117 posts • joined Tuesday 17th April 2007 14:42 GMT
Pull the other one...
"In short, Cisco has gone from a company that runs itself based on marketing teams back to one that is focused on engineering and sale"
I would love for that to be the case, and it might happen in my lifetime, but boy do they have a long way to go. IMHO of course. And I wouldn't trade my current Cisco-centric job for another one anyway.
It's a classic:
They didn't start out with classful addressing. :-) And there's nothing wrong with using /31 on point-to-point-links (RFC3021), and it often works on Ethernet-links too!
And 240.0.0.0/3 will hopefully not see service any time soon. The work involved in making sure it's reachable from everywhere makes IPv6 deployment seem like a vacation. It'll give you 14-15 IPv4 /8s, just around one years worth with the current allocation speed.
It's no problem making a router that can take 16 million prefixes or more. Each prefix should take up less than 16 bytes so even my laptop could probably easily hold at least 50 million prefixes.
There's just one catch to a large table: The lookup time tends to stink. And remember that each and every packet crossing the router needs at least one such lookup. Many solutions have been tried with varying success, e.g. flow-based routing (a la NetFlow) or trie, but I would guess the most widely used solution is the TCAM approach.
This guarantees lookup times no matter what size, but TCAM is very very expensive. I'm certain that any major router vendor will gladly supply you with a TCAM based router that will hold 16 million prefixes, but it'll cost you...
@ARP spoofing etc.
One of the points here is that most exploits in IPv4 have been dealt with so you have no end of knobs to turn, e.g. "Dynamic ARP Inspection", "DHCP Snooping" et cetera. Features similar to these are much less common in IPv6, which is a shame. Though there's not much new in the article one can hope it helps forcing the vendors to supply RA Guard et cetera.
It depends on what you mean by "configuration state". Most deployments are dual stack where IPv4 and IPv6 live together. Each one is configured just like if it was the only one. In some deployments you could have tunnelling here and there, but for most users/uses this should appear transparent.
If you suspect your ISP is incapable of handling issues like these you really should choose another. Protecting customers from each other has long been a standard ISP practice and IPv6 doesn't change this at all.
Well ffs... the people taking over the responsibility for the network (and taking the money) are obligated to look for problems. I only know Cisco and cannot speak wisely about other vendors, but everything is in the configuration. You can't "hide" stuff as such.
@spanning tree problems
Oh please... the spanning tree protocol is there to _help_. Many people think it's a bad thing, but it's not. Many people configure their network wrong and blame spanning-tree for the ensuing problems.
You could be right about this being a spanning-tree related problem, i.e. a problem created or exacerbated by wrong STP configuration, but STP is not at fault. The problem lies with the (highly paid?) incompetent "consultants" that design and operate the network.
It sure does sound like they need a redesign: A network with a single point of failure, where said SPoF can disable the whole network and where fault isolation takes several hours. Amateurs! :-)
@Peter Jones 2
You might very well be right about the current operator (Logica) probably not being directly responsible for the initial sorry state of the network. But _anyone_ assuming responsibility for a network _has_ to observe some kind of "due diligence". If Logica (or whoever) is willing to take the money they implicitely also accept taking the blame.
Not sold yet
Please bear in mind that the transfer has not happened yet.
"The parties have requested approval of a sale order from the Bankruptcy judge. There is a timeline for making filings and a hearing date. There is not an approved sale order at this time, [...]"
It's the *lack* of critical fixes that people complain about. Every sane OS (which excludes OS/400) needs fixes to critical bugs. We get updates to our CentOS servers often, and the Fedora workstations get them like every day.
The problem is when there's a bug and the fix is NOT supplied. And then the exploiting starts...
Yeah, that actually made me a little sad inside every time you said it.
Even though weaknesses have been found in MD5 it doesn't mean that Joe Blow can feasibly extract the plaintext password from the hashes that were inadverently posted.
If you think you can, please tell me what plaintext I used for this hash: "0f0d334af847f44e9611204ed72275d0". I'll even tell you it's 14 characters plain english, no funny capitalization.
Sir, you need to come with us please. You obviously display terrorist tendencies.
@Andy and Cowherd
You two are WoW nerds. (Or should it be WotW?)
@Bugs R Us
Sure, let's have some "rights managed" content. But PLEASE make sure that it then actually works for the people who pay for it. Not everyone uses Microsoft Windows and Windows Media Player, and things like protected WMA can't work at all on my Fedora installation.
The iTunes Plus ".m4a" files are fine, at least I can get a gstreamer plugin to play those. I don't know if they're patent encumbered though. The files themselves are identified as having been bought by me. I have no problem with that.
CentOS != "piracy" (obviously, but non-open sourcers might not know)
"Ironically, the BSA has discovered one of the few ways to "pirate" open-source software, and is apparently an advocate. The BSA's website apparently runs on Red Hat Enterprise Linux clone CentOS. Surely a license-respecting organization like the BSA would want to pay full freight for a RHEL license rather than undermine Red Hat by choosing CentOS? Evidently not."
I'm sure Matt doesn't mean it like I read it, but I dislike the comparison between "piracy" and legitimate derived work. The GPL specifically allows, yes even mandates, the possibility of what CentOS is. Red Hat themselves didn't invent many of the important parts of their distro, including the Linux kernel and many many GNU programs. If CentOS is "piracy" then RHEL is just as much.
IMHO what Red Hat sells isn't software as such, it's support. And that support might very well be worth all the dough it costs. But using CentOS (as I do myself extensively) is encouraged by the GPL.
(Very good article though, I'm starting to really like this Matt Asay!)
Maybe you should read up on Internet routing. Nobody uses OSPF on the "Internet". SPF algorithms can give you best-latency routing, but they scale very badly.
And maybe you should read the paper. They do try to explain why a "nearest neighbor" routing scheme could be a good idea.
It has not met any serious criticism on NANOG-ML, on the contrary:
I'm a little puzzled about there being "nothing analogous to Direct2D from other OSes"; I don't know the Windows-world very well, but I seem to have seen OpenGL able to provide services on a few other OSses, a.o. Linux. And on my laptop hardware acceleration works very well. (I'm using the proprietary NVIDIA-driver, but that's irrelevant to the OpenGL argument.)
AFAICT the Direct2D APIs are "easier" on the developer, but OpenGL can to 2D acceleration fine.
> "I don't see any 4Ghz chips and i've been waiting years for them!"
How does a 5.0 GHz POWER6 sound to you? Or an 8 core 4 GHz POWER7? If you don't see these chips you're really taking care not to follow tech news.
If you by "old laws incapable of addressing the modern world" mean that the juror's/victim's/witness' Googling/Facebooking is just a thing of the modern world that the judicial system should accept, you are IMHO very wrong.
They must never be allowed to investigate by themselves, Internet-based or otherwise. When a victim or witness has to ID a suspected perpetrator among many potential in a line-up, all these potential suspects are presented in as much a neutral and equal way as at all possible. If the victim starts investigating himself then he already has an idea from which his investigation starts, and he is thus prejudiced against the subject of this investigation.
And a juror's job is to consider the guilt or innocence based only on what the court presents. There's a reason certain things are inadmissible in court, things that are not presented to the jury at all. The same goes with things that the jurors are explicitly instructed to ignore.
Letting people investigate by themselves would erode the legal rights of the innocent-until-proven-guilty suspects.
(I do not commend the MET's actions described in this article. And IANAL.)
I understand the problem thus: The allegedly infringed patents might be generic enough to not only concern Dalvik but also other pieces of code in other software stacks. If Oracle would succeed in winning a patent case against Google they would set precedent and therefore make it much easier to "come after" other open source software projects with patents, either the same or similar.
Testing software patents this way might open up a Pandora's box. Imagine that a court decides that the specific patents from this case are clearly enforceable, or imagine that Oracle and Google choose to settle out of court, thereby scaring others from using Dalvik code or derivatives, or even code vaguely similar to Dalvik.
We can of course hope that Oracle clearly loses this case, and that an appeals court (or higher) asserts that (at least these) patents simple aren't enforceable. But that's probably hoping too much.
There are others ways of making money than being litigious you know. I think James' was miffed by the sparkling eyes being those of the lawyer, since this lawyer's goal seemed to clearly be suing Google.
Seems you pulled it off. And you should seriously put that in your Meditations. That would spice it up a bit. :-)
Yeah, screw MAC users, let's start using X.25 again!
No, a /16 network isn't always a Class B network. The Class B networks start with binary "10", and cover the range from 184.108.40.206 to 220.127.116.11. In classful addressing their natural netmask is 255.255.0.0, i.e. /16 in CIDR notation.
The network 18.104.22.168/24 (CIDR-notation) is a /24 subnet of the Class B network 22.214.171.124. And 192.168.0.0/16 (CIDR-notation) is a supernet of the Class C networks 192.168.0.0 through 192.168.255.0.
Everyone please forget everything about classful addressing.
But the malicious traffic actually comes from your own PC, not from the Internet. The filtering you suggest, while theoretically a good idea, is of no use here.
Anyway the "special use" IP-adresses (RFC 5735) are not likely to hit your front door, since sane ISPs are unlikely to accept these in the DFZ.
From a security standpoint there isn't much idea in hiding your ESSID or filtering MAC addresses. Any activity on the network defeats the hiding. And MAC addresses are easily spoofable.
Stick to encryption instead of voodoo. :-)
"And just what does the "i" in Apple's iOS stand for anyway?"
The "i" in "iOS" is the same as the "i" in iPhone, iPad et cetera which is a super short form of "Irritating incompetent inept impotent idiot".
""If I were running the App Store I'd go through all other apps and ensure that any which use the GPL are booted. And I'd turn down any future GPL apps.""
That would be extremely prudent. It would even be illegal _not_ to do this. Unless Apple changes their license terms.
Please understand: Distributing GPL applications via the App Store using the store's standard license terms is ILLEGAL.
"So in other words a daemon running with root privs just downloads and installs stuff when it feels like it. No bloody thank you!"
I haven't tried this flavour, but if it works like how auto-installs have worked in Fedora 12 it's not a daemon, it's a program started on demand. And it asks you for a root password to install the packages.
Even if it doesn't, I would think they have protected this program just as they have protected "login", "gdm" and other programs running as root and taking input from the user.
How do you feel about being able to shutdown your machine from the GUI without specifying a root password? How do you think that works?
You didn't try to zoom in did you? Was that too difficult for you? They're stopwatches
@AC 15:42, not quite...
@Andrew Jones 2
You must live in a strange country. :-)
Where I live (Denmark) it works like this: One person verifies your ID (typically drivers licence) before taking your voting card (sent to you previously by snail mail) and putting a mark on the list next to your name. Another person, sitting next to the first person, hands you a voting ballot. Noone writes anything down about who gets which ballot.
Are you sure it's trackable where you are? Most modern countries seem to use an anonymous system.
Please read up on what DNSSEC is. It gives the client a cryptographically safe way of determining if the DNS answer came from a "trusted" source, just like SSL certificates.
It will not make it any easier to track you (yes YOU Derek) on the Internet than it already is.
I don't get it. If some patent troll could come after me in court over VP3 then why couldn't they do the same over H.264? How can the MPEG LA "guarantee" that they don't infringe on other patents? Or is it just because so many of the big players are part of the MPEG LA, each commited to not suing if you have a license from the group?
I completely agree with your point: Technology like codecs isn't free to develop, and giving out patents ensures that someone actually wants to spend their ressources developing shuff.
One thing bothers me a little though: The patents last for 20 years. That's a long time when we're talking software. So if we want to keep software patents, let's at least shorten that period a little, to maybe 10 years instead.
The people making money from H.264/MPEG4 licences now isn't the same people that developed the thing.
@AC 14:05, amanfrommars?
Why would amanfrommars post as AC?
I for one...
... welcome our new feline roboplane sabotaging overlords!
@ disabling DNSSEC in BIND 9?
I don't get it. What's wrong with "dnssec-enable no" in your named.conf? I haven't tested it myself (no handicapped network connections here) but I can't see why it wouldn't work.
(If you're referring to the mess with a certain python script mangling named.conf, that's hardly a BIND problem.)
@problems using 126.96.36.199
Are you guys sure it's not something between you and 188.8.131.52?
[20:45:36 prathlev@euler ~]$ dig @184.108.40.206 +short rs.dns-oarc.net txt
"220.127.116.11 DNS reply size limit is at least 1257"
"18.104.22.168 sent EDNS buffer size 1280"
"Tested at 2010-04-14 18:45:23 UTC"
[20:45:36 prathlev@euler ~]$
(Yes, my timezone is GMT+2)
Making MS ISA 2006 do EDNS0
Simple: Press the "Start"-button, choose to shut down the machine. Insert a CentOS 5 DVD and install from there. In about 30 minutes you will have a server that can do EDNS0. Name it "msisa" or something for nostalgic reasons.