetime - bugger. There are some issues though: One being that you can still die, but another is that this does not work if everyone has it. You think the world is over populated now - wait till nobody dies any more - it won't work and will be horrid. You'll want to die soon enough.

Can't die: The basis of many a sci-fi, the idea that you cannot die (even hit by a bus). This is where your body survives or regenerates magically no matter what. This only works if you are one of a few people with this super power as otherwise we have the overcrowding issue. It also suffers the bored with living forever problem, but more so, as you would eventually be living in the heart of a dying sun, and expanding cooling universe - so getting bored -  only with none of the entertainment of heaven. Crap idea, sorry.

Mind backup: Another fun idea, and a tad less plausible but not quite beyond all possibility is the idea that somehow your mind could be copied. This could be down to micro cellular scans of your dead frozen brain to create a connectivity map. It could be that all that is you can be extracted by observation of you over your life by clever software. More fanciful is some star trek style scanner or transporter. All sorts of concepts of a way to copy your mind, and ultimately run you in a computer. This does solve some aspects of the over population as we could all live in Azeroth and take no space and eat no food. It is just about workable, but suffers the getting bored with living forever problems as above. One big advantage with being run in a computer is that you could sleep - suspend consciousness until something interesting happens. Ultimately all the players are permanently asleep - but technically immortal still. With that extra caveat of sleeping indefinitely, it could work as a concept.

Circular life: This is really one I dreamt up myself, trying to address the problems of the above. It involves a can't die scenario, and a time machine. You live on until life on Earth gets boring (due to a suitable meteor or some such), and then go back in time - say a few thousand years. You live all of that time again, remembering some things from the first time, and so having fun predicting the future. Then you do it again, and again, but your memory is not perfect, as memory is not, and so eventually the time loop is completely repeating with no changes. You live a life of someone that never dies and always vaguely remembers the future, concealing your longevity and blending in and having fun. You really do live forever with none of the problems. It does rely on a fading memory, but you are happy non the less. Bingo - the perfect answer. Oh! Crap! This is even more fantasy than the rest, maybe I have to stick to one of the concepts that is factual or at least plausible.

Please archive my blog after I die. In the words of today's DIlbert: "It's better if the dying and the ash scattering are separate events".

Monday, 23 July 2012

Loss, latency error correction and retries

Internet Protocol is a packet based protocol - it means that all information carried over IP is broken in to packets - a block of bytes of data. Typically these are anything from 1 byte to 1500 bytes, but can (at an IP level) go to 65535 bytes. When transferring a large file the data will be broken in to the largest convenient chunk (typically 1500 bytes of IP) by the higher later protocol (typically TCP).

The job of the link layer below IP is to carry these IP packets. Even the IP packets may be broken in to smaller packets (fragments) to do that as typically the link layer works at 1500 bytes maximum packet size.

There are many ways this can be done, including Ethernet (over copper or fibre), WiFi, ADSL, Modem, and so on. Each of these low level protocols operate in different ways and have different characteristics. Some times the low level fits these in to smaller fixed size blocks such as 48 byte ATM cells.

One of the key things to understand is that these lower layer protocols are not responsible for guaranteeing delivery of packets. IP as a protocol is not intended to be 100% reliable. It will drop packets because links are full of as a result of errors. The higher level protocols, such as TCP, manage any resending of packets that is needed to get a reliable transfer of data.

However, these higher level protocols work better if IP only drops or delays packets because of congestion. Packets dropped due to errors have a disproportionate effect on overall throughput. To put this in some context, if you have 1% random packet drop on a link, TCP will not manage to fill the link to 99% of capacity as one might intuitively expect. Instead, each time a packet is dropped, TCP thinks that this the result of congestion and effectively slows down the transfer. It is quite possible that as little as 1% random loss will reduce your TCP throughly by 90%.

If, however, the loss is down to congestion, TCP is right to slow down, and that causes the loss to go away. TCP speeds up when no loss. The packet loss is how it knows that it is going too fast (though some other mechanisms do exist for this now). So a full link will, indeed, have loss.

A full link also gets latency - this is delay of the packets being sent. This is because routers have a queue of packets so as to smooth out the bursts of traffic. It turns out that many systems have queues that are too big and so create buffer bloat which makes TCP somewhat less efficient.

So, a low level link passes packets. It might delay them a bit (latency) or drop them (packet loss).

Whilst low level links are not responsible for reliable transmission, it is sensible to avoid errors causing dropped packets. Some links are prone to errors, especially radio and high speed DSL links. These types of links often have an option called interleaving. Interleaving means spreading the bits of a packet out over time and interleaving bits of other packets. This is done in conjunction with forward error correction (there is no point interleaving if not using FEC). What this means is that packets have extra data added which can be use to repair lost bits due to interference. The interleaving is actually a trick to make a long burst of errors appears as a small amount of error in several packets and so be more likely to be repairable.

Interleaving adds more latency as the packets are stretched in time, but it is a fixed amount of latency that is added by this. The extra FEC bits make the link slightly slower (more bits have to be sent for the same data) but again this is a fixed and predictable reduction in speed. There are often different levels of interleaving that can be used and sometimes different levels of FEC. It is a trade off - more interleave is more latency and more FEC is slower throughput, but they make a link more reliable in the face of some types of error.

Whilst most links have a small level of FEC and interleave, there are cases where these are taken to extremes - where the FEC data is hundreds of times the amount of data. However, such things are usually only used for specialist applications such as communications in to deep space (e.g. Voyager spacecraft).

FEC means packets are more likely to arrive and so less are dropped due to error. One thing FEC does not do is re-try missing packets - that is still left for the higher level protocols.

So, why the educational rant? Well, it seems even high level escalations in BT are unaware of basic packet protocols. They stated that packet loss on a line can result in latency. This is simply not true. The loss will mean that at a higher level packets may have to be re-sent by higher level protocols, but does not create latency at a packet level. They also stated that latency (of over a second at times) could be the result of interleaving, not realising that interleaving adds a very specific defined and consistent latency (usually a few milliseconds). You only get latency like that if something queues a packet, and not at the modem level.

Saturday, 21 July 2012

Sacrificing Chickens!

Well, I have to say that the gods of technology are thwarting me...
[such gods being as plausible as any others]

My desktop machine is a Ubuntu machine for now. Mostly OK but causing issues from time to time. When they insisted on "unity" for my desktop I rebelled and went for good old gnome.

But the latest is a quirk with NFS. Unable to log in as I could not mount my home directory - I gave up and called in the big guns: Cliff, with comments from Paul, managed to get me back on-line. When Jimi is back from being in a field somewhere he can fix, and by fix I mean install Fedora.

While they worked I used the console - 80 column text on a 30" monitor to use irc. I did not need my reading glasses!

Of course, the answer is, in any god like ceremony, especially pagan...
Sacrificing chickens!


Is this IPv6 NAT? Someone shoot me!

Setting up a new Apple Airport Express as last one died. What do I see?
WTF is "IPv6 Connection Sharing" and why would you ever ever ever need it?

Update: Several comments suggest this is merely prefix delegation - I do hope so.

Friday, 20 July 2012

Finally, a UK mains plug you can put in your pocket.

One does not simply put a UK 3 pin mains plug in your jeans pocket. It will tear clothes and/or hurt you. Yet some times you want to take a USB charger with you...

I have been watching these people for a while, and I get the impression they have issues with the British Standard or some such - seems to taken forever. They have some clever ideas for foldable mains plugs and even compact multi socket mains adapters - but now they are on sale (well, the USB chargers are) at firebox. Well done.

Thursday, 19 July 2012

Barclays Fraud Dept

Well I am bracing myself for my holiday - I have more than one debit card and expect to take some cash too.

It is such a trauma going on holiday - even if you tell your bank - even if you spend thousands on plane tickets to the destination using the very same card - they may - just for the hell of it - block your one and only card when you are there in a queue in a supermarket in a foreign country in the name of "fraud protection".

When we went to Barbados a few years ago that happened. My Barclays card would not work. By some fluke I had with me a Lloyds card for an  account I had opened some years before, still valid, just, and never ever used, but had a £1000 overdraft on the account even if £0 balance from opening. The card was not even signed (oops). That worked, the Barclays one did not. I spent hours on calls (expensive ones) from Barbados getting Barclays to fix it. I was not repaid for that time or money.

So I am dreading my next holiday. Will they will try and protect me from fraud yet again?

But hang on - who are they protecting - who would be defrauded here?

I had this discussion with my bank manager (who comes to see me some times). I said I did not want this hassle - and he was shocked. Did I really want to "disable fraud protection" on my card. Sadly, even though I said yes, he was unable to do this.

You see the "fraud protection" is not actually to protect me!

It is a shame they will not actually be honesty about this even...

I am in very little danger of suffering from fraud - to do that someone would have to "fool" me. Someone would have to lie to me for some gain. What is far far more likely (and did happen once, and was not picked up by these idiots) is someone pretends to be me when asking the bank for money (typically, via some merchant).

Now, if that happens, who has been lied to? The merchant and the bank, that's who! So that is who has suffered some sort of fraud, not me. I would suffer (temporarily) the hassle of the bank mistakenly reducing the balance on my account thinking I had asked for money.

Only if I was somehow careless and gave out some details which I should not have (and contractually agreed not to, etc) like my PIN, would I, perhaps, be in some way liable for a fraud against the bank - i.e. only if they could say "well, we thought it was you because they had your PIN", etc, could they pass on that liability. I am not that daft, and some of my cards do not have a PIN even!

So, at the end of the day, I would far rather they did turn off their "fraud protection". The worst that could happen is they mistakenly take money from my account (which they have to put back when they realise it was not me) and so stop some transaction happening later as no money left. From my point of view this is exactly as annoying as them blocking my account because they think something legitimate is in fact fraud. It does not help me at all, in any way, whatsoever.

Well, we'll see. Listen to Mitchell & Webb's view on this.

Wednesday, 18 July 2012

Apparently *we* are BT Retail, that explains it!

That same fault where they suggest we get a BT Home Hub 3, we contact them about the fault not actually being fixed and the stupid notes...

The notes they then put on the fault about Dan calling them :-

"Dan from CP BT Retail contacted regarding want to rasie [sic] an escalation."

So, we are BT Retail are we, that explains why we should have BT Home Hubs.

Arrrrrrrrrrrrg!

Some details for the interested...

We generally like FTTC, not only because it is fast, but because the service is an Ethernet level handover. One of the classic issues with any fault is that "line" related issues (errors, low sync, drop outs) could be the modem or the wiring or the line or the DSLAM, and only some of that is BT's responsibility on ADSL services.

With FTTC the line, and the modem, are BT's responsibility, and they are even a BT install so the wiring from BT telephone NTE to BT VDSL modem is BT's as well.

This particular customer has a line forecast to get around 60Mb/s sync. He has a 40Mb/s capped service (standard FTTC) and does sometimes get the full rate (which works out just over 39Mb/s IP rate). However, he loses sync a lot and syncs at lower speeds at lot.

When the engineer went out the sync was 16Mb/s, having been 8Mb/s over night - clearly a fault for a line that should get 40Mb/s and be capable of 60Mb/s.

Yet the engineer reports "Customers Equipment, Error or Misoperation;End User own equipment" and tries to blame the PPPoE router not being a BT Home Hub 3. The line syncs even when no PPPoE router present at all, and the PPPoE router cannot affect that in any way.

Naturally our escalations team is on the case our end!

Tuesday, 17 July 2012

Get a home hub 3 from BT?

Advice from BT regarding one of our FTTC customers:-

"Change the router that they had installed as it was not a BT home Hub3."

"Router that was installed was not a BT home hub3, so i suggested that the they get one from BT."

Hmm, nice one BT, not! Trying to sell your products to our customers when we are paying you to fix a broken service that we pay you for.

[ref 1-12439644949]

Just to explain - Fibre To The Cabinet (FTTC) is a service which BT sell to end users as BT Infinity, and include in their service a BT Home Hub router product. It seems a nice enough broadband service.

We, as an ISP, provide our customers with an FTTC service. This uses the same underlying technology at the exchange and cabinet and in the premises as far as the handover point (PPPoE port on a VDSL modem). Unlike BT, the service we sell does not include a BT Home Hub (obviously) and is not called BT Infinity. We provide a different router (which does IPv6, by the way). The service has many differences apart from that, including a fixed IPv4 address or addresses, IPv6, a UK domain, and our constant line performance monitoring. Oh, and we provide access to the Internet without filtering.

Sadly, when something breaks, we often have to get a BT engineer out to fix it, as they have an exclusive right to work on the national infrastructure that is the BT network. They do say some annoying things to our customers on occasion. They sometimes refer to the service as Infinity (as they did in this case), and have even been known to refuse to install a service because a customer does not have a BT Home Hub.

I think this is the first case where they have said that the customer should get a BT Home Hub when repairing a fault. Oh, and it is not clear that they did int fact repair the fault in this case either.

It makes us look stupid and is very anti-competitive.

Sunday, 15 July 2012

Zero packet loss

I was pondering the concept of a zero packet loss service, following some comments on a post in ispreview. The commenter was adamant that it is impossible to provide a zero packet loss service. Of course, this was silly anyway as what we claimed is that the Ethernet service allowed us to do zero packet loss maintenance on our routers, which is not the same thing at all.

But I was pondering what was meant by a zero packet loss service anyway.

Zero is a problem, for a start. With a lot of metrics that one is trying to achieve in a service, one can design the service to exceed the require metric by more than any margins of error so as to guarantee you achieve it. When talking of zero loss, you can't do that - there is no way to have better than zero loss, in there? So one is working against a brick wall of a target. This means you have to define a tolerance or carefully define the measurement parameters.

The closest one could consider the services we offer to zero loss would be a point to point uncontended link. These used to be bare fibre with termination equipment (WES), but these days such links are switched at the exchange (EAD). Either way, if one has a 100Mb/s uncontended point to point Ethernet link, then that can be zero packet loss as a service. Any packet you put in one end will come out of the other end. Obviously, if you want to send 101Mb/s on a 100Mb/s link then it won't work, but it won't be the service which is dropping packets. In that case it will be your switch or computer trying to send more data that has to delay the data or drop packets in order to get what it is sending down a 100Mb/s interface. The service can be zero packet loss.

Is it really zero though? Well, the problem is that any outage whatsoever, any time, ever, in the life of the service, even for a microsecond, means the service is not zero packet loss any more. So actual zero is probably impossible. It has to be zero packet loss (when the service is working), and then have caveats on repair times for when it is not. But, within normal tolerances of Ethernet links, one can offer a zero packet loss service.

Better than zero? There is also the risk that a stray particle flips a gate on a receiver somewhere and a bit is received wrongly so a packet dropped. Interestingly, the newer standards for Ethernet at very high speeds have error correction, just like disk drives and indeed many communications systems these days. So actually, you end up with a case that packets get through even with a specified level of interference in the medium. In a way, this is making a system that is better than zero, in that it is still zero loss in the face of certain levels of error. Normal EAD links don't have this, but I think the FTTC VDSL does have it in some configurations, which means stating zero loss is more feasible. Sadly the FTTC is normally a shared link back-haul to the exchange, so contended, and so not something we would sell as zero loss anyway. In the future, more and more links will have inherent error correction.

Internet services are a tad special in that Internet access is never uncontended or zero loss. We can (and do) have services that are zero loss uncontended links from customers to us, and then we connect on to the Internet. Transit providers can (and some do) offer zero loss guarantees over their transit network, and even compensate if that is not the case. But that is to their border only. The very nature of the Internet means packets to a specific end point could be lost due to congestion on a link. Thankfully we don't try and offer zero loss services over the Internet, obviously.

Zero packet loss router maintenance is what we actually claimed. This is much easier, and even industry standard. The principles are very simple indeed - you have more than one path the traffic can take (in each direction), and you ensure that traffic is switched from one path to another, so as to allow one bit of equipment to be worked on when it is carrying no traffic.

There are several means to do this, including routing protocols like BGP and OSPF, or low level protocols like VRRP. Virtual Router Redundancy Protocol is mainly used for fall-back, i.e. if something breaks, and can react within as little as 30ms (with version 3). However, if can be used to manage which is the active router as a deliberate step as part of router maintenance. With the FireBricks we have a built in controlled shutdown and startup sequence which means VRRP and BGP both actively change incoming traffic to the other router before rebooting to run new code. The reboot is well under a second, and the startup is sequenced to ensure we have routing for traffic before taking over as master again.

Whatever the technique, the trick is switching the traffic from one router to another. With routing protocols, this is part of the protocol itself - you simply change what you announce. With VRRP the switching means a different device becomes master, and it uses the VRRP MAC address to convince a switch to change where it sends packets for that MAC.

In either case you want the old router to still accept and forward traffic during the switch over. This means that the sending end can take what time it needs to do the switch. At no point is the sending end unsure where to send a packet, it is always either the old router or the new. Whichever it sends to, the packet is sent on to where it needs to go.

The means that no matter how faster the packets are flowing, no packet is lost by the switch over process. There is no fine timing and co-ordination required, as the old router can accept traffic for as long as necessary (seconds even) before the sending end switches over.

Once traffic is switched off the old router it is no longer involved, and so can be worked on, rebooted, upgraded, or whatever.


So, I stand by our claim that we can do zero packet loss maintenance on our routers for our Ethernet services.

Thursday, 12 July 2012

Nice one Barclays

Or is it the new comms bill in work already?

What's my name?

I have long understood that, in the UK, your name is whatever name you are known by.

I would be interested in credible references from anyone on this, either way.

Basically, that we have no formal legal notion that we all have a single official name that we must always use, or that we have a single legal name.

Now I know about using a deed poll, which is a statement to the world renouncing a previous name and stating you will only use a new name. Even so, this is not something that is official or registered or anything - it is a statement you make yourself in writing (on paper with straight edges). To convince people (banks, etc) that it is a valid thing, you usually want a printed and even sealed one, but in principle you could just hand write it in crayon and it means the same thing.

I think a lot of people in the UK think that people do have an official name and even that a deed poll is some sort of official document.

The one thing that does matter, as I understand it, is that you don't use different names for fraudulent reasons. But you can be any name you like, and I think you can even be different names in different contexts.

I know loads of people that "go by" their middle name, and lots of people that use a name that is an abbreviation of their original name, e.g. Jim.

Why has this come up?

Well, I have used some aliases. This has not really come about by some desire to be covert or difficult, it just sort of happened. I have aliases in various contexts because of the way things work - e.g. you have a "handle" on things like irc and I am "RevK". I am "RevK" on a few World of Warcraft realms too. I am known to some as "The Reverend". Having been given an orc by a customer, I also ended up being known as Thrall Horde because we set up facebook account in that name, and that has been kind of adopted by myself.

At one point I was briefly known as Bill (with email of bill@gates.me.uk) because someone called William was trying to get bill.me.uk off me via Nominet dispute process. I called myself Bill for the discussions as someone going by Bill would have more right to bill.me.uk than someone called William, surely :-)

Anyway, there have been a couple of cases recently where the question of a person's name has come up.

One is Nominet me.uk domains that have to be registered to an individual. I have one registered to me where I am using the name Thrall Horde. I think that is valid. It is me, and I am not hiding that fact (not fraudulent). There are people that know me by that name, and some may only know me by that name.

Another case is RIPE getting confused by the notion that people can have any name they choose. They want your "official" name when applying for PI space and fail to understand the idea that we don't have "official" names in the UK.

From what I can tell there are countries where people do have a single "official name", probably countries that do have ID cards, which we don't, yet.

So, am I right? Am I legally allowed to call myself anything I want for non fraudulent purposes? Or is there one true official name that I have? If the latter, how is it that a simple self declaration like a deed poll is good enough to change my name for passport, driving licence, bank account, etc.?

I am pretty sure of the idea of having any name I want, but less sure that I can have more than one name in use in different contexts at the same time. I really don't know, and my googling is not getting me the answers.

Update: Some interesting references. It looks like there was once a restriction on changing a Christian name (from baptism) but that being generally not the case now, and in general one can simply adopt a name - its a matter of providing evidence that you have done so in some cases for some purposes. Some rulings seem to suggest a man cannot have two names at once but it seems also recognised that many people (particularly actors) do just that. It seems even the passport office will place an "observation" that someone is also known as stage name. Perhaps I should make Thrall Horde my stage name and get a note on my passport :-) The key thing is that a name is simply a (non unique) means to help identify an actual person - and if the name does that, and is not used for fraud, then it is your name!

Update: Nice article on names and computer systems.

Wednesday, 11 July 2012

Suggested serving size

Many foodstuffs have high levels of salt, or fat, or sugar, or something, especially snacks and sweets.

The government obviously want to fix this, being a "nanny state", and make it clear to people that the thing they are buying is bad for them.

So, they get manufacturers to add some traffic light things that show if levels of a few key things are high or low compared to recommended daily intakes. That will make it clear where things are bad for you.

But hang on, clearly, some things are sold in packages that are not one portion. A packet of breakfast cereal or a tub of butter are perfect examples. You can't rate the whole package, you have to rate a typical "serving".

So manufacturers get to suggest a "serving" size. Now, if that serving size was bad for you because of some very high level of some metric, then of course, the responsible thing for them to do is recommend a smaller serving.

End result, all things are good for you in the suggested serving size.

Taken to the extreme - see picture - a bag of aero bubbles has a suggested serving of 9 sweets. That seems to work out to be around 27g. They show on the back details per 100g and per 9 sweets. Its a 113g bag (about 38 sweets).


FTTC/Etherway working

Well, the good news is that the teething problems have been sorted and the service is finally working. There are many lessons to learn as to why this took so long to resolve, and we are waiting for details of the underlying cause from BT.

Obviously we provided details of the fault, packet dumps, and our views on what seems to be the underlying cause to BT. I hope this was helpful to them in resolving the issues.

However, it makes for a very interesting service.

I am pleased to say that we have managed to set up fall back routing for this customer. We are testing the link state on each of our connected routers, and allowing fall back to conventional broadband if the link drops. We can even set up 3G fall back as a third tier for this now.

This provides a high availability fixed price Internet access service to a small ISP in Basingstoke, and we now have a happy customer.

As I understand it, the roll out for this is to have all the exchanges that do FTTC and have Ethernet access nodes covered by the end of the year (around 500 exchanges).

RIPE NCC winding me up (again)

So, I have an block of PI, and so there is an inetnum record.
I am one of the maintainers (mnt-by) and so I can change details.

One of the details I can change, of course, is the "descr" record. It is described in the database definition as "A short decription related to the object." [sic]

Now, RIPE objected when I made a change (changing Adrian Kennard to Rev Kennard) and said I was not allowed to change this.

Well, these days, PI space is provided under a contract so I asked where in the contract it was that I should not change it. The referred me to a RIPE policy stating "Registration data (range, contact information, status etc.) must be correct at all times (i.e. they have to be maintained).".

To me, that is a requirement that I do change things where needed to ensure they remain "correct", and not, as RIPE NCC said, a prohibition on my making changes!

Indeed, whilst on an "application" for IP space, with a template inetnum, you are required to set "descr" to the name of the IP space owner, I cannot see anything saying that it is, as per the database definition, incorrect to update the record with any correct "short decription related to the object.". RIPE NCC have not answered this point at all. I may be wrong, of course, in which case they just have to reference the contract and policy in their reply.

Anyway, having agreed that we could change the PI space to my new company "Thrall Horde", and having sent all the paperwork they wanted, I changed the inetnum accordingly.

They have complained again about my making the change, even though the change is to ensure the record is "correct" and maintained as per RIPE policy.

Now they have locked the record preventing me from following the very RIPE policy they referred me to requiring that I maintain the record.

Arrrg.

Update: They have stopped me maintaining routes and domain objects too - now that is taking the piss.

Update: Spotted that my inet6num was not locked, but they had changed back to something not quite my name. What are they up to.

Update: Sorted - records unlocked and updated - so just now awaiting an explanation of what PI space contract terms and/or RIPE policy allowed them to lock the inetnum record, and supposedly prohibits my changing it in future. That will be fun.

Tuesday, 10 July 2012

BT refusing to work on a fault 24/7?

So, an Ethernet fault reported on Friday and still not fixed. Hmmm.

Basically, their latest plan is to :-

(a) wait until 00:00 to do some "tests", which will take until 02:00
(b) wait until 09:30 to have a "call" about the tests

That means STOPPING WORK for 6 hours now, working for 2, then STOPPING WORK for 7.5 hours before doing some more work.

That does not sound like they are working on this fault 24/7 to me...

I wonder what they will say in answer to my question "are you refusing to work on this fault 24/7?". Hmm...

I supposed at least if they are refusing to do what the contract says then they can kiss goodbye to the normal very limited compensation that is in the contract and pay something more realistic. After all, this would be breach of contract if they are. Well, that's the way I read it anyway.

Update: After lots of emailing, blogging, facebooking, google+ing, and tweeting, they are finally going to do tests now rather than waiting 5 more hours. Lets see how it goes.


iPad on PI

SIMDBy the wonders of modern technology my iPad is now "on my LAN" when I am out and about. I simply have one of my Data-SIMs set to relay to the FireBrick at the house which routes on to the LAN. Works a treat.

Although the iPad is not IPv6 when on the mobile network (watch this space on that one) the L2TP relay to my house is IPv6 - which is a slightly backwards world.

P.S. I cannot give it the same IP on WiFi and Data-SIM. Well, technically I can, but as the Data-SIM is a /32 route it means all traffic to it would go via mobile even when using the WiFi, which would not be good.

Top tips on getting PI space

First off, there is limited time to get IPv4 PI space. IPv4 is running out fast.

Secondly, you should only apply for PI space if you meet the allocation criteria. Fortunately that is not too difficult to meet.

PI space is your own IP address block. It has been around for a long time, and anyone can apply. You normally apply via an ISP (as doing so directly is silly expensive). It costs the ISP 50 Euros a year. AAISP charge customers £5/month.

Once you have PI space, you can change ISPs as you wish, and keep the same IP addresses. This does limit the choice of ISPs to ones with "clue" but that is not such a bad thing.

The problem used to be that if you did not have enough devices using IP to justify a /24 (256 addresses) you got a smaller block. The smaller block was then totally unusable on the Internet. This was just plain silly and wasted IP addresses allocated like this. Thankfully RIPE changed the policy last year so that if you are multi-homing your IPs (connecting to more than one other autonomous system, i.e. ISP) then you can get a /24 even if you have too few devices to justify that size block. This means that PI space is finally useful for smaller networks.

Obviously people should not lie on their RIPE application, but it was, previously, very tempting for people to "over estimate" their requirements in order to justify a /24. The new policy should mean more realistic applications.

To make use of this new policy, you do need to have some routing to more than one ISP. This can be done, even on DSL lines, if you have the right ISPs. It is more common if you have something more like a "leased line", or perhaps our new FTTC Etherways.

Of course there is one slight snag. PI space is meant to be non-transferable. This does seem a rather arbitrary restriction to me. It is not a problem now, but when one can no longer get PI space there may be people who do want to transfer PI space. They will probably simply not tell RIPE this has happened, which means RIPE records are wrong. It seems far better if RIPE did allow such transfers.

However, there is a simple work around which costs around £25, and then £15 a year. Simply create a dormant UK Ltd company and request the PI space for the company. You simply have to have the company run your network. Then, if you ever want to transfer the PI space you simply transfer, or sell, the company instead.

Obviously the new user would have to still meet the requirements for the PI allocation, as you always have to when you have PI. This includes using the PI for your own use and not for customers.

Fortunately, while RIPE still do PI space, getting my PI space changed from my personal use to that of the new company "Thrall Horde" was relatively painless. I should have registered it under the company in the first place though.

Usually, with your PI space, you will want an AS number. This is an extra cost at present, but it looks like RIPE policy is changing and AS numbers will be free again in future. You can multi-home without using an AS - it is not a requirement to actually use BGP for IP routing, and even if you do, you can use a private AS which is then dropped when your peers pass on your route announcements. So for now you can save the cost of an AS number.

You can manage all of the RIPE objects yourself if you want, rather than your ISP. Well, apart from the route objects quoting their AS number if you do not have your own AS. This is pretty simple on the RIPE web site now. You, or your ISP, will need route objects and then probably have to arrange changes to filtering for transit provides, but this is usually pretty simple.

You, or your ISP, will need to set up reverse DNS, but again, this is not too hard.

So far the only actual problem we have found is getting geo-location fixed. I get loads of german adverts on web sites at the moment and cannot access iPlayer. We are working out how to solve that one now.

What is interesting is the huge difference between a new IP allocation via RIPE and a new telephone allocation via OFCOM. With RIPE it is possible to apply for PI space in the morning, get it a few hours later, set up all the RIPE objects, contact transit providers, and have full multi-homed working IP addressing on the Internet as a whole by the end of the day. With phone numbers it takes literally months to get the prefix manually added to tables by each separate UK telco and international gateway, and even then you can be chasing up exceptions for months more. Why can't the telecoms world be more like the networking world?

Monday, 9 July 2012

Total BT con? 7 to 13 hour fix time?

So, BT offer 7 hour fix time on FTTC Etherways.

But the compensation is 15% of month's rental per hour, or part, after that, limited to 100% of a month's rental. That means after 13 hours and a second they have used up the 100% month's rental.

So fix in 7 hours, or if they take more than 13 hours they have an incentive *not* to fix the fault. I.e. they are charging rental for the service but you cannot report a second concurrent fault. So actually, after 13 hours, they are better off not fixing the fault.

What kind of messed up compensation scheme is that. Needs fixing BT. Now!

At the very very least one should not have to pay the rental while it is not fixed. After all, we have a fault on over 4 days fix now - we are paying BT for a broken service now, not even breaking even. Madness.

Of course, for engineer visits next working day, this works well for them, as almost any engineer visit puts them over the 13 hours, so they can work on "working days" and exclude bank holidays and so on, as much as they like. "24/7 including bank holidays" is meaningless when 13 hours is the maximum you have to care about. What a total and utter con, thanks BT...

FTTC Etherway - yes we are the first

FTTC Etherways are a new type of service which we are now offering. It seems, from talking to BT, we have the first live service of this type now.

The good news is that this is an exciting new service that should appeal to business customers. It combines the simplicity, high reliability and performance of national Ethernet services with the low cost and lead time of Fibre To The Cabinet (FTTC) services used for broadband. This offers the best of both worlds.

With the Ethernet services we can offer what was traditionally called a leased line connecting a customer to us with low latency and low, or zero, contention (sharing). The service has low target fix times for faults and is very reliable and flexible. We can connect people to two separate data centres at the same time for extra reliability, and provide dual router functioning (VRRP) for zero packet loss router maintenance on our network. This is normally provided as a fibre direct to the premises with accompanying cost and lead time (and digging up of the road in many cases).

FTTC on the other hand is quick and cheap to install and has lower running costs. FTTC is widely used for broadband, but normally makes use of the shared broadband back-haul infrastructure. This is more costly for high data usage, and suffers from outages for maintenance on BRASs and LNSs and so on.

By combining the two we can offer high quality Internet access using Ethernet back-haul but at a sensible price for a truely all you can eat service. This is still too much for most home users, but ideal for any business needing a proper Internet connection. BT even offer a 7 hour target fix time, 24/7, on these services.

The not so good news - the roll out for this is happening over the rest of this year - being an extra step once an exchange has Ethernet services and your line has FTTC available.

The bad news is that our first customer does not yet work - this is not really a detraction from such a great service as it will be fixed soon I am sure. It is just that we are the first. If only BT had taken up our offer to trial the service before launch!

Basically, from what we can work out, there is some typical source filtering that you would expect on a shared LAN end user access system (like a cable modem). Basically, for a shared LAN, you want to filter what customers can send so that they cannot spoof neighbours IPs and the like. To do this you make kit that only allows DHCP and PPPoE packets initially, and then any IP packets that match what was allocated by DHCP, and nothing else. It seems that this is what we have.

Interestingly one BT brochure on GEA/FTTC says it supports DHCP and PPPoE (which it does). An odd claim to make if it is in fact transparent, though both DHCP and PPPoE get extra data added for circuit ID and line speed, which is nice. However, the formal spec from BT plc (t/a Openreach) states very clearly that it is layer 2 (Ethernet) transparent except for a small list of low level frames like pause frames and LACP (sort of layer 1.5). The spec from BT plc (t/a BT Wholesale) also claims to be transparent. It is clear it should just work.

What we are seeing is ARPs and ARP replies not getting to us from the customer unless using the IP of a DHCP allocation. We see no routed IP packets, i.e. from other IP addresses either. This is exactly what you would expect on a shared LAN cable service.

So far, with a 7 hour fix time target, BT have taken 4 days. This is not good. Sadly, once they get to 13 hours they stop paying compensation (which is appalling, if you ask me). So now they have no incentive, apart from our constant nagging, to actually fix the fault. Ho hum.

Friday, 6 July 2012

Is this the first FTTC / GEA / Etherway?

Some of you may have heard these terms before... To elaborate :-

Etherway is a term for the end point access technology for BT plc's Ethernet services (t/a BT Wholesale). It allows various "layer 2" (i.e. Ethernet) wide area connectivity services. Etherway is the end point access technology, and can be FTTC, fibre, EFM (Copper) and all sorts. Etherflow is the point to point layer 2 (Ethernet) connectivity. Can be point to multi-point and all sorts, but we do VLAN tag one end to VLAN tag other end (or untagged if only one) layer 2 Ethernet services using this and connect people to other sites and/or the Internet.

Mostly Ethernet services are long lead time and expensive. Often they involve digging and extra cost. But FTTC is a new way to connect at the end user and quicker, cheaper, and simpler.

Basically, BT plc do GEA (Generic Ethernet Access) to allow telcos, such as, well BT plc, to connect to services such as FTTC and FTTP with a VLAN tagged Ethernet service in the exchange and connecting to end users using Fibre To The Cabinet (FTTC) or Premises (FTTP) services. It works well for normal broadband.

The service of GEA Etherways allows a layer 2 (Ethernet) end to end service from an end user on an FTTC line (with BT plc supplied modem) to connect to us in the data centre.

It is new. Up until now they have used copper (EFM) and Fibre (EAD) services to the exchange. They worked, but are expensive. The FTTC/FTTP (GEA) is new. And, on top of that, it sounds like we (AAISP) may be the first to try it! I have to say that I am not surprised.

Now, we have a very understanding customer (Tim, in Basingrad) who is trying this.

Seems that there may be some source filtering which is stopping any IPv6, and stopping all IPv4 unless DHCP allocated IPs. My guess is PPPoE would work. But it is far from right, and our friends in BT plc are struggling to make it work.

Fingers crossed they sort this as it is a very cool product - proper IP over some sensible connectivity with no BRAS in the way. Proper (all you can eat pricing) Internet for businesses. So thanks a lot to Tim for putting up with being the first - we'll see him right on this.

Calls from the grave

Dolly (mother in law) had a mobile (orange) which I paid. It was an old virgin equiv (zero monthly rental) tariff, which was ideal as she would run up the odd 25p of calls some months, if that.

Well, somehow, even though someone swears blind that the SIM was cut up, we have calls from the grave. Fortunately only £40 or so, but still...


Thursday, 5 July 2012

Geek present...

OK, I once got my son a UK Limited Company as a present for his 13th birthday. He was doing business studies at school, and had to make up some letterheads and business card, so why not do it for real :-) I don't think the business studies teacher appreciated it, which was a shame.

He still has it, and was 18 just in time for the law to change requiring directors to be 18. Phew!

Now I am considering an (early) present for his birthday, but as a fellow geek he may appreciate it. I am thinking of getting him an IPv4 /24 PI, multi homed and routed to his house in Sweden... I have to get it early as RIPE will run out before his actual birthday I expect.

Is this just too geeky as a birthday present I wonder?

Have you tried turning it off and back on again?

Latest from the National Lottery...

"Before contacting your ISP may I suggest disconnecting your ADSL connection for a minimum of 10 minutes and then reconnect. This will release the current IP address and gain a new one."

How quaint - they think I have ADSL and that it is a dynamic IP address.
LOL LOL LOL

So, latest email to ICO:-

Further to my previous email on this matter...

I am now having issues specifically with National Lottery (Camelot) regarding personal information they have relating to me.

They have confirmed that they believe I am in Germany!

They have deduced that my IP 91.240.176.1 is in Germany. I have advised them of their error. The IP address is in Bracknell, UK.

I have advised them of the direct association of an identifiable living UK individual (myself) with this IP address, which is one of my IPs assigned to me by RIPE (i.e. not my ISPs IP address, *mine*).

This is therefore personal information, and it is incorrect.

I have formally requested that they correct this erroneous personal information as the data subject under the DPA, and they are refusing to do so.

What can be done?

Now apple can't count?

OK, having found that the "buy today in your favourite apple store" was a lie, and having now found that actually, if you want more than the base model you have to order the new Macbook Pro on-line anyway, I ordered one, on the 1st.

I want it by the end of the month, and they said "Dispatched 3-4 weeks", so I figure I am OK then...

But somehow 3-4 weeks from 1st July equates to "31 Jul, 2012 - 06 Aug, 2012"


Pardon?!?!?


I make one week the 8th, two the 15th, three the 22nd, and four the 29th. So 3-4 weeks would be 22nd to 29th, not the 31st to 6th. That would be at least 4-5 weeks.


Why the hell can't any damn retailer actually do what they say?


As it is I am chasing a birthday present needed for this weekend, from simplyelectronics.co.uk, which still says 2-4 working days on the site, ordered on Monday, and now say 3-8 working when asked, and turn out not to be UK at all. Arrrrrg!

Government snooping for dummies

Basically, either the government can snoop on encrypted traffic, or they cannot. It does not matter which or how...

If they can snoop on encrypted traffic, then the systems for encryption will be changed until they cannot. There is no point in encryption if someone can snoop on it. It does not matter what the technology is, this is a simple fact.

If/when they cannot snoop on encrypted traffic then everyone using encryption for facebook, twitter, gmail, games, etc, etc, etc, will not be visible to them even to extract "communications data".
So, given that either now, or very soon after they have paid for lots of "black boxes", they will not be able to snoop on normal every day communications systems that are located outside of the UK, and used by millions of people - why the f*ck are they bothering?

Please pass this message on to your MP. It is as non technical as I can make it. Thanks.

Wednesday, 4 July 2012

Impressive speed test


So, a speed test from the data centre on my new PI space. Not sure why they always under estimate, but grade F- ? really ? And why would we obey that pesky speed of light thing?

Tuesday, 3 July 2012

PI

No, not raspberry, or 3.1415..., but Provider Independent address space.

PI space is a block of IP addresses assigned to me rather than to an Internet Service Provider. It means that I can move the IP addresses in future, and connect via more than one ISP. In fact, unless I get a lot more IP connected devices at home, I have to connect to more than one ISP.

To qualify, I am multi-homing my house. I should have the second link sorted shortly. But right now I am renumbering the LAN and updating reverse DNS. I should have IPv6 PI shortly too. All good fun - a whole /24 (that's 256 IP addresses) just for me!

I was pondering how this would work with the draft Communications Bill. I am connected to two ISPs. I can send packets via either, and can direct them on a per packet basis if I want, starting an SSL TCP session via one and continuing it via the other. If ever either ISP gets "black boxes", I'll do that just to see how they cope :-) Given that one of them is A&A, that is a tad unlikely for some time.

Even if they were just passively monitoring, they would not see enough packets to construct the TCP session and extract anything from it. If they were intercepting SSL traffic, they would simply break the connection, something that means I can complain to the ISPs in question, who should be able to complain that the government black boxes are therefore not fit for purpose.

I really hope an ISP can refuse a black box that actually breaks the service they sell, but who knows.

Then I was pondering the Digital Economy Act, and how that would work. I am the contact on the IP addresses with no encompassing block belonging to an ISP. Which ISP would Copyright Infringement Reports go to if one of my IPs was involved in something? For now both ISPs are too small to get CIRs, but if ever that happens, it could be fun to poison trackers with one of my IPs just to see how much havoc I can cause.

Oh! what fun.

P.S. Speedtest.net says I am 3550 miles from Maidestone, my ISP is "***", and that I am slower than 99% of the - I think it is a tad confused somehow.

P.P.S. National Lottery think I am outside the UK and that I should contact my ISP as only they can update my location details - ahem (a) which ISP, and (b) I control my inetnum records, thanks. Email sent to them to confuse the hell out of them. FYI, no, I don't actually play.

More: Getting cross wil National Lottery now as they are refusing to recognise my IP addresses are in the UK. I've started threatending them with the Data Protection Act now :-)

How it works: https

Most of us make use of https at some point, usually for accessing on-line banking or on-line shopping of some sort, but increasingly for more mundane things like facebook or twitter or gmail. It is meant to provide some extra security, but what does it provide and how does it work?

Snooping on your messages

Before we even consider encryption, consider that the easiest way to snoop on your communications is either before it is encrypted or after it is decrypted.

At the simplest level, consider you are sending someone an email, and using https to access gmail. You may take all precautions your end to be sure you are not snooped on in any way, but the recipient could be a dick and forward the email on to his mates, or post it on facebook. If you are considering security you have to think of the bigger picture and the people involved, not just the technology.

Thankfully most of us are not considering security but simply privacy. We (supposedly) have a right to privacy. We just don't want someone snooping, which is fair enough.

But if you are considering security, you do have to consider other ways an attacker can access your computer. There are hardware key loggers that plug in line with your keyboard, and are undetectable by the computer itself. There are viruses that log keys and grab images of the screen. Most computers have some sort of remote desktop facility, which means that you could be accessed if you have a poor password and poor  firewall settings, even though you have no viruses on the machine. There are many ways, but all of these really only make sense if you are being individually targeted, so really not a concern for most people.

Encryption

Encryption as a principle has been around thousands of years. The concept is simple, you somehow "scramble" your message before sending it in a way that only the intended recipient can "unscramble". This is putting it very simply though.

Encryption uses maths, and there are some very clever people that understand how it works. There is a whole science of cryptography. Myself, even though I have an A at A-level maths and a degree in computing, I struggle to get my head around the detailed maths involved in some of it. The principles, however, are relatively simple to understand and can be explained with some simple analogies, thankfully.

Using mathematics to encrypt things has been around for a long time, but only in the last few decades have computers been powerful enough for serious encryption to be used routinely. There are many different systems, but basically it is impossible to crack an encrypted message without having the "key". I should be careful what I say here - in cryptography there is no "impossible", it is simply a matter of making something that takes too much time and resources to crack in the lifetime that you need something to be secure. But really, for all practical purposes, we are talking "impossible" to crack.

There are, of course, conspiracy theories. The idea that "they" have scientists that have cracked modern encryption systems. Basically, many encryption  systems work on the difficulty of some specific mathematical problem. However, some mathematical problems have some "short cut" discovered that makes them a lot easier to solve. Some people believe such short cuts have been found and that governments can secretly decode all encrypted messages. This really is rather unlikely. Not only would it be unlikely for only one person to have found such a short cut, but it would be very unlikely for it to be successfully kept a secret. If you must have a conspiracy theory, it is far more likely is that governments just want people to think they have a way to cracking encryption.

Another theory is that "they" have huge computing resources to "brute force" the encryption systems. This has some grain of truth in that some older encryption systems can now be cracked in realistic time frames with large numbers of modern computers. Even so, this only makes sense when targeting a specific message. A realistic time frames could mean weeks to crack one message. In practice, modern encryption uses much larger keys which can't be cracked like this.

Of course, this is speculation on my part - but you can be pretty sure that if encryption in use today is found to be easy to crack, it will be changed very quickly to something that is hard to crack. Oh, and don't try and make any sort of encryption system yourself, it will be easy to crack :-)

Public key encryption

One of the key encryption techniques used is "public key encryption". Fortunately this is very easy to explain to someone without using any maths - a simple analogy using padlocks works well. In reality it is more complex, and public keys are used to encrypt random symmetric keys that are used to encrypt the message, but the basic principle is the same.

The idea is simple - imagine you have a very good padlock and a key for that padlock. You give me the padlock and you keep the key. Later, I want to send you a message and want to be sure nobody on the way can read the message, only you. I put the message in an impenetrable strong box and lock it with your padlock, and then send it to you. Nobody can open it. You get it and use your key to open it. Simples!

Trust, and man in the middle attacks

Of course you want all sorts of people to be able to send you messages, so you have loads of identical padlocks made, all of which open with only your key. You have your name engraved on them.

This means that when I want to send you a message, I just get hold of one of the padlocks with your name on it, and use that.

But what if there is an impostor, making padlocks with your name on. I end up getting one of these fake padlocks, and send your message. The impostor intercepts the message, unlocks it with his key (as it is his padlock), reads it, then locks it again with one of your real padlocks, and sends it on to you. Neither you, nor I, are aware of this. Oops.

The answer therefore is that all padlocks come with a certificate which states exactly who's padlock it is and lists the locks serial number (that somehow cannot be forged). This certificate has a seal on it (which also cannot be forged) which is one of the well known "certificate authorities" which we all trust to issue certificates for padlocks.

OK, that sounds a tad woolly doesn't it. The whole "cannot be forged" is achieved using public key encryption to "sign" things. I won't go in to detail, and there are analogies using padlocks and keys for that too, but lets just assume for the moment that it is possible.

This still leaves an issue - how do I know the seals of the trusted certificate authorities, and to be frank, how can I trust these people? After all, I am trusting them not to issue a fake certificate to the imposer?

The first answer is that my web browser comes with a list of certificate authorities (CAs). I can poke around with the settings to see the list. This just leaves the matter of "How do I know I can trust then?"

That is harder - the list of CAs in my browser may have some familiar names, but will have lots I do not know. If I have not personally inspected these companies, checked the security, processes, staff, and ethics I have no way to trust them, yet I do, every day!

The main reason I can trust them is that they trade on their integrity. If they did certify a fake padlock (so to speak) that would be found out eventually, and they would lose credibility, They would be removed from lists in browsers and people would not trust them. They would go out of business, and they know this. So they have to "do the right thing" to stay in business. It is not ideal, but it is a basis of trust, just.

https

When you access a web site, all of these principles are deployed. Your browser gets the "padlock" from the other end, with the certificate signed by one of the certificate authorities in the browser. It checks the certificate. It then uses this to negotiate the keys for the encryption to be used. Then you communicate with encrypted messages that cannot be decoded.

How serious is a man in the middle attack?

A man in the middle (MITM) attack means intercepting the communications - the whole "impostor with fake padlock" thing... This has some problems, thankfully.

Firstly, you have to actually be able to intercept communications. This is hard to do generally. It is a lot harder than simply monitoring unencrypted traffic (which can be done by tapping phone lines, or even bending fibres until light leaks!). It could be done by your ISP, or, in theory, by government mandated "black boxes".

The second issue is these pesky certificate authorities. Your fake padlock has to be certified. One way is to somehow get a new CA (which the impostor controls)  in the CA list in the browser. This is hard, and certainly hard to do without being noticed. In theory a government could make it a law, but that would be very obvious and not very popular. Also, the browsers are not all made but companies - some are made "by the people" i.e. community open source projects where there is no legal entity to legislate against or intimidate. The other way is to get a copy of the "seal" from a CA that is already in the list. This will be bad when it is found out as it ruins the credibility of that CA and they get removed from browsers.

Basically, on a small scale, to target someone specifically, if you can arrange the physical access to intercept traffic, and if you can get a new CA on the users browsers somehow, you can do this. In practice this is hard. Where this is done is in corporate environments where regulation or corporate paranoia mean they install black boxes in the office. In such cases the staff know about it, and so it is no surprise that they have a special CA on their browsers.

You cannot covertly do this on any large scale - the change of key (the fake padlock) is always detectable if you look for it. Imagine that I get a fake padlock and certificate and meet up with you and compare with one of your real padlocks - we can see it does not match and know something is up. We also get to see who certified the fake padlock.

Of course, always remember, the web site you are communicating with can see the data - that is the idea. If they want to, they can use that data in various ways you may not like (legal, or non legal), and they could be compelled by their government to hand over data.

Summary

There is no way in hell that any government can snoop on all https traffic in the middle without the public knowing they are doing it. It only takes one person to check the keys to discover it.

If someone is snooping on your https then they are able to see everything, not just "communications data", if they want to. You no longer have the privacy to which you thought you had a right.

If https becomes snoopable by any means, then the "community" will come up with better systems to make it impossible. There are already changes afoot in the area of https that will thwart snooping by governments, and now there is even more incentive for such changes in the last few weeks.

Monday, 2 July 2012

You are now breathing manually

OK, under the needle (insulin) and working well.

Only catch is I have an appetite now, and eat more, and, well, getting fat.

So need to adjust insulin down, exercise more, and try and make it balance.

"You are now breathing manually" is a meme, for winding someone up making it feel that have to think to breath. But with diabetes "You are now balancing insulin and sugar manually" is kind of very true.

Bugger.

How it works: Private Browsing

Occasionally people want to view a web site that they would rather others did not know they were viewing. The classic contrived marketing example being buying a present for your wife. The reality, I am sure, is people watching porn.

So how does the Internet work, and who can see what you are doing?
  1. Well, the one thing you can be sure of, is that the web site you are visiting can track your IP address and knows that your IP is visiting their web site. No matter how the web site works, that will pretty much always be the case unless using something like TOR. However, to them you are a faceless IP address, and they will probably assume a dynamic IP address that will not be the same person tomorrow or perhaps even a second from now. They are also in some other country, probably. They probably have no interest in ever finding out who you are, and just want you to buy their premium services - just hand over your credit card now - there are girls waiting in Arnold, Nottingham for you :-)
  2. To access the web site you will have used something called DNS. This all happens behind the scenes. It is a system to convert names like (OK, every example I invented already exists, but www. something) in to the internal IP address used by your computer. The DNS server is probably run by your ISP. Surprisingly most DNS servers are not set up to log accesses (but could) and DNS accesses are not something covered by the UK Data Retention Directive. So yes, your ISP could know that you looked up a specific host name, and infer something from that if they wanted to. However, ISPs (well, most ISPs) have some integrity and would not look in to that. Also, you can use external DNS servers like 8.8.8.8 (google) and then the logging (if any) is again some anonymous dynamic IP address. If you really want you can run a local DNS resolver and avoid logging like this at the ISP or google, though some servers will be able to make logs.
  3. Your computer logs all sorts of crap, like you would not believe, but most browsers have a "private browsing" mode of some sort, or at least a "clear history" mode which means you can erase pretty much all of that. The "private browsing" mode is likely to be the most private. It is designed for this specific purpose (!) and so it does not log stuff. This is a reputation thing - someone making a browser that leaked your "private browsing" stuff would be exposed and laughed at.
  4. In order to actually access the web site in question, the packets do pass through your ISP. They could be snooping - but again, most ISPs have some integrity and would not be looking. To be honest, as an ISP, we really have no reason to look at, or care, what the hell you are up to, and would not do so.
  5. The packets pass through intermediate ISPs and transit providers. They have even less incentive to ever look at what you are up to, and less way to tell who you are - so again, low risk.
  6. On the way, if you are in an office, or even some homes where you are not the IT person, the packets could go via a local router of firewall that has some logging. They could log stuff. Your employer can, and may feel the need to, log your DNS lookups and your network traffic. Private browser mode will not help you. They almost certainly know which IP is which employee. Just go home!
So, over all, at home, you are pretty safe if you use a "private browsing" mode, to find your wife/girlfriend a surprise present, obviously...

That is, except, for the new Communications Bill, which will, if passed, mean that all those web site accesses are snooped, and logged, and kept for a year, and accessible (officially) to various parties (e.g. police) and of course unofficially to anyone that hacks the black boxes... Oops.

Sunday, 1 July 2012

Monitor or intercept

The latest snooping proposals from the government have a lot of issues, moral, legal, technical, security, and many more. But there have to be some "lines" that have to be drawn somewhere and they need to understand them. One such line is between monitor and intercept. There are many other lines, and some are hard to draw (like difference between envelope and content), but that is something for another day.

Monitoring means "listening in", in effect. It means the communications continues as normal, the same as if you are not monitoring, but you as the person doing the monitoring get to see a copy of some or all of what is being communicated.

Intercepting means you actually take the communications, and do things with it before sending it on. You may change where it goes, block some of it, change some of it. It is much more serious in lots of different ways than monitoring.

The problem is that the government want to be able to track who is talking to who, i.e. the communications data. I am sure they would love to see what everyone is saying as well, but they know that really is going too far to get re-elected. To be honest, what they seem to be proposing now is going to far for my view.

However, there are plenty of means of communication that are not handled by someone in the UK. Facebook and twitter and games and all sorts can mean that they would have to convince a non-UK company to provide monitoring of that communications data. They don't like this, for obvious reasons.

So they want to snoop on the communications as it passes through UK ISPs. Essentially monitoring everything, so it seems.

There is another problem - some of these non-UK companies are using encryption - i.e. https (secure web page access) like your bank uses. This means that they cannot see what is being communicated simply by monitoring in the middle. The whole idea of encryption is to stop such things.

They claim to have a way around that! Why the hell to they think they can monitor encrypted traffic? Well the answer, we think, is that they have had vendors of black boxes show them it can be done. And, in a controlled corporate environment there are ways. One way is taht you mess with the settings on everyone's computer so that you can do what is called a "man in the middle" (MITM) attack without the computers being aware of it (installing a new CA). In effect you pretend to be facebook or twitter (or your bank) when talking to your computer, and you make it believe you. Then you pretend to be you when talking to facebook, twitter, etc, and pass on the content of the encrypted communications after looking at it and taking a copy. In theory this can be done if you are in bed with the certificate authorities and get a dodgy CA. And CA found doing this would go out of business quickly though.

For me, this moves very clearly from monitoring to interception. Now you are actually messing with the communications. This is very very bad for a lot of reasons.
  1. It is just wrong - if you are monitoring, then that is all you should be doing
  2. It undermines the whole principle of secure communications and can allow real MITM attacks behind the government system
  3. It allows you to snoop on the bank, and anything else you want
  4. It is detectable by anyone that is looking, and more and more people will look
  5. It will break lots of things
  6. I creates some really nice targets for any criminals and hackers to go after
  7. It is technically a nightmare, including scaling issues and single points of failure
This last point is very important. For an ISP, monitoring communications can, in principle, be done by setting up a monitoring port on one or more switches. These are a port to which the switch tries to send a copy of every packet. Technically, this is simple, though picking where to put this in the network is harder. Also, it is low risk. If the black box breaks, the network does not. If there is too much data, the black box does not see 100% of it, but it sees some, and again, nothing actually breaks.

But, if you want to intercept traffic, that is a lot harder. It means that you send everything in to and back out of a black box. It means ensuring all of the communications goes via this one point, and does not have packets spread over several redundant links. It means your whole network relies on the black box working and having enough capacity to cope with the load. It also means some stupidly expensive black boxes. Looking on-line there are some expensive boxes that handle 100Mb/s of traffic and some really expensive ones that handle 1Gb/s of traffic. Even A&A's tiny network is going over 1Gb/s now. They need many orders of magnitude more in order to work with any of the larger UK ISPs. It is basically impossible but trying will break lots of stuff.

It won't actually help. There will be ways to communicate securely and without monitoring the communications traffic. There are well established systems in place for this designed to allow people working under oppressive regimes to communicate with the outside would - where being found out could get them shot. Such systems will always exist, and there is no reason to think that they will not be used.

One interesting discussion on the mailing list is what if a web site wants to be check they are not intercepted. It is possible a plugin or some websocket javascript or some such on a standard browser, right now, could check the certificate data on an SSL link. If that is the case, any web site could simple include a simple app to report to the user that they are being intercepted. The likes of facebook or twitter could make it so you cannot use them from an intercepted connection. This is even more possible, and perhaps likely, for games where the client is the game itself. Well, what would a hacker do to bypass this? they would change that javascript or app on the fly, so that it does not report the issue. Would this be going to far for our government? I bloody well hope so. If this is allowed, then what of a page that has on in it text giving instructions to tell the end user how to check the certificate (as we do on the A&A accounts web page)? Are they allowed to change the text on the site to remove such instructions? What else would they be allowed to remove, AKA censor?

At the end of the day, we have to consider very carefully how much freedom and privacy we want to give up. Remember, bee stings have killed as many people in the UK as terrorists so far this millennium. Think of the bees!

Update: ISPreview say "At present ISPs are already required, if requested, to maintain a very basic log of their customers’ internet website and email accesses (times, dates and IP addresses) for a year, which is made available to various government and security services via a warrant. This does NOT include the actual content of your communication." which is not quite true. We only log email that goes via our mail servers and web pages accessed on our web servers. We have not been asked to keep these logs for a year. We do not have to snoop on customers to see what web pages they access or what emails or tweets or pokes they do. This new law would require that.