Jan 05 2011
 

Please read the disclaimer before continuing …

Once the basics of my router were up and running, I wanted to ensure that my wireless network could be served by a DHCP server. This is complicated by the fact that :-

  1. My wireless network is a separate network.
  2. I use a Unix-based DHCP server (partially because I’m very familiar with it).

The first thing to do is to configure a “helper address” on the wireless interface – in this case the vlan that incorporates the wireless network :-

interface Vlan102
...
ip helper-address 10.0.0.21
...

You can configure more than one helper address in here, which may be useful for debugging purposes – or in a production environment you may wish to run a failover dhcp server.

In theory, this forwards all broadcast DHCP packets to the specified address. However it also forwards several other kinds of UDP broadcast traffic to that host, which may not be what we want; for a host that is just a DHCP server we don’t want DNS, TFTP, etc. forwarded to it. These other protocols can be excluded with (at the global configuration level) :-

no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

Using the ‘symbolic’ names for the protocols aids the readability of the configuration file.

At which point the instinct is to fire up the DHCP server and see if it works. Very natural of course, but I would suggest that sniffing the traffic to check that the relevant packets are being forwarded is wise at this point. Otherwise you are risking testing two things at once – the packet forwarding and the DHCP server. Despite being very experienced with DHCP servers, it turned out that my main problem in setting this all up was a faulty DHCP server!

After fixing that problem, my newly configured wireless network worked fine.

Some additional configuration that may be worth trying :-

  • ip dhcp relay prefer known-good-server – The explanation for this on the command line is somewhat mysterious, but the documentation indicates that with this turned on, the DHCP clients will need to renew their leases less frequently. How this works, I don’t know.
  • ip dhcp relay information option – This inserts information about the relay agent (the router) into “option 82”. This additional information can be logged which can be useful.
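As an added example (not code from the original post), here is a small Python parser for a relayed DHCP request as the server would see it when sniffing: it reads giaddr, the hop count and the option 82 sub-options, so you can confirm the router is relaying before suspecting the DHCP server. The relay address 10.0.102.1, the client MAC and the option 82 contents are constructed for the sample packet, not taken from the configuration above.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_tlv(data, pad_end=True):
    # code/length/value items; top-level DHCP options also use PAD (0) and END (255)
    items, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 255:
            break
        if pad_end and code == 0:
            i += 1
            continue
        length = data[i + 1]
        items[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return items

def parse_dhcp(packet):
    # fixed BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr
    fields = struct.unpack("!BBBBIHH4s4s4s4s16s", packet[:44])
    hlen, hops, giaddr, chaddr = fields[2], fields[3], fields[10], fields[11]
    if packet[236:240] != MAGIC_COOKIE:          # sname(64) and file(128) come first
        raise ValueError("not a DHCP packet")
    opts = parse_tlv(packet[240:])
    info = {"giaddr": socket.inet_ntoa(giaddr), "hops": hops,
            "chaddr": chaddr[:hlen].hex(":"),
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "unknown")}
    info["relayed"] = info["giaddr"] != "0.0.0.0"  # the server replies to giaddr
    if 82 in opts:                               # relay agent information, if inserted
        sub = parse_tlv(opts[82], pad_end=False)
        info["circuit_id"], info["remote_id"] = sub.get(1, b""), sub.get(2, b"")
    return info

def sample_relayed_discover():
    # constructed DISCOVER as the server sees it; 10.0.102.1 is an assumed Vlan102 address
    giaddr = socket.inet_aton("10.0.102.1")
    chaddr = bytes.fromhex("001122334455") + b"\0" * 10
    head = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr, chaddr)
    opt82 = b"\x01\x07Vlan102" + b"\x02\x06" + bytes.fromhex("0011aabbccdd")
    opts = MAGIC_COOKIE + b"\x35\x01\x01" + bytes([82, len(opt82)]) + opt82 + b"\xff"
    return head + b"\0" * 192 + opts
```

A request that arrives with giaddr 0.0.0.0 did not come through the helper address at all, and the server unicasts its replies back to the giaddr address, so that field is the first thing to check in a capture.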

Jan 05 2011
 

Firstly I will point out that this series of blog entries has nothing to do with Apple’s OSX operating system build for the iPhone retrospectively named iOS; these are about a far older operating system from Cisco that runs on most of their routers and switches – IOS. They are intended as ‘aide memoires’ for myself – a crusty old Unix geek who wanted to find out about this IOS stuff when he finally got sick and tired of consumer grade routers.

The router I’m using for all of this is a Cisco 881W running IOS version 15. This is a ridiculously overpowered router for a domestic broadband connection, but it does have lots of interesting stuff to play with.

Now to the disclaimer part – I’m no CCIE; I’m a Unix geek and whilst I have considerable experience with networking, it has all been with networking services such as DNS and DHCP. So anything you find here could well be done better in a different way. Or perhaps I’ve encountered a feature that shouldn’t be used just yet, or perhaps I’ve found something in my ignorance that could actually be useful!

Jan 05 2011
 

Becoming increasingly popular are various forms of streaming media services – Last.FM has personalised radio stations I can tune into on my phone, the BBC has their iPlayer which allows me to catch up on BBC TV (or radio) programmes I’ve missed, and my film rental service even has a streaming service that allows me to watch films without being worried about discs being mailed to me. All very cool of course, and it’s even quite handy, but there are a few problems that need to be solved before streaming services can beat having the real disc – compact disc for music and Blu-ray for films.

We sometimes look at these services under the best of conditions and rarely consider how they would work under the worst of conditions.

Firstly there is the quality issue. Whilst streaming music may well approach the quality of CDs, films and other forms of video are a long way from being of the same quality as the discs – sometimes not even getting close to the quality of DVDs when Blu-rays are the quality to aim for. Sure it is no big deal – the convenience of online streaming makes up for the quality to a certain extent, but it does not replace the need for quality.

Secondly, reliability is an issue. Not only does streaming media (even audio) have a tendency to stutter to the point where listening or watching becomes unbearable, but sometimes streaming services just crash through being overloaded – very frustrating when it is half-way through a film. In theory most of our network connections have more than enough bandwidth to support streaming media – at least audio. In fact my own network connection is good enough for streaming video with just the occasional stutter – maybe just once an hour – and of course the occasional stutter may well be because of other activity on my network. I do after all have people visiting my “server under the stairs” for blog postings and photographs on a regular basis.

However my wireless network is sufficiently bad that even streaming audio can get very bad in the evening. It is not the fault of the streaming media companies that I live in a very dense environment with lots of wireless “noise”, but it still means that I tend to avoid using wireless networking except on devices where there is no choice. And on those devices I have sometimes been forced to put them away, or switch to using 3G.

It would be helpful if media streaming companies allowed people to buffer larger amounts of the media stream to assist in this. I would not mind waiting 10 minutes for a buffer to fill up to ensure that I could watch a film all the way through without stuttering. Or indeed wait 60s for an audio stream to buffer.

On the subject of media servers crashing, it is a little hard to see what can be done about this. The obvious thing is that streaming media companies need to be very careful about the code they write (or buy) to increase reliability. Software always has bugs, but increasing the importance of bug destruction would be very wise. Less obvious is to measure how reliable the media servers are at various loads, and limit the load to the level they can support reliably.

A message saying “please wait for an available film slot” is better by far than trying to start playing a film only to have it drop out half-way through!

Dec 12 2010
 

I recently had cause to restart a virtual machine on my ESXi host, but my usual method of firing up my Windows 7 machine and using the graphical manager was unavailable.

Fortunately the relevant instructions were obtainable from the http://vm-help.com/ site …

Firstly log into the ESXi host itself (which you have to enable beforehand), and run :-

vim-cmd vmsvc/getallvms

To obtain a list of the current virtual machines. Find the one you want to restart and note its ID in the first column. Use this in the following commands :-

vim-cmd vmsvc/power.reboot ${vmid}

This requires VMware Tools to be installed on the virtual machine, and for the tools to be running (i.e. the virtual machine needs to be reasonably healthy). If this is not the case, you will need to do the equivalent of hitting the reset button :-

vim-cmd vmsvc/power.reset ${vmid}

And that’s it! A lot quicker than the GUI way, unless you happen to have that always running.

Dec 08 2010
 

If anyone has been following the news closely over the last few days, they will be aware of the attempt that the Swedish authorities are making to extradite Julian Assange to face an assortment of sex charges including rape. Even by itself, there is enough suspicion about the timing of this given previous history of the charges to cause any neutral observer to wonder just what is going on here.

For those who have not dug into the details, the charges were first investigated in August 2010 and then dropped before being re-opened. All the while Julian Assange was either in Sweden, or willing to talk to the prosecutor although not prepared to travel to Sweden at his own expense. The escalation to a request for extradition was unfortunately timed happening at the same time as the latest WikiLeaks (linking to a mirror as the main site is mysteriously down) publications.

By itself it is just about enough to cause a sensible person to say to themselves … “I wonder … Nah!”, but there are other things happening to WikiLeaks.

WikiLeaks appears to be under a continual distributed denial of service attack where many computers are used to send traffic to the WikiLeak servers. There are two sets of servers involved in hosting the WikiLeaks sites – the actual web servers themselves, and the DNS servers hosting the name.

In the case of the web servers, the servers were first moved to the Amazon cloud service in the middle of a denial of service attack – so Amazon can hardly complain about this as it was known about at the time. Yet after less than a week, the site was booted off the Amazon cloud without a public explanation. The suspicion is that political pressure was brought to bear especially given one of the earliest statements about the issue was from a certain Joseph Lieberman – a US Senator.

WikiLeaks then went to a French hosting company – OVH – who have stated that they will honour their contract. Presumably providing that the French courts do not insist that they terminate the contract, which is possible given that the case is under review.

Separately to this, the Wikileaks domain (or “name”) has itself been under attack. Large scale distributed denial of service attacks took place against the EveryDNS infrastructure servers that provide the name wikileaks.org, and every other name hosted by the same infrastructure. EveryDNS took the step of terminating their domain hosting. As of now, the domain wikileaks.org is not available via the DNS servers I run, indicating that either they have not found another hosting company for the name, or their alternative arrangements are under sufficiently serious attack.

Those are the technical attacks.

In addition, a number of financial companies have frozen WikiLeaks accounts preventing funds from being used, or donations being made – PayPal (who admit that their decision was influenced by the US Government) and Mastercard amongst them.

Add all the attacks together and you start to think that there is some kind of conspiracy behind all this – perhaps the US government is waging cyberwar against WikiLeaks. It is almost certain that they have this capability and there are indications that they are annoyed enough with WikiLeaks to do this.

However it is still more probable that this is a combination of :-

  1. Annoyed US (and possibly other) “hackers” making denial of service attacks against the WikiLeaks infrastructure and the associated infrastructure.
  2. Various commercial organisations deciding that it is too much hassle to “help” WikiLeaks and deciding to terminate their contracts.

Probably the harshest criticism should be directed at PayPal who have just said in a TV interview that they received advice from the US State Department that the WikiLeaks site was probably illegal under US law. Well the opinion of a government in a free society should not be enough to condemn an organisation, and the directors of PayPal could deservedly be called chickenshit arse-lickers for their actions.

Perhaps you do not believe that WikiLeaks is in the right here. I’m not entirely sure myself – leaking US diplomatic cables is one thing, but perhaps publishing a list of potential targets the US government feels are critical to its security was a step too far. But there is a bigger issue here than “merely” WikiLeaks itself. We are seeing a situation where a website that has not been condemned for their actions in any court of law has been pushed around and to some extent off the Internet by the actions of a few – both people engaged in illegal activities (denial of service attacks) and people making commercial decisions (terminating contracts).

Imagine if you will, this website is something controversial in a country that is considered a pariah by most of the world – Iran perhaps; perhaps they publish allegations with evidence of widespread government crimes and corruption. Iran and supporters of Iran undertake to destroy that website with “cyberwarfare”. Wouldn’t we want that website to be protected in some way? Perhaps you are thinking that Iran doesn’t have the resources to undertake such an attack; well think again. Many of the largest botnets capable of carrying out widespread denial of service attacks are under the control of organised criminals (spammers) who have fewer resources than any government – it takes little more than a spotty teenager in a basement to control tens of thousands of compromised machines and target whatever they like.

In such a situation, it would seem to make sense to provide a hosting service of last resort. Presumably a volunteer effort as it would have to be immune to commercial interests, and presumably massively parallel to ensure that there are many servers providing service so that a distributed denial of service attack would fail to hit everywhere.

Lastly, the US reaction to WikiLeaks seems to me to be a little over the top. And I am not talking about the lunatic fringe who are likely to jump up and down screaming at the slightest criticism of the US, but about more respected figures. Some of the reactions verge on coming close to events such as the fatwā against Salman Rushdie way back in the 1980s.

For example :-

  • Jeffrey T Kuhner wrote in an editorial in the Washington Times that Julian Assange should be treated “the same way as other high-value terrorist targets” and be assassinated.
  • Gordon Liddy has suggested that Julian Assange should be added to a “kill list” of terrorists to be assassinated without trial.
  • Mitch McConnell has called Julian Assange a “high-tech terrorist”.
  • Newt Gingrich has stated “and Julian Assange is engaged in terrorism. He should be treated as an enemy combatant.”. Well it would be a start to treat any terrorist as an enemy combatant (the US doesn’t as enemy combatants have rights).

Calling for the assassination of Julian Assange is no better than a radical Islamist calling for the assassination of Salman Rushdie – we’re supposed to be better than the knuckle dragging fundamentalists frothing at the mouth. Seems that some in the US aren’t. A reminder to those people – we supposedly live in countries where the rule of law is supposed to be followed, and nobody has tried and convicted Julian Assange of anything in relation to WikiLeaks.

As for calling Julian Assange a terrorist, that is blatantly ridiculous. However annoyed you may be with him, none of his actions equate to driving a truck packed with explosives into a crowded shop entrance, or hijacking a plane and flying it into a large city killing thousands. Even if any information published by WikiLeaks has led to the death of anybody (and nobody has managed to demonstrate this – merely raised ill-founded concerns about the possibility), the responsibility for those deaths belongs to those carrying out the killings and not WikiLeaks. At most (in such circumstances), WikiLeaks might be guilty of incitement to murder – and in a much less obvious way than those calling for the head of Julian Assange to be delivered to them on a platter.

The US is beginning to look like the fool in all of this – their information security is a joke, and their reaction to their inability to keep secrets is to shoot the messenger in a way that makes them look no better than those rogue regimes they complain so much about.