The modern day window tax on the internet
Comments Off
In 1696, King William III of England imposed a tax on glass. Essentially, houses with more than ten windows paid a levy to the government, but the tax is now remembered as unfair and very avoidable by bricking up the windows in your home. Today there is a new tax on glass – firms who light the glass in fibre optic cable pay the government a levy based on the length of the fibre. Again the tax is desperately unfair, and very avoidable because firms can just not roll out services on fibre.
When firms avoid fibre, it hurts us all. When fibre is cheap, firms can use it to roll out super-fast broadband to their users, using the sort of technology that facilitates connections tens or hundreds of times faster than a typical UK home enjoys. It also allows service providers to increase the capacity of their network edge, and to improve the robustness of their network – for instance by building more links between their network points. Improved robustness also means better business continuity planning options, improving the availability of their services. This tax kills faster access, and better services.
The fibre tax also worsens the conditions for international networks looking to build into the UK, for instance in order to bring their content and services to the UK market . This is not a hypothetical risk, it is a game-changer that has destroyed the business cases of several projects that we have been contributed to last year.
This morning, George Osborne was on BBC TV explaining that he saw an advancement in next-gen broadband (based on fibre optic cabling) as a priority. If this is the case, then he must commit to repealing the 21st Century Window Tax. To date, they have only considered repealing the 50p per month tax on telephone lines that has been suggested by the hugely flawed Digital Britain study.
We are just not competitive with this tax.
Published in categories: ecommerce, networking, non-tech
Can you fill all of the Great Lakes with M&M sized /64s?
Posted to my blog at the request of RobL !
On Nanog, Owen DeLong and Larry Sheldon were discussing the relative size of the IPv6 address space:
>> 64 bits is enough networks that if each network was an almond M&M, >> you would be able to fill all of the great lakes with M&Ms before you >> ran out of /64s. > Did somebody once say something like that about Class C addresses?
Well, this seemed like a challenge for Maths, and the answer is:
No. There are only 2,097,152 Class C networks.
Assuming all M&Ms are spheroids of uniform oblate nature, radius major axis=6mm, minor axis=3mm. Volume is (4/3)Pi (Major2) Minor
They will be poured into a great lake of your choice, and we will assume random close packing (agitation mechanisms are probably best discussed off-list) and a (generous, but this Wikipedia article insists) void fraction of 32%.
Volume of m&m = 0.452cm3, occupies 0.665cm3.
Lake Erie is 484km3 – See: http://www.epa.gov/glnpo/factsheet.html
1 km3 = 1,000,000,000,000,000 cm3
484,000,000,000,000,000 * 0.665 = 321,860,000,000,000,000 m&ms needed to
fill this lake.
There are 4,294,967,296 /64s in my own /32 allocation. If we only ever use 2000::/3 on the internet, I make that 2,305,843,009,213,693,952 /64s. This is enough to fill over seven Lake Eries. The total amount
of ipv6 address space is exponentially larger still – I have just looked at 2000::/3 in these maths.
THE IPv6 ADDRESS SPACE IS VERY, VERY, VERY BIG.
Can we please now just go ahead and roll out some ipv6 services?
Published in categories: Sys Admin, ipv6, networking
2010 will be a bad year for ipv4
We are now at the end of January, but IPv4, the Internet’s core addressing protocol still has a nasty hangover, and all signs are pointing to 2010 being a bad year for the protocol.
Since January 1st, a few key milestones have passed, indicating how urgent the IPv4 rundown problem has become. Firms that rely on internet connectivity must take urgent action in light of the events:
- The allocation last week of two further /8s (blocks of IPv4 addresses with the same number before the first dot) to APNIC mean that for the first time, less than just ten percent of the IPv4 unallocated pool is available to be assigned. At current utilisation rates, this pool will be exhausted in only 600 days. Of course, the internet could stop growing, but all signs point away from this…
- The allocation of 1.0.0.0/8 is the assignment of the first really ‘dirty’ block of addresses, signalling that we really are in the run-down period. Bad network design decisions in the past have meant that networks have ‘borrowed’ the use of addresses starting 1. for ‘internal use only’ or special applications on their network. This means that organisations assigned address space starting ‘1′ may well have partial connectivity even though they are rightfully assigned the space. Examples are the braindead hotspot operators who take addresses like 1.1.1.1 to trigger hotspot logout, but a handful of examples appear across this address range.
- RIPE NCC, the organisation who assign addresses to networks in and around Europe have this month implemented their ‘run down’ policy which will mean that organisations requesting space will only be able to cater for their growth requirements for a very short amount of time. This is to evenly spread the inevitable misery across the ISP community.
RIPE members should thoroughly audit their address space so that they can ensure that their records are accurate, because RIPE are more likely to ensure that address space is assigned to your end users in line with the community’s policies. ISPs and services providers who need help can contact me for further information or specific assistance.
Organisations who rely on internet connectivity for their products should ensure their providers have an IPv6 migration plan in place. Otherwise end-to-end connectivity for your home or office is unlikely to be something you can enjoy looking beyond the runout period. Companies hosting network services, for example a website, should enquire what their host’s IPv6 plans are, and start to enable their services via v6.
There is real traction to ensure v6 support appears in both the hardware and services you need to connect to the internet. It is easier today than before to find help making your services available via v6. The alternatives – patchy connectivity via nested stacks of ipv4 islands, or no more end-to-end connectivity (so that your internet service is a walled garden), have much worse consequencies than learning to roll v6.
Engineers know the facts by now and have no excuse. For more information, see the RIPE NCC’s information site, ipv6actnow.
Published in categories: Linux, Sys Admin, The 'net, ecommerce, ipv6, networking, telecoms
IXP Bake Off Results
Comments Off
Here are some slides that present some research undertaken by a number of European Internet Exchange points (IXPs), which I presented at UKNOF15 last week. They may be of interest to networks which connect to IXPs who have been considering connecting to the local multi-lateral peering (MLP) service, but are unsure whether testing has proved that the functionality and performance of the new ‘next-generation’ offerings (namely BIRD and OpenBGPd) are fit for purpose.
The slides show that the new route-servers perform splendidly well compared with traditional Quagga based MLPs, also that route-servers are now free of ‘first generation code’ bugs, and also that they handle your prefixes transparently – as you would expect.
Interestingly, BIRD and OpenBGPd behave identically ‘on the wire’ so IXPs are encouraged to use multi-vendor MLP on their platform for increased reliability and stability. The new breed of route-server code is dependable and tested, so networks that would like to connect should draw confidence from this testing, and IXPs wishing to roll out MLP services should feel confident in the software tested.
Happy peering!
Published in categories: The 'net, bgp, networking, peering, telecoms
DNSSEC and SSL certificates
Dr. Jörg Schweiger of the German domain name registry DENIC posed an interesting question at this morning’s first DENOG meeting, in Frankfurt.
Would domain name users who are concerned about the accuracy of data served pay extra for the ability to sign their DNS zone ? A handful of people in the room raised their hand in agreement, but the overwhelming majority of operators did not.
His argument was that this compared well with SSL certification authorities who sell certificates that suggest that visitors to a website are interacting with a validated entity, and the technology guarantees privacy between the visitor and the website. It’s this technology which makes buying and selling online safe.
However, I think that DNSSEC has different aims altogether – simply to guarantee that DNS data is not changed en-route between the authoratative server, through the caches, all the way to users. Therefore there are significant attack mitigation reasons to deploy DNSSEC, so I hope that operators will begin trials (we are doing so), and that the pace of trials will quicken as the root zone will be signed this year.
If DNSSEC is deployed as designed, then temporary and brief mistakes will not be imported into DNS caches, users will not fall foul to tampered data in caches, and we all receive an authenticated/secure channel for distributing DNS data inside an organisation.
The argument that Dr. Schweiger used is that DNSSEC adds an operational and technical burden to registries (extra communication with registrars, more complex software, additional CPU and bandwidth requirements).
I hope that my colleagues in other organisations agree that there are significant infrastructure advantages to freely allowing DNSSEC to grow, and that Moore’s Law, automation, and the fact that DNS registries normally find it simple to peer widely with ISP networks will offset the needs to consider the commercial signing model.
Published in categories: Sys Admin, The 'net, domains, networking, security
innodb_data_file_path bug with long line limits
I have a MySQL server which was starting to scrunch its data more and more slowly. Some analysis led me to blame an autoextending innodb file which had grown somewhat unkept to several GB. I wish the autoextend behaviour could be configured to grow more files rather than grow one file, but that’s another rant. I decided to clear it up which is a simple process :
- Stop the inflow of new data
- mysqldump the database to a .sql file
- Bin the junk innodb data files
- Edit my.cnf to create files of a spec that I wanted, start mysql
- Import the data.
I decided to create 500 data files of 100MB. When MySQL started, it ignored the config I had set in my.cnf and loaded the innodb defaults – 5MB log files and an ibdata file of 10MB which could autoextend.
It turns out that if the innodb_data_file_path line is too long then the innodb section is ignored and the defaults will prevail. I changed the plan to create 200 files of 250MB, which made for much smaller config, and the innodb settings loaded just fine.
If you want a perl one liner to generate the innodb_data_file_path, I used:
perl -e ‘$i=1; do { $padded = sprintf(“%03d”, $i); print “ibdata$padded:250M;”; $i++; } until ($i eq 200)’;
Published in categories: Linux, Sys Admin
Extreme Switch / OpenSSH bug
I have been trying to get a patch applied to Debian’s openssh-client packages since February which would fix a bug that prevents me from logging into Extreme switches via ssh:
trials:/usr/src/openssh-5.1p1# ssh hextreeme -l netadmin
Keyboard-interactive authentication
Enter password for netadmin:
channel 0: open failed: resource shortage: Channel open failed
The bug is described in Debian bug 495917, and it also prevents connection to some NetScreen firewalls. I have this bug with Debian 4 (openssh-client 4.3p2-9etch3) and Debian 5 (openssh-client 1:5.1p1-5).
If anyone else is experiencing the same bug and needs a quick fix, then you can download my Debian packages which replace openssh-client. You of course need to hold the packages if you don’t want them overwriting by a security fix.
- Debian 4 openssh-client_4.3p2-9etch3_i386.deb
- Debian 5 openssh-client_5.1p1-5_i386.deb
By using this software you agree to hassle both the debian-ssh team and extreme to sort their stuff out!
Published in categories: Linux, networking, security
IPv6 Track at NANOG
Greetings from Philadelphia! I am presenting as part of the IPv6 at NANOG46 (click here for info of how to watch) at 9:30PM UK time today, or download the IPv6 for Enterprises presentation here, or see information about the other speakers here..
The messages are clear and simple. Working now to get ready for the IPv6 transition will be less expensive and lower risk than waiting for IPv4 starvation to hurt. I interviewed some key enterprises about their specific grumbles but the great news is that most are transitional and already people are working on fixing them.
Published in categories: The 'net, bgp, ecommerce, ipv6, networking, peering, telecoms
