DRM, Copyright, the saga goes on…

1 Comment

 Commenting on:  http://www.theregister.co.uk/2008/01/11/att_want_to_block_copyrighted_material_at_network_level/

The solution to all this is very very simple.

I want the luxury of being able to download whatever material I want, when I want from where I want in whatever format I want. That as a customer is what I want, and the customer is always right.

The only question is what I am prepared to pay for it, and how. As I don’t want to be bound to any particular channel (iTunes for example), and I don’t want to be paying per use, there is only one option, which is some form of Digital Download Licence, for which we pay an amount of money per year (say £150) to do whatever we want online, a bit like the TV licence.

The question obviously is how the respective rights holders get their slice of the pie. Well, simply offer a discount on the licence fee to anyone happy to run some form of software that monitors what copyright material you are downloading and reports it somewhere for statistical analysis and revenue distribution.

This won’t work, however, if I am required to buy more than one licence or there are restrictions of any kind, for example “you can download everything except shows by NBC”.
 

Vyatta – Clustering

No Comments

The latest subscription release of Vyatta, 2.3, has seen the addition of clustering capability, which has added greatly to the high availability features of the product.

Previously high availability was really limited to VRRP, which was great but had a couple of issues:

  • You couldn’t use VRRP across VIF interfaces, which made high availability for ‘router on a stick solutions’ tricky.
  • We experienced a few issues with interface bouncing, especially on gigabit interfaces.

VRRP is, however, a very nice solution: each virtual address is associated with a virtual MAC address that the currently active router associates with the appropriate interface, and the switchover is nearly instantaneous.

The new clustering functionality in Vyatta is based upon the Linux HA project, which takes a slightly simpler but arguably more effective approach to HA: when a failure is detected the virtual IP is reassigned to the appropriate interface on the secondary router and a gratuitous ARP is sent out across the associated network segment to mitigate any ARP cache issues.

The HA functionality also allows for failover of the IPsec VPN service. At the moment this works pretty simplistically, by simply stopping or starting the service as needed, thus on the currently inactive router the VPN service, and therefore the tunnels, simply aren’t up.

Let’s take a look at a relatively simple multisite HA Vyatta solution and the associated configuration.

Vyatta Cluster Example

We have two sites, each with a pair of Vyattas configured as router, vpn, firewall, and nat. Behind them is a multi-segment internal network.

Interfaces

ldn-router1 interfaces:

interfaces {
    loopback lo {
        address 10.1.1.251 {
            prefix-length: 24
        }
    }
    ethernet eth0 {
        description: "Internet"
        address 98.76.54.31 {
            prefix-length: 28
        }
    }
    ethernet eth1 {
        description: "Servers"
        address 10.1.10.251 {
            prefix-length: 24
        }
    }
    ethernet eth2 {
        description: "Workstations"
        address 10.1.101.251 {
            prefix-length: 24
        }
    }
}

ldn-router2 interfaces:

interfaces {
    loopback lo {
        address 10.1.1.252 {
            prefix-length: 24
        }
    }
    ethernet eth0 {
        description: "Internet"
        address 98.76.54.32 {
            prefix-length: 28
        }
    }
    ethernet eth1 {
        description: "Servers"
        address 10.1.10.252 {
            prefix-length: 24
        }
    }
    ethernet eth2 {
        description: "Workstations"
        address 10.1.101.252 {
            prefix-length: 24
        }
    }
}

The important thing to notice here is that the virtual ‘active’ addresses aren’t configured on the network interfaces themselves; instead they come later, in the cluster configuration.

The New York site configuration is the same, except of course the IP addresses are changed accordingly.

Cluster
cluster {
    interface eth0
    pre-shared-secret: "!secret!"
    keepalive-interval: 2
    dead-interval: 10
    group "ldn-cluster1" {
        primary: "ldn-router1"
        secondary: "ldn-router2"
        auto-failback: true
        monitor 12.34.56.73
        service "98.76.54.33"
        service ipsec
        service "10.1.10.1"
        service "10.1.101.1"
    }
}

The cluster configuration on each router is identical (unless you want to do certain clever things such as run a different routing configuration in failover!). The interface definition is just the interface you want to monitor via. You can have multiple monitors; however, a failover will occur if any monitor returns a failure, which in some ways is a help and in some ways a hindrance. Personally I prefer to just monitor an outside address and, if it’s not available, go to failover, where hopefully it will be (especially if we use different external blocks per router).

When a router becomes the active member of the cluster, it scans the route table for matches to each service IP and assigns the service IP to the appropriate interface; it then sends a gratuitous ARP out of that interface to avoid any ARP cache issues.

Routes

One downside of Vyatta downing the IPsec tunnel when a router is not active is that you can then only address that router on its dedicated addresses. For example, if I wanted to do some remote maintenance on ldn-router2 from the New York site while it wasn’t active, the only way I would be able to do so is either to log onto a machine on the London subnet and go via that, or to use the public external IP (which I probably don’t want publicly accessible anyway).

The solution is very simple, due to the way that VPN route matching works. When making a packet routing decision Vyatta checks the VPN tunnels for a local/remote match first, then checks against the routing table. Therefore, if we add a static route to each router for the whole internal network to go via its partner, we get a really neat solution:

protocols {
    static {
        route 10.0.0.0/8 {
            next-hop: 10.1.10.252
        }
    }
}

Thus if a router has the VPN tunnel up (i.e. it’s active), it never checks the routing table and traffic goes direct; if the router has no VPN tunnel (i.e. it’s passive), it simply forwards the traffic to the active router.

VPN

The VPN configuration in a cluster is basically the same as a standard configuration, except the local and remote public IPs are the cluster addresses.

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        ike-group "ike-ny" {
            proposal 1 {
                encryption: "aes256"
            }
            lifetime: 3600
        }
        esp-group "esp-ny" {
            proposal 1 {
                encryption: "aes256"
            }
            proposal 2 {
                encryption: "3des"
                hash: "md5"
            }
            lifetime: 1800
        }
        site-to-site {
            peer 12.34.56.73 {
                authentication {
                    pre-shared-secret: "secret"
                }
                ike-group: "ike-ny"
                local-ip: 98.76.54.33
                tunnel 13 {
                    local-subnet: 10.1.0.0/16
                    remote-subnet: 10.3.0.0/16
                    esp-group: "esp-ny"
                }
            }
        }
    }
}

NAT

An easy pitfall in the NAT configuration is to forget that Vyatta processes source NAT before checking VPN or routing table matches, so a packet for the other site would be translated to the public address and no longer match the tunnel’s local subnet. The fix is simply to exclude your internal network as a destination in the NAT configuration.

nat {
    rule 101 {
        type: "source"
        outbound-interface: "eth0"
        source {
            network: "10.1.101.0/24"
        }
        destination {
            network: "!10.0.0.0/8"
        }
        outside-address {
            address: 98.76.54.31
        }
    }
}
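To make the three-stage order that the Routes and NAT sections rely on concrete, here is an added Python model (not from the original post, and not Vyatta code) of one London member’s forwarding decision for a single packet. It uses the addresses from the configuration above; the default gateway 98.76.54.17 is an assumed placeholder, and outbound-interface matching on the NAT rule is not modelled.

```python
import ipaddress

ip, net = ipaddress.ip_address, ipaddress.ip_network

# London values from the configuration above; the default gateway is an assumption.
TUNNEL = {"local": "10.1.0.0/16", "remote": "10.3.0.0/16", "peer": "12.34.56.73"}
CONNECTED = [("98.76.54.16/28", "eth0"), ("10.1.10.0/24", "eth1"), ("10.1.101.0/24", "eth2")]
DEFAULT_GW = "98.76.54.17"  # assumed placeholder, not shown on the page

# nat rule 101 as written above, and the same rule with the destination exclusion forgotten
SNAT_OK = {"source": "10.1.101.0/24", "dst": "10.0.0.0/8", "dst_negated": True, "outside": "98.76.54.31"}
SNAT_BAD = {"source": "10.1.101.0/24", "dst": "0.0.0.0/0", "dst_negated": False, "outside": "98.76.54.31"}

# Each member carries the 10.0.0.0/8 static route towards its partner's eth1 address.
ROUTERS = {
    "ldn-router1": {"tunnel_up": True, "partner": "10.1.10.252"},
    "ldn-router2": {"tunnel_up": False, "partner": "10.1.10.251"},
}
BY_ADDRESS = {"10.1.10.251": "ldn-router1", "10.1.10.252": "ldn-router2"}


def apply_snat(src, dst, rule):
    """Source NAT is evaluated before the tunnel and route lookups (outbound-interface not modelled)."""
    in_dst = ip(dst) in net(rule["dst"])
    if ip(src) in net(rule["source"]) and in_dst != rule["dst_negated"]:
        return rule["outside"]
    return src


def forward(router, src, dst, rule):
    """One member's decision: SNAT, then IPsec local/remote match, then longest-prefix route."""
    src = apply_snat(src, dst, rule)
    member = ROUTERS[router]
    if member["tunnel_up"] and ip(src) in net(TUNNEL["local"]) and ip(dst) in net(TUNNEL["remote"]):
        return ("ipsec", TUNNEL["peer"])
    routes = CONNECTED + [("10.0.0.0/8", member["partner"]), ("0.0.0.0/0", DEFAULT_GW)]
    best = None
    for prefix, via in routes:
        n = net(prefix)
        if ip(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return ("route", best[1])


def trace(start, src, dst, rule):
    """Follow a packet between the two members until it leaves the site or loops."""
    hops, router = [], start
    while router not in hops:
        hops.append(router)
        kind, via = forward(router, src, dst, rule)
        if kind == "ipsec" or via not in BY_ADDRESS:
            return hops, kind, via
        router = BY_ADDRESS[via]
    return hops, "loop", None  # neither member has the tunnel up: the /8 routes bounce the packet


if __name__ == "__main__":
    print(forward("ldn-router1", "10.1.101.50", "10.3.10.20", SNAT_OK))   # active member: into the tunnel
    print(forward("ldn-router1", "10.1.101.50", "10.3.10.20", SNAT_BAD))  # NAT'd first, so it misses the tunnel
    print(trace("ldn-router2", "10.1.101.50", "10.3.10.20", SNAT_OK))     # passive member hands off to active
```

The loop case is worth knowing about: if neither member has the tunnel up, the two 10.0.0.0/8 routes bounce the packet between partners until its TTL expires.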

VIFs

As I mentioned earlier, Vyatta’s implementation of VRRP doesn’t allow you to use VRRP on virtual VLAN interfaces, which is frankly a little annoying (although hopefully it will be fixed in the next release).

However under clustering it works perfectly, as the service IP can match and be assigned to any interface, real or virtual.

Conclusion

The clustering in Vyatta has added just enough simple HA clustering functionality that ‘just works’ to enable us to deploy far more complex and reliable solutions than was previously possible.

This is also just the tip of the iceberg; in future releases we can expect to see multiple clusters (allowing Active/Active configurations) and extra services added to the failover capability.

Vyatta – Forwarding traffic to Squid

8 Comments

If you are using Vyatta and want to transparently forward traffic at the router level to a separate Squid proxy you will find that the standard firewall configuration in Vyatta just isn’t up to the job (yet!).

The workaround is to use the /etc/rc.local file to make iptables do the job for you. Here’s how we did it:

#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#

IPTABLES="/sbin/iptables"
IP="/sbin/ip"
SQUID="10.1.1.1"      # Internal address of our squid box

# Webcache jump to cache
echo Setting up jump to webcache

# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Don't mark webcache traffic (the proxy's own outbound port 80 requests must not be sent back to it)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID
# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8     # Don't cache internal

# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4 # IP address of a site you want to exclude from going to the cache

# Now mark our traffic. We have a number of subnets on virtual interfaces we want to grab;
# if you aren't using vifs simply use eth1 or whatever you are using.
# The exclusions above must stay ahead of these rules: MARK is non-terminating, so a later ACCEPT would not unmark.
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80

# Send the marked traffic to table 2 (you can actually use whatever table you want; I used 2
# because we are using eth2 for the subnet squid is on)
$IP rule add fwmark 3 table 2

# set the default route for table 2, change eth2 for the interface you are on
$IP route add default via $SQUID dev eth2 table 2

# Make sure we exit
exit 0
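The ordering of the mangle rules above is what keeps the proxy from being fed its own requests, so here is an added Python check (not part of the original script) that lints a list of iptables rule lines for the three mistakes that break this setup: an exclusion placed after a MARK rule, a MARK value that the ip rule’s fwmark does not select, and no exclusion for the Squid box itself. The rule lines are the script’s own with the variables expanded; the broken variant is constructed for the check.

```python
import shlex

SQUID = "10.1.1.1"   # the SQUID value from the script above
FWMARK = "3"         # the mark that "ip rule add fwmark 3 table 2" selects

# The rule lines from the script above, with $SQUID expanded.
RULES_OK = [
    "-t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 10.1.1.1",
    "-t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8",
    "-t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4",
    "-t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80",
    "-t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80",
]
# Constructed broken variant: the internal exclusion comes after a MARK, the proxy itself
# is never excluded, and the second interface uses a mark the ip rule does not select.
RULES_BAD = [
    "-t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80",
    "-t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8",
    "-t mangle -A PREROUTING -j MARK --set-mark 4 -i eth3.103 -p tcp --dport 80",
]


def parse_rule(line):
    """Turn one iptables argument string into a dict: option name -> value (True for bare flags)."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        opt = toks[i].lstrip("-")
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[opt], i = toks[i + 1], i + 2
        else:
            rule[opt], i = True, i + 1
    return rule


def check_mangle_rules(lines, squid, fwmark):
    """Return findings for the mangle PREROUTING rules; an empty list means they look sane."""
    findings, seen_mark, squid_excluded = [], False, False
    for n, rule in enumerate(map(parse_rule, lines), 1):
        if rule.get("t") != "mangle" or rule.get("A") != "PREROUTING":
            continue
        if rule.get("j") == "ACCEPT":
            if seen_mark:  # MARK is non-terminating: a later ACCEPT cannot unmark an already marked packet
                findings.append(f"rule {n}: exclusion sits after a MARK rule and cannot unmark earlier matches")
            if rule.get("s") == squid:
                squid_excluded = True
        elif rule.get("j") == "MARK":
            seen_mark = True
            if rule.get("set-mark") != fwmark:
                findings.append(f"rule {n}: set-mark {rule.get('set-mark')} is not selected by fwmark {fwmark}")
    if not squid_excluded:
        findings.append(f"no ACCEPT for -s {squid}: the proxy's own port-80 requests would be sent back to it")
    return findings


if __name__ == "__main__":
    print(check_mangle_rules(RULES_OK, SQUID, FWMARK))
    for finding in check_mangle_rules(RULES_BAD, SQUID, FWMARK):
        print(finding)
```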

Vyatta – Cisco on a shoestring?

2 Comments

We use Linux extensively at bit10, for DNS, front line mail handling, proxying, web hosting, development platforms, you name it we probably do it in Linux or have at least had a good go…

Probably the most important job it does for us though is for our firewalling, core network routing and traffic management for both bit10s internal systems and for the ISP hosting side of the business.

Our implementation is a highly bespoke customisation of Debian using things like iptables, IMQ, vconfig, etc., all good stuff that happily handles the routing and traffic management for our entire colocation and ISP services; however, we would be the first to admit it isn’t the easiest to maintain and look after. The options in the commercial club (Cisco/Juniper) are simply way too expensive and don’t offer the flexibility we require.

A couple of months ago a client came to me needing some fairly significant network reorganisation. They had multiple offices around the world; at each site they had a very unsegmented ‘flat’ network, between the offices they had a mixture of MPLS and VPN tunnel solutions, and there were a number of single points of failure.

What we needed to do was to segment up each site into sensible subnets and bring additional resilience to the firewalls and routers.

Our initial reaction was to simply do another custom Linux configuration similar to our own setup; however, we were concerned about the time to get this right and the implications of future maintenance, so we looked off the shelf and very quickly discovered Vyatta.

Vyatta, for the uninitiated among you, punts itself as ‘The dawn of open-source networking’. Personally I think this is a bit pessimistic; after all, we have been doing routing and firewalling with Linux for as long as I can remember, so it’s more of a ‘The late afternoon after a good siesta of open-source networking’.

However here at bit10 ‘Loving Doing Digital’ headquarters we can’t really criticise people on their taglines… :)

So why is Vyatta different?

The answer is simply that it’s relatively easy to get up and running, has a pretty web interface for those who have command line fear, and above all has fantastic support.

Vyatta comes in two flavours, the fully open-source free ‘community edition’ and the ‘supported edition’. The community edition will suit you down to the ground if you have relatively simple requirements (basic routing/firewalling/etc.); however, if you are pushing the envelope you are going to need the supported edition, which comes in two flavours: ‘$647/£325’ for web-only support, and ‘$897/£450’ for full telephone support. Both supported flavours include free updates with the latest fixes.

The telephone support is superb.

Vyatta does have limitations, especially if you are used to getting under the hood and having the full flexibility of Linux-based routing; however, the payback is a solution that’s far simpler to manage.

Things we didn’t like:

  1. We couldn’t configure the built-in firewall to transparently push traffic to a Squid proxy server. We got around this by going under the hood and having a custom rc.local file that tagged and forwarded the traffic (I will post our script in a follow-up blog).
  2. VRRP over VIFs. Vyatta supports VRRP (Virtual Router Redundancy Protocol) and VLANs out of the box; however, you can only run VRRP on real ethernet interfaces, which is troublesome if you are doing a ‘router on a stick’ solution. We have spoken to Vyatta about this and they have pencilled the functionality in for an upcoming build – good stuff!
  3. The CLI. In a nutshell the CLI isn’t like IOS; it’s good and fulfils its job, it’s just that mental switch you have to make from IOS mode to something different.

Things we really liked:

  1. VRRP (Virtual Router Redundancy Protocol) out of the box… VRRP was so simple to set up (on real ethernet interfaces), the village idiot’s really stupid cousin could have done it.
  2. The separation of configuration from installation. Take a clean server, insert Vyatta CD, one line to install it to the local hard drive, copy your configuration onto it. Job done.
  3. Support. The Vyatta team are passionate about their product, both on the telephone and on the web, and they know its limitations and will tell you so, so you don’t waste any time trying to make it do something it won’t.

Top Tips:

  1. Unless you are doing something dead basic, go for the supported package; this ensures you get the latest version, you get the support and, frankly, you support Vyatta.
  2. Don’t mess around trying to deploy it on that 5 yr old bodge of a server you have sat in the corner gathering dust. Your firewalls/routers will be business critical, so splash out on some decent hardware. We deployed on Dell 860s (<£1,000 each), which are all supported hardware, and had no hardware-related issues.
  3. Think about what you are trying to achieve, and plan it first.
  4. Make sure you actually know a little about networking. While it makes life as simple as possible for the user, it’s not dumbed down to the level of a £50 ADSL router from PC World. If you don’t know the basics about routing, firewalling, etc., get someone to help you.

Performance:

I haven’t done any formal performance testing on Vyatta; however, we have deployed it in bandwidth-heavy environments, with upwards of 200 LAN users across 10 network segments, and a single-processor Dell 860 is running well under 10% load…

So is Vyatta Cisco on a shoestring? In my opinion, if Vyatta can do the job you want, it’s definitely preferable to the Cisco option. Probably the strongest reason beyond just price is that Vyatta abstracts the software from the hardware, i.e. within reason you can redeploy a Vyatta configuration on any server with enough interfaces.

All in all well worth looking at.

Microsoft – Renewing partner program from Firefox…

No Comments

For the last 2 months, I have been trying to renew our Microsoft Partner program membership, it is a very painful experience.

Today I finally got someone on the phone at the MS Partner program who could help me.

Essentially there is a highly painful online process to go through, which I set off on using Firefox (under Ubuntu)…

MS Partner Program Firefox

Why oh why do this MS? It just looks bad, and reinforces peoples view of you as monopolistic.

When I mentioned it to the guy at the partner program, his response was ‘Well, we give you the software under the partner program, so you have no excuse not to use it’… completely missing the point that I might prefer to use Linux for other reasons…

Anyway, toeing the line, I fired up IE6 (yes, using CrossOver Linux), and somewhat amusingly most of the navigation wasn’t visible to me unless I hovered over it.

Sigh…

Autoglass the next chapter…

7 Comments

So the Autoglass comments keep coming on my blog entry about my (good) Autoglass experience, you can read it here.

Now I have had an interesting email through from a really nice guy called Gavin Jenks, who works for Autoglass and has commented on my blog more than a couple of times.

Gavin has asked me if I can delete a comment he made, because he doesn’t want to get in trouble with the powers that be at Autoglass

I am really sorry Gavin mate, but I have thought about it a lot and I just don’t think it would be right; here’s my reasoning:

  1. The only thing with a longer memory than the Internet is the taxman, so even if I delete it, the comment will still exist on archive sites, etc. and just put into question other content here.
  2. If Autoglass don’t give staff guidelines on this sort of thing then really they can’t do anything against you.
  3. If the Autoglass marketing people are any good, they will long ago have discovered these blog entries and read them and if they were concerned about your comments they would have already taken action.
  4. I just don’t think it’s in the spirit of blogging.

Gavin, if you want to retract the comment, please feel free to post a retraction and I will ensure it gets published.

Back on the shop floor…

2 Comments

Our worthy MD, Alexander Craig, has gone back to the shop floor to do a bit of web design again, for his sister! Check it out… www.tonicraig.co.uk

The Google Autoglass charges on…

1 Comment

Google really love my Autoglass coverage; my blog is now 3rd and 4th… I of course appreciate the irony that the more I blog about it, the higher I will be on Google for it…

Google Autoglass

Autoglass – the power of the blog… oh and bird food!

No Comments

It seems my blog entry on my great experience with Autoglass hasn’t gone unnoticed, even apparently generating business for them.

It’s a good job that I did have a good experience, as a quick Google search for ‘Autoglass’ brings my blog entry up as fourth.

Search Autoglass on Google
This goes a long way to demonstrate the power of blogs and other content entries on Google results. It’s especially interesting for organisations like Autoglass, who in the normal course of events don’t get much content written about them; therefore one good or bad customer review can make a huge difference to their business.

At bit10 we often experience the reverse of this problem for the SMEs we do SEO (Search Engine Optimisation) for. The classic problem is that no one links to them with good or bad reviews, therefore their Google ranking suffers terribly, so even if they tick all the other SEO boxes, they will still do badly on a perfect search phrase for them.

A good example is Food4WildBirds, who as the name suggests specialise in ‘Food for Wild Birds’, basically they are the one stop shop for ‘Wild Bird Food‘ and other small animal feed and treats. Great company, great service, and great SEO work on our part, however they still suffer because of the lack of links to their site.

So how do we fix this? Well, one way of course is blog entries like this; however, more effective in the long term is to get affiliate marketing and linking ingrained into the organisation, so they are building relationships and activities that will legitimately improve their Google rank.

Yay – all sorted…

No Comments

Just in from MS:

Hello Ben,
Thank you for writing to Windows Live ID Technical Support. I apologize for the delay in answering your e-mail. We normally respond within one business day, but we have received an unusually large number of messages recently. We appreciate your patience as we handle every customer request as quickly as possible. This is Juhn and based from what I have read on your message, you suspect that someone may have compromised your King@hotmail.co.uk account. I know how important this issue can be to you and I look forward in helping you resolve this problem.
I have successfully verified the data you provided and I have sent a password reset message to the e-mail address that you asked us to respond to, ben@bit10.net.
– so I am now happily back on MSN!

Update (21/07/2008)

After receiving many posts and emails from people asking and pleading with me to help them get their Hotmail back, I have prepared a handy document that tells you everything you need to know. I am making a small charge for this of $10; you can buy it here.
