Hi, I'm Iljitsch van Beijnum. This page has all posts about all subjects.
The other day, I was sitting in a hotel lobby waiting for some people, working on my laptop. There I had the following conversation:
“Hey, is there a wireless network here?”
“No.”
“Then how are you working?”
“I’m working offline.”
<gasp>
In this age of AJAX, webmail, instant messaging and YouTube videos working offline seems so 1980s. I guess this means I’m getting old, because I’m much more comfortable having my stuff (or at least, copies of my stuff) on local storage, so I have access to it regardless of my connectivity, and there is at least a fighting chance that an application that works today still works tomorrow.
Interestingly, Microsoft, a company that makes billions selling software that makes computers useful whether or not they’re connected (Office), has jumped on the web-based applications bandwagon. Apparently they don’t see that web-based applications make Microsoft obsolete: all you need to run them is Linux and Firefox.
Apple on the other hand, seems to focus on applications that work best locally. Long after the majority of Office users have switched to free or cheap web-based alternatives, possibly discarding Windows in the process, creative professionals (and hobbyists) will still be buying Apple hard- and software to do their audio, video and image editing.
(Originally published on the Apress blog, which is now gone.)
posted 2006-11-06
Image link - posted 2006-10-29 in
The BGP TCP MD5 password mechanism (RFC 2385) is very useful to protect BGP sessions from attempts at unpleasantness by third parties. However, it is rather simplistic. One of the flaws is that there are no provisions for changing the password. In the old days, setting a new password for a neighbor would cause Cisco routers to tear down and reestablish the BGP session. Today, the session survives if the password or key is changed at more or less the same time at both ends. This requires a good deal of coordination. I must say that I can't remember anyone asking me to change an existing BGP password. But the security people insist that it's important to do this regularly, for instance, when employees leave. I think they have a different appreciation of the sensitivity of this key than those of us working in operations.
Anyway, Steve Bellovin, a well-known member of the IETF, has written this "internet draft" and submitted it for publication as an RFC:
http://www.ietf.org/internet-drafts/draft-bellovin-keyroll2385-03.txt (will be deleted after 6 months)
What he proposes is that a router can have more than one active key so it's possible for one end to change keys and the other end to go along with this without the need to coordinate the password change very closely. Unfortunately, it's still possible to configure the wrong key, or forget to change the key after agreeing to do so, and then the BGP session will go down at some point, probably conveniently in the middle of the night. See my posting to the IETF discussion list for details.
Well, progress isn't always progress, I guess. If you have any opinions on the matter, email me.
Permalink - posted 2006-09-30
Iljitsch van Beijnum
The Internet Protocol Journal, Vol. 9, no. 3, pp. 16-29, September
Last week, ARIN, the organization in charge of distributing IP addresses in North America, changed its IPv6 address policy so it's now possible to get Provider Independent (PI) IPv6 address space.
According to the ARIN Number Resource Policy Manual:
This is both good news, and bad news. The good news is that if (in the ARIN region) you are currently connected to two or more ISPs for IPv4, you can now do this in much the same way with IPv6. Since IPv6 routing is almost identical to IPv4 routing, all of this should be fairly easy.
However, since both the routing protocols (including BGP) and the rules for getting address space are now mostly the same, this means that in the future, IPv6 routing will suffer from the same problems that have been plaguing IPv4 inter-domain routing: a "global routing table" that is much larger than necessary, requiring network operators to invest in bigger routers and causing unnecessary instability. It also means that multihoming (the practice of connecting to two or more ISPs) will never be possible for truly large numbers of internet users.
The Internet Engineering Task Force has been working on alternative ways to gain multihoming benefits in the multi6 and shim6 working groups. But the ARIN constituents decided not to wait for the completion of this work, which will likely have the effect that the shim6 mechanisms won't be adopted widely or quickly when they become available. One reason cited for moving ahead with a known problematic solution for multihoming was the statement by some organizations that they wouldn't adopt IPv6 in the absence of a multihoming solution. Prediction: they won't implement IPv6 with multihoming anytime soon either.
And unfortunately ARIN (and the other RIRs) still claim that you can filter out any IPv6 prefixes longer than /32 even though they give out micro allocations and now PI blocks that are longer than that, mostly /48. See my article from nearly three years ago.
Permalink - posted 2006-09-05
Image link - posted 2006-08-13 in