Tagging and the Tag Cloud

I've gone through and tagged every previous entry with various keywords. I noticed one thing very quickly: I have a lot of meta posts (just like this one) about the blog itself. It was also interesting to see that I posted more personal (feelings, not data) stuff than I'd ever planned on doing. I thought about going back and deleting it, but with the Wayback Machine archiving most if not all Internet content for everyone to view... why bother. I'll leave them here. I'm a human being, just like most folks reading this blog, so yes, I have feelings and have been in love and have folks that taught me things growing up. :)

One of the tags I used was "high horse"; these are the entries where I pontificate on one subject or another. I'll be upfront and state that my opinions may come across stronger (or weaker) than they were and they might be totally different now... so read what you will into them.

Enjoy!

New Version of Movable Type

Thanks to our local Blog Admin Wizard, Chip... we have a new version of Movable Type up and running. I love the new interface, it rocks. :)

Testing Blog Software

Wow. What a weekend. Decided to upgrade MySQL to allow the upgrades of a couple of other things on the server, and it was a "downhill" event. Everything looked good when I went to bed last night at about 1am. But then when I woke up this morning, Apache was down.

Too long of a story to post, but let us just say that there are many things now upgraded and all once again working in harmony.

Wireshark Coloring Rules - Updated

I've updated my Wireshark Coloring Rules. They work on a 2.6GHz MacBook Pro running 10.5.4 and Wireshark 1.0.2. I had to remove some of the Analysis Flags due to TCP & CRC Offloads of the MacBook's Ethernet NIC... well, I think. :)

NANOG43 Notes

NANOG43 is in Brooklyn, NY this year. These are my rough notes, if I have any. Also, I'll not link to every topic if I'm not all that interested in the subject. You can find the agenda with links to most if not all of the presentations. If you have questions about any of them, feel free to seek me out.

Security BOF
Updates from various Security groups and call for participation.

Community Meeting
Pretty quiet meeting actually. MLC wasn't nearly the hot topic that I believe everyone was expecting.

Keynote
Jay Adelson, CEO of Digg
Views from the Other Side: Confessions of a Guilty Customer

Lots of discussion about being the customer side. Mostly light like the Keynotes have been at NANOG so far, but had some nuggets as all things can. Jay is a very good speaker, but being a serial entrepreneur he kind of has to be.

Coolest thing from pres was at the end when he put up: http://labs.digg.com/swarm/

Peering Wars: Lessons learned from the Cogent-Telia Depeering
Martin Brown, Alin Popescu, & Earl Zmijewski, Renesys Corporation

Favorite quote: "Being a tier 1 is not easy. You will be punished if you are perceived to be in a position of weakness."

Internet Traffic Trends -- A View from 67 ISPs
Craig Labovitz, Danny McPherson, Mike Hollyman & Scott Iekel-Johnson, Arbor Networks

78 ISPs now... sharing data every hour, 5 minute aggregate data
5 MSOs, 4 Tier1s, 15 Tier2s, 4 Content Providers, 1 R&E, rest did not self-classify
1300 routers

Mac OSX X11 ANSI Line Drawing Font

Every time I get a new Mac, I always end up losing the line drawing font in X11 for some of the older ANSI apps that I still use. Fortunately I Google it and find the same post on Slashdot that tells me how to do it.

So, I'm tired of having to search for that every time, plus the answer is buried deep in standard Slashdot "First Posts" and other drivel, so hopefully this entry gets picked up by Google as a good, simple place to answer the question: How do I get ANSI line drawing characters in Mac OSX, or at least in Mac OSX X11?

And the very simple answer, by an anonymous coward who I can never thank enough:

  1. Go download sabvga.pcf at: http://home.earthlink.net/~us5zahns/enl/ansifont.html
  2. Place sabvga.pcf in /usr/X11R6/lib/X11/fonts/misc
  3. cd to that dir and run "sudo mkfontdir"
  4. Fire up X11 in your Utilities folder
  5. Open an Xterm and run "xterm -fn sabvga"

YouTube Outage, Layman Explanation

YouTube went down on Sunday the 24th of February. A good summary of the events (at least for geeks) can be found at:

http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube.shtml

There have been LOTS of comments on NANOG all weekend about it. NANOG is the North American Network Operators Group, generally a bunch of folks in the Americas who participate in some way in the operations of networks and the Internet. You can see the archives at: http://www.merit.edu/mail.archives/nanog/ and see some of the mails that flew back and forth regarding the outage.

I thought I'd provide a summation for the one or two folks who read my blog but aren't geeks, or network geeks at least, and maybe teach a little about networking in the process.

Basically, on Sunday the Pakistan Government told Pakistan Telecom (along with other ISPs in Pakistan) to block YouTube. Pakistan Telecom decided the best way to do this was to "black hole" some YouTube routes. Black holing traffic on the Internet is basically forcing traffic to a different location and then throwing that traffic away. One of the most drastic ways you can accomplish this is by using the first decision a router makes when deciding where next to send a packet. That decision can be described as "Longest Match Wins" in routing.

Think about Longest Match this way. Say you have an address of 221 Main Street, Fairfax, Virginia. Now say you had four paths in front of you: the first path said "Virginia", the second path said "Fairfax, Virginia", the third path said "Main Street, Fairfax, Virginia" and the fourth path said "221 Main Street, Fairfax, Virginia". You would choose the fourth path because it takes you directly to where you need to go.

So, Pakistan Telecom decided to cheat a bit and say, instead of just going to "YouTube", follow these paths to "West Coast YouTube" and "East Coast YouTube". I've greatly simplified how YouTube breaks up their IP addresses, but the concept holds for this example.

Now what SHOULD have happened is that Pakistan Telecom (PT) SHOULD NOT have advertised those more specific directions (address prefixes) to their upstream transit provider. Those more specific address prefixes should have only been used inside the PT network. However, those prefixes got "leaked". Basically someone put the road-sign up for the public telling everyone on the Internet that PT had the most specific path to get to YouTube.

YouTube responded amazingly quickly (30 minutes) and basically started advertising the more specific blocks themselves, thus the Longest Match rule no longer decided anything and instead you had two "221 Main Street, Fairfax, Virginia" road-signs posted; one just said 10 miles, and the other said 1000 miles... people are going to take the shortest path then. Determining the shortest path is another part of routing. Perhaps another day I'll take some time to explain that one.

Longest Match specifically refers to taking your address and comparing it to a routing advertisement (the prefixes) and looking to see how many leading bits are identical in the two. If you've worked with computers you probably know about the Subnet Mask that you have to assign along with your IP address. The Subnet Mask is what allows a machine to decide if it needs to go to a router or if it can talk to another machine directly. For example: 10.1.1.1 with a subnet mask of 255.255.255.0 (aka 10.1.1.1/24) can talk to any other machine whose IP address begins with 10.1.1 ... WITHOUT going through a router.

In a prefix advertisement the prefix includes something very similar to a Subnet Mask. In this case the mask basically tells other routers in the network how specific a route any particular prefix represents.

For example: I could say that my home address is "Virginia, Fairfax, Main Street, 221" and I could say that when I advertise my address I'll advertise down to the street name. In networking there is the concept of CIDR notation to describe blocks and sizes of IP addresses. For our teaching example, we'll pretend that to advertise a direction just to street level we would add /streetname to the address. My routing advertisement for path #3 from the above example would look like "Virginia, Fairfax, Main Street/streetname". Then if, like #4, I advertised "Virginia, Fairfax, Main Street, 221/streetnumber", you'd realize that THAT would be the longest match if you were looking for my specific address.

What if you were looking for 223 Main Street though? In that case, the longest possible match would be path #3 for you, "Virginia, Fairfax, Main Street/streetname" and you'd take that path which would get you to my street, but not directly into my driveway. Once you get to the street you'll get further directions on how to get to #223.

So, now that you hopefully have an idea of how longest match works, what could have been done to prevent this? The simple solution, and the one that NORMALLY keeps stuff like this from happening, is Route Filters. In this case, PT's transit provider should NOT have accepted any route advertisements from PT for address space that PT doesn't own. Currently the best way is to ask the people you are providing transit for what their addresses are, then look at the various assigned numbers authorities and/or routing registries to verify the blocks of addresses really belong to them, and then create a filter that only allows those addresses to be sent. It is a pretty manual process though, and of course mistakes (or mischief) can happen.
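To make the longest-match rule and the route-filter fix concrete, here is an added worked example (my own illustration, not code from the post or from any router). It uses constructed prefixes in the 10.x range, constructed private AS numbers, and AS-path length as the "miles" on the road-signs; it is not the real YouTube address space.

```python
import ipaddress

# Constructed AS numbers for the three parties in the story.
VICTIM = 64500     # the content provider whose prefix gets hijacked
CUSTOMER = 64501   # the customer that leaks a more-specific route
TRANSIT = 64502    # the customer's transit provider, which should have filtered

def longest_match(rib, dst):
    """Pick the route for dst: most specific prefix wins; among equally
    specific prefixes the shortest AS path wins (the '10 miles' sign)."""
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(p), path) for p, path in rib]
    candidates = [(p, path) for p, path in table if dst in p]
    if not candidates:
        return None
    best = max(candidates, key=lambda e: (e[0].prefixlen, -len(e[1])))
    return str(best[0]), best[1]

def filter_customer_routes(announcements, registered):
    """Route filter at the transit edge: accept an announcement only if it
    falls inside a block the registry says belongs to the customer."""
    allowed = [ipaddress.ip_network(a) for a in registered]
    accepted, rejected = [], []
    for text in announcements:
        prefix = ipaddress.ip_network(text)
        ok = any(prefix.subnet_of(a) for a in allowed)
        (accepted if ok else rejected).append(text)
    return accepted, rejected

def hijack_timeline(target="10.1.1.1"):
    """Replay the three stages as seen from a far-away router's table."""
    rib = [("10.1.0.0/22", [VICTIM])]               # normal: the /22 from the victim
    before = longest_match(rib, target)[1]
    rib.append(("10.1.1.0/24", [TRANSIT, CUSTOMER]))  # leak: a /24 inside it wins
    during = longest_match(rib, target)[1]
    rib.append(("10.1.1.0/24", [VICTIM]))             # victim answers with its own /24
    after = longest_match(rib, target)[1]
    return before, during, after

if __name__ == "__main__":
    print(hijack_timeline())
    # With the filter in place, the leaked /24 never leaves the transit edge.
    print(filter_customer_routes(["10.9.5.0/24", "10.1.1.0/24"], ["10.9.0.0/16"]))
```

The timeline returns the AS path chosen at each stage: the victim's path, then the leaked path once the /24 appears, then the victim's path again once it announces the same /24 with a shorter path.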

There are discussions ongoing about other ways this could be done. Routing registries could issue certificates, or you could publicly sign the routes that are in the registries, and then when one router talks to another router they could verify through the signed messages that the number/routing authority has identified you as the proper owner (by your possession of the private key/cert) and accept any of those routes. Whew! That is a pretty straightforward way to accomplish this, and hopefully this incident will remind folks that it is important to move forward with it.

Though straightforward, it isn't easy. Lots of folks have to all agree to do it the same way. Other folks have to build infrastructure to support it. Vendors have to update their routers with software that understands how to process it. And of course, then the operators of the networks have to actually understand and use it. We can dream though. :)

If nothing else though, hopefully transit providers (like UU.NET/Verizon, AT&T, Level 3, PCCW, ATDN, etc.) will pay more attention and filter any routes that don't belong to their customers and prevent this from happening at the edge. Some already do, good for them! Some don't. Bad for them!

Oh well, hopefully you found all this interesting. Didn't mean to be so wordy, just mostly wanted to pass along what happened in non-network geek terms.

Things and Places to Visit and See

A list of things and places I want to visit and see at some point. This will grow and shrink I'm sure. Mostly just wanted to make some notes. No comments, because it is mostly for me. :)

  • Niagara Falls
  • Glacier Bay, Alaska
  • Dubai
  • Yellowstone
  • Glacier National Park
  • Big Sur
  • Death Valley
  • Lake Mead & Hoover Dam
  • Grand Tetons
  • Denali
  • Carlsbad Caverns
  • Hawaii Volcanoes
  • Mammoth Cave
  • Ozarks
  • Sequoias (all over)
  • Crater Lake
  • Mount Rainier
  • Grand Canyon
  • Pearl Harbor
  • Mount Rushmore
  • Yosemite
  • Cape Canaveral
  • Key West
  • Berlin
  • Moscow
  • New Zealand
  • Bali
  • Galapagos Islands
  • Greece - all of the historical places
  • Rome: Vatican, catacombs, coliseum, the Forum
  • Venice: catacombs
  • Sicily: hometowns
  • Paris: MORE of the Louvre, old churches, museums
  • Ireland: County Galway
  • London: MORE museums, museums, museums
  • Amsterdam: MORE museums, museums, museums
  • Barcelona
  • Auschwitz
  • Pyramids, Valley of the Kings
  • New York City: the "gothic" place Lisa tells me about
  • Bora Bora
  • Great Barrier Reef
  • African Safari
  • Machu Picchu
  • Swiss Alps
  • Sydney Harbor
  • Japan: Tokyo
  • Prague: Castles!
  • Canadian Rockies
  • The Amazon
  • Beijing
  • Three Rivers Dam
  • Hong Kong

Tony Chachere's Baked Potato Chips

I've invented Baked Potato Chips!!!

Preheat oven to 450
Yukon Gold Potatoes sliced on the mandoline slicer, one click less than 1/8" thickness.
Aluminum Foil on cookie sheet, shiny side up (for easy clean up).
Tablespoon of Olive Oil for Roasting spread around on Aluminum Foil.
Lay out chips one layer thick, butting against one another.
Sprinkle Tony Chachere's Creole Seasoning on them.
Bake for 10-12 minutes (watch 'em for your version of done)

Peel them off and eat immediately (they cool VERY quickly). On my cookie sheet, I could get about 250 calories (2.5 potatoes) worth.

Also tried some just with Kosher Salt and Freshly Ground Multi-corn Peppers; Tony Chachere's version was better, but Duke was happy to get a couple of the non-spicy ones.

Thunderbird, Kerberos, and SMTP Auth

At work our email servers are Microsoft Active Directory Exchange Servers. I use IMAP to access them. I also use Thunderbird for my IMAP mail client. I use the nightly builds and noticed that I was suddenly being prompted for a Kerberos login every time I sent email.

While I certainly could use Kerberos for the login, I prefer not to, and only use standard IMAP and SMTP encrypted auth and not Kerberos. So, in order to completely disable Kerberos in Thunderbird I played around until I found the following combination. Just changing using-native-gsslib to false will not work as I originally thought it would. I had to put the /dev/null in there to really get it to stop. All seems well for me now, MUCH happier!

1) Open Thunderbird Preferences
2) Advanced Button
3) General Tab
4) Press "Config Editor" button
5) Easiest to just Search for "gss"
6) There will be two entries that both need to be edited:
   a) network.negotiate-auth.gsslib = /dev/null
   b) network.negotiate-auth.using-native-gsslib = false
7) Close the Config Editor
8) Close the Prefs
9) Restart Thunderbird

Obviously be careful futzing around with the config. I hope this helps some folks!