my web 0.2 website

Mac VNC Client for Linux KVM

When you build a KVM guest, if you want to install the guest over the network, you should attach the video console of your guest to a VNC display.

How can I put this..? This is quite a novel way of doing it.  I think there’s a reason that more virtualisation systems don’t work in this way.  VNC is not great, but I am sure there is a reason that I can’t use a dummy serial port instead.  I’d have preferred RDP, but perhaps there’s a reason I can’t use that too.

I normally use Chicken of the VNC as a mac osx client, because it has a funny name, and has always worked.  However, it crashes and burns (see screen shot) when trying to install Debian on a KVM guest.  Hopefully I can save someone else an evenings’s worth of trying every other mac vnc client, and offer the fix.  Just use VNCViewer.  I tried this after half a dozen others which all failed in a similar way to Chicken.

Any comments on why RDP or Serial might not have been better welcome.

Internationalisation of DNS continues

Like most original internet standards, the DNS was designed to initially suit the needs of any section of the world that could communicate using 7-bit ASCII and Latin character sets. Then the internet became really popular. Everywhere. The DNS had to evolve to cope with naming schemes that came from alphabets all over the world.

All successful internet protocols are elegant and simple by design. This makes it possible to retro-fit great ideas someone has one. Internationalisation was proposed in 1992, and it eventually became possible to register Internationalised Domain Names (IDNs) in the .com space in 2003. Standards move slowly on the internet!

IDN is up for discussion again at the 31st ICANN meeting on Monday. This time, the world’s registry community are meeting in New Delhi, one of the most significant IT regions of the non-Latin world, to discuss the remaining “glitch” in the IDN system. An IDN might look like this: .com. Therefore any user still needs to be able to type .com in order to reach the resource they request. There is a proposal at the ICANN meeting to add Internationalised top-level domains, actual complimentary TLDs to .com, that will mean that resources can be reached in any supported alphabet.

This is interesting stuff. One school of thought is that this could significantly assist the development of electronic enterprise in many more pockets of the world. The supremacy of Silicon Valley as the web’s main economy would then be broken. I think differently – I think that .com is now too established as the main ecommerce ‘brand’ TLD, and attempts to localise the meaning of .com will be fruitless. .com means “I trade online”. Despite .biz and similar TLDs being equal in technical terms, they are not equal in the eyes of shoppers or traders. .com now has specific global meaning, and can’t be diluted.

If VoIP kills phreaking, who are tomorrow’s engineers?

“Ma Bell is a system I want to explore. It’s a beautiful system, you know, but Ma Bell screwed up. It’s terrible because Ma Bell is such a beautiful system, but she screwed up. I learned how she screwed up from a couple of blind kids who wanted me to build a device. A certain device. They said it could make free calls.”

That’s a paragraph from an article linked to from Steve Wozniak’s website, which Steve describes as “The Article that changed history“. He is one of the most important engineers of our time, and like thousands more, he was driven to learn more and more about how computer systems interact, after snooping around telephone networks. The telephone system has always been a prime target for attack for two reasons – vulnerabilities have historically been well published, and telephony was so expensive that it was worth working out the ways to subvert the system and talk for free.

But what happens when talking across the world is so cheap that its not worth stealing any more? You may think this is an irrelevant point, calls from BT users to France are still 18.5p per minute, to New Zealand are still 31p per minute. But what if these calls to France were a penny a minute? Calls to New Zealand 1.4p a minute?

Well, they are now that price if you are a Localphone user. Does this mean no more Steve Wozniaks, young men driven to explore big networks so that they can use their skills to build something even bigger and better?

The first ‘Phreaks’ – the collective name for people who like to exploit vulnerabilities in the phone system found their skills by accident. A blind eight year old called Josef Carl Engressia discovered that he could stop a phone accounting for a call he was making by whistling a particular note in a long distance call. He’d accidently discovered the 2600Hz tone which signals to long-distance telephony kit that a user had hung the phone up.

The later Phreaks like Steve Wozniak were more methodical, they took this learning and approached the exercise as engineers – phreaking was a learning experience – as Steve puts it, “The blue box year was 1972. Apple started in 1975. The biggest connection was some design tricks and techniques that I honed on the blue box.” Fooling around with the telephone drove innovation and learning for the early Apples.

The telephone system acted as a central point of interest for those interested in information security, and gave the movement focus. Whilst the 2600Hz trick no longer works, the number features in the name of the world’s most popular security journal, 2600 The Hacker Quarterly, which specialises in distributing information to IT personnel about improving their systems by demonstrating weaknesses in flawed systems. Again, without Phreakers would such openness and publicity for information security exist?
I admit that phreaks are not only motivated by the prospect of free telecoms, they are fascinated with the huge telephone network. I only ask if calls were as cheap as they are through services like Localphone, would so many engineers have found value exploring telephone systems, learning techniques to use in their later masterpieces.

I hope that tomorrow’s engineers will still explore telecoms. In fact, its easier today than before – downloading a free PBX like Asterisk means you nolonger need to be a criminal in order to explore how a telephone network interacts. VoIP networks have existed as islands within a corporation, or groups of interested people (e.g. the closed FWD system permitted free calls between friends on their network, no matter where they were in the world, but did not allow calls to route to other telephone networks, such as the one your mobile is connected to). Cheaper telecoms was our drive to build Localphone, so it can still act as a motivator for engineers to create something, its just that today you can have more fun doing this legally!

Disclaimer: the author is an engineer at Localphone.

Making the right ipv6 noises

I’ve been allowing the webcast of RIPE55 to mutter away in my ears all week and have let myself get distracted from time to time when the topics turned relevant to networks I operate or the chatter got interesting.  A bit like the end of today’s ipv6-wg session.
Six months ago I was quite sure that v6 was not likely to be viable as a way to guarantee the continuity of fresh (and useful) addressing resources when the IANA ipv4 pool is expired (around two years from today).  I thought that our best chances remained with working with our remaining v4 options; reclassifying 240/4 as normal unicast, pressure or perhaps even (shudder) regulation imposed on the holders of unused legacy class-A space, tighter policy control on remaining v4, and eventually a market model for new address distribution.

This is operator speak for burying one’s head in the sand.  240/4 is not going to useful for end-to-end internet use any time soon, thanks to the amount of equipment which is configured to not permit assignment of a class-e address to an interface, which unless you are using a very old or patched operating system will include the computer you are sitting in front of.  The best we can hope for is that it will be useful for private internetworking at some point in the future.  The class-A holders wont give their legacy allocation back because they think its worth lots of money, but the holders (and their future customers who ‘buy’ rights to a slice of addresses) are going to be disappointed when their announcements are ignored – anyone who thinks that HP can deaggregate 15.0.0.0/8 into 65,000 /24 networks and sell it off (HP not subject to the cost of every single other router in the world carrying the routes for free) is mistaken.

I have changed my mind and started testing v6 out.  I care about the end to end internet, and I care that addressing resources should be available to anyone who can justify need and that this is good for innovation. I am therefore pleased to hear the ipv6-wg discussing text for a new RIPE recommendation document that boils down to:

• New v4 addresses wont be available in two to four years, and this means your future network plans STOP HERE if they only involve v4.
• RIPE urges the deployment of v6

I am however concerned about one thing.  There are a number of networks which use provider independent addresses so that they can multihome (connect to more than one ISP for redundancy and performance.)  This is not catered for in general circumstances with RIPE v6 policies, except in very special circumstances.  This is due to a desire to keep the v6 routing table small so that we avoid the problems of an unwieldy routing table like today’s (by today’s equipment standards) in the future.

I don’t think the RIPE community can justify publishing such a document until 2006-01 reaches concensus, and in fact that this resolution is that IPv6 PI is available, it is a /48, and it’s possible to get some if you are multihoming.  You can’t tell operators that they must move to v6 without giving them a migration path.

The argument revolves around routing table size and control, but the community must allow networks that rely on connectivity to multihome, it’s an accepted technique for many operations now.  By all means require the organisation to continuously multihome or give the addresses back, but we must let the concept of v6 PI exist.

Otherwise needs based address resource allocation dies in around two years.

Making Round Robin DNS usable.

I have been fairly consistently telling people a lie for the last ten years – and that is that Round Robin DNS can not be used for high availability. Its a view I have held pretty strongly, but two people have shown me techniques in the last week that have made me change my mind.

First, a note on what Round Robin DNS is. Hopefully you know what dns is! When a resource record is answered in a round robin fashion, a single resource record has several answers. When high-availability is build into a protocol (e.g. DNS itself – retries) RRDNS works pretty well. dig . @a.root-servers.net if you want a reference service which uses this principal.

RRDNS is also used to share load between nodes in a cluster where the protocol is not as forgiving, with unpredictable results. If I serve my website via two nodes, so the dns looks like:

www IN A 10.1.1.2
www IN A 10.1.1.3

then my website is not at all highly available. Pretty far from it, in fact – if either the nodes 10.1.1.2 or 10.1.1.3 fail, then I have suboptimal results, when in a highly-available configuration, I only want to suffer a performance degredation or outage if all of my nodes fail.Two colleagues showed me two different systems earlier this week that solve this fundamental issue with traditional RRDNS implementations – and that is handling an outage. Both of them use the premise that you never use the box’s own, unique (e.g. management) IP address in the RRDNS Resource Record, instead you use ‘virtual’ or aliases IP addresses that are free to roam around your server cluster. Consider my zone with this change:

www1 IN A 10.1.1.2
www2 IN A 10.1.1.3
www IN A 10.1.1.201
www IN A 10.1.1.202

Now I can address both servers in this small cluster with their own address, and also point customers to an address which can be served by any of those machines. If both web servers are up, they each have one of the additional addresses aliased. If 10.1.1.2 goes down, the computer 10.1.1.3 can adopt both 10.1.1.201 and 10.1.1.202 as aliased interfaces.

I can’t take the credit for finding either of the technologies I mention below, that can manage the automated failover of aliased interfaces, but I have seen both work this week.

Firstly, Wackamole which is brilliant if you are already using ‘Spread’. Nodes on a Spread ring send health messages to each other. If a node goes silent, or sends a communication that it is failing (deliberately stopping), another server in the cluster adopts that server’s aliased address. You can also configure a mechanism that notifies other devices that their arp cache entry for the vip is staled.

The second is good-old VRRP, which I had only ever considered as a redundant first-hop protocol, but actually can be run on a Linux server in order to provide these Virtual-interface floating features. This system does not rely on the Spread messaging bus, but in order to float several VIPs in a cluster, one vrrpd instance, and therefore group, must be configured for each vip. For my simple cluster of two servers above, I would need to run vrrpd twice on each server, to balance both vips as such :

/usr/local/sbin/vrrpd -Ni eth0 -v 48 -p 120 -g 3 -t 10.1.1.201 -S /var/run/vrrpd_48.state
/usr/local/sbin/vrrpd -Ni eth0 -v 49 -p 100 -g 3 -t 10.1.1.202 -S /var/run/vrrpd_49.state

Careful planning needs to be done in order to use RRDNS to share load. I have deliberately refrained from describing this technique as Load Balancing, because at best it is load sharing – you can’t balance traffic, only politely suggest to visitors that that might like to share traffic across your cluster. Additionally, you need to do some capacity thinking – if you have two, or even three nodes in your cluster, if one of the servers fails, one of the servers which is left is dealing with a doubling of the traffic that it was doing before. There is really no elegant way to share three vips across two servers.

Its cheap though. And as I have learned, you can force it to work with a bit of ingenuity.

Net Neutrality debate gets traction

I cited a DoJ statement in a previous article that was destined to stagnate or kill all innovation on the web, by permitting ISPs to end the end-to-end nature of the internet.

I’ve been trying to draw the attention of some other technical people by talking about NN on mailing lists.  Sadly some people have got the wrong end of the stick – they think that the rule simply states that ISPs will be allowed to carry customer Quality of Service preferences to the edge of their ISP networks.  This is not the case – the Net Neutrality debate is about whether an ISP should be permitted to be un-neutral irrespective of, or even against their customers’ wishes.

One company that stands to loose most from an un-neutral net is Google who have been quick to earn column inches supporting the neutral net.

Peter Norvig, Google’s Director of Research speaks from the front cover of this weeks’ Computing arguing that the only reason “the net has grown far beyond the original perception bounds” was in fact ” because it is open, and because services can be launched without being fettered by higher level control.  At Google, we think it is good for competition to try to keep services this way, and that is what we are going to push for.”

I don’t want an internet dominated only by companies with deep pockets.  Google, the archetypal company with the deepest pockets don’t even want an internet dominated only by companies with deep pockets.  The only parties that stand to gain from the NN war as the ISPs that have been the most aggressive at driving down consumer internet charges, to un-sustainable points.  Don’t give them a life line.  Let’s have a fair internet.

A license to do something bad isn’t reason to.

For months, ISPs in Europe have been campaigning to preserve their ‘mere conduit’ status, or in English they have been fighting to prove that they should be able to treat all packets, between customers and the resources that they want to access equally.  This means, no content blocking, monitoring, and fundamentally no commercial favouritism – or as it is referred to Network Neutralism.

At the same time, some ISPs in America have been petitioning to abolish the concept of Net-neutrality on their networks.  These campaigns have not fallen on deaf ears, the US Department of Justice now consider that without legislation permitting ISPs to charge companies who host content for access to the ISP’s customers shifts the “entire burden of implementing costly network expansions and improvements onto consumers“.

This shows a wanton lack of understanding of the model with which internet connectivity is sold.  I, as a consumer, buy connectivity from a company who will try hard to ensure my packets will flow towards their intended recipient.  Someone who wants to host content pays another ISP some money to ensure that their packets flow back towards me when I visit their website, online shop, or use their service.  That’s the model, and its the only one that works.

If I want to set up a shop online, I should only have to pay the companies that I have a direct connectivity relationship with.  It should not be permitted for a company that I do not connect through, to hold their eyeball customers to ransom, demanding money from me, the shopkeeper, to allow me to reach our mutual customers.  Particularly if this customer is selling internet connectivity – there is a strong ‘end to end’ implication with that phrase.

The DoJ are wrong – what they think is a burden to consumers is just the fair market price that internet connectivity is sold for today.  An ISP should charge their customers enough to make sure that they can pay to support their network.  As a consumer, if I want to use MSN, Skype, Hotmail, Google, the BBC, iTunes, or any other online service, I should be able to, because I have paid for my ISP to try their best (without getting in the way) to get data between me and the services I use.

Net-neutrality has been the driving force behind innovation online, and we would not have the wide variety of services online today, if starting to trade online meant you had to pay lots of ransom notes to every ISP in America first.

Why Municipally Provided Wifi Must Never Be Allowed

I have twice now had to defend an unpopular premise – that local governments should not provide free wifi to residents and visitors. A recent thread on the Open Rights Group discussion list almost got pretty out of hand between a few people who thought it was dangerous for the government to be providing IP services, and the majority who wanted it.

To provide “free” wifi to residents, a council must spend our money on many more items than simply wifi access points located in strategic points around the city. They need to provide onward connectivity (expensive), operational support, technical support, security systems, subscriptions to professional groups such as the IWF, monitoring and maintenance and much more. The council can’t afford to fix the pot-holes on my road, despite billing me each April on the promise of doing just that, so where will the money come from in order to pay or this infrastructure?

I also do not want the council competing with my local ISP. Government is not designed to compete with private enterprises. Turfing council tax paying employees out of work by competing with their employers is surely counter-productive.

I also don’t want the general public to be led to believe that internet access is free to provide. Its bad enough that Carphone Warehouse, Orange, and other companies are trying to their best to leave customers of ‘free’ broadband services with that theory without my local government joining in.

Some people believe that free municipal wifi could be a positive externality achieved when a city is ‘wifi’d’ for public sector employees to use when doing their job. I would love to see any cost/benefit analysis that demonstrated that the applications that drive our public sector are cheaper to run over ubiquitous wifi rather than store-and-forward messaging systems that take advantage of wifi at strategic points or 3G data connectivity. I then want to see the figures that suggest opening up a private local government network for public use wont cost any more money.

Then followed the argument that if local government can provide street-lights, then why shouldn’t they provide wifi using the same rationale. The problem with this logic is that streetlights and IP connectivity are not similar enough to compare. Street lighting is a public good; in economic terms, that means that we all are required to pay for it and we all get it, irrespective of our purchase preferences as free economic agents. People wouldn’t ‘buy’ street lighting in normal circumstances, even though there is a compelling reason to deploy it. Internet connectivity is not like this, where IP is useful, it is already widely deployed.

Firms need to fight in order to be the best at providing services, so that they can feed innovation and value. Consumers need to choose which service meets their needs the best. I would wager that you demand very different things from your domestic internet connection than I do. If I had to buy SheffieldCityBroadband (which I do have to buy, if I get taxed for its provision – tax is of course demanding money with menaces), it probably wont do what I need.
Free wifi isn’t free. Someone has to pay. And if that someone is the taxpayer, then why can’t we just pay “the best” private company in our area to provide the service. Perhaps I will be lucky and get two providers to fight it out to be the best!

Lastly, the concept of buying internet access from the Government is extremely frightening to me. Check out the content blocking section of the LINX Public Affairs site if you want some evidence that the government are desperate to filter our internet connections. If everyone buys their state-IP the government have a simple place to block our content!