This week’s list of threads starts with a pointer a statement by the International Coalition of Library Consortia on the growing pressure between publishers and libraries over the appropriate rights and permissions for scholarly material. In that same vein, Joe Lucia writes about his vision for libraries and the cultural commons to the Digital Public Library of America mailing list. On the more geeker side is a third link to an article with the experience of content producers creating HTML5-enabled web apps. And finally, on the far geeky side, is a view of what happens when a whole lot of new wireless devices — smartphones, tablets, and the like — show up on a wifi network.

Feel free to send this to others you think might be interested in the topics. If you find these threads interesting and useful, you might want to add the Thursday Threads RSS Feed to your feed reader or subscribe to e-mail delivery using the form to the right. If you would like a more raw and immediate version of these types of stories, watch my FriendFeed stream (or subscribe to its feed in your feed reader). Comments and tips, as always, are welcome.

ICOLC Response to the International Association of Scientific Technical and Medical (STM) Statement

A recent statement by the International Association of Scientific Technical and Medical Publishers (STM) advocates a set of new guidelines for document delivery (http://www.stm-assoc.org/industry-news/stm-statement-on-document-delivery/). While intellectual property laws vary from country to country, STM’s approach would radically alter well-established library practices that advance knowledge, support scholarship, and are compliant with current copyright laws. The STM recommendations are in conflict with widely held principles that provide a copyright exception for interlibrary loan (ILL) activities. The regime anticipated by the STM statement would place unfair restrictions on researchers’ access to information. In particular, ICOLC contends that:

1. interlibrary loan, under existing principles and laws, is consistent with the three-step test of Berne;
2. cross-border deliveries are adequately and appropriately governed by current copyright law;
3. digital document delivery directly to an end-user is best coordinated through the end-user’s library or community of learners;
4. libraries are able to deliver on-site articles to library walk-up patrons in any format, including both digital and print;
5. current copyright law appropriately places the burden on the library user to affirm that the documents they receive are for private, non-commercial use.

The ICOLC strongly supports IFLA’s Draft Library Treaty, Article 7, which states “It shall be permissible for a library or archive to supply a copy of any work. . . lawfully acquired or accessed by the library or archive, to another library or archive for subsequent supply to any of its users, by any means . . . provided that such use is compatible with fair practice as determined in national law” (http://www.ifla.org/files/clm/publications/tlib.pdf). See also ARL’s statement clarifying legal protections afforded to libraries for national and international ILL use (http://publications.arl.org/rli275/18), and related documents (http://publications.arl.org/rli275/4 and http://publications.arl.org/rli275).

- ICOLC Response to the International Association of Scientific Technical and Medical (STM) Statement, International Coalition of Library Consortia, issued June 22, 2011

On the heels of last week’s frightening copyright scenario comes this statement from the International Coalition of Library Consortia. It was short, so the main content of the statement is posted above. Follow the link in the citation to find contact information for the ICOLC statement. Library Journal also has an article on the statement with quotes from Tracy Thompson-Przylucki and Ann Okerson.

Libraries & the Cultural Commons

Reduced to its medium-independent core, the mission of libraries is to subsidize and sustain barrier-free access to intellectual and cultural resources for our constituents and communities. In that sense, libraries establish a bridge between the proprietary realm of commercially supplied intellectual property and the gift economies of intellectual and cultural expression. From my perspective, everything we do flows from that core function. The DPLA will be, in effect, a new global networked digital face of the library as cultural and intellectual commons.

- Libraries & the Cultural Commons, by Joe Lucia, DPLA mailing list, 22-Jun-2011

Joe Lucia, University Librarian at Villanova University, posted this broad and, frankly, energizing view of the role for libraries to the Digital Public Library of America mailing list. If you want a concise view of how libraries are about content and services and not the historical carrier and delivery mechanisms, then take a look at this message.

The FT and NPR: HTML5 as part of a multi-platform strategy

I had heard that the FT and Apple were struggling to come to an agreement on digital subscriptions, so it came as no surprise to me that the FT has launched an HTML5 web app. Some folks have added sneer quotes around app, but I’m not going to. The HTML5 version of the FT’s app looks, behaves and has even more functionality than their native iPad app.

- The FT and NPR: HTML5 as part of a multi-platform strategy, Strange Attractor blog, 7-Jun-2011

I think there is a strong future in common agreement of web markup standards over proprietary app development. I’ve made that point serveral times on DLTJ, so I remain attuned to stories that point in that direction. This article points to how the U.K.’s Financial Times built an iPad app using the built-in Safari browser and the HTML5 tools like advanced cascading stylesheets and offline storage for reading when you are off the net (just like the old Financial Times native app). And, of course, the techniques work on other tablet platforms with minimal modification. NPR is experimenting with the same technique using Google’s Chrome web browser.

Wi-Fi client surge forcing fresh wireless LAN thinking

IDC reports that twice as many smartphones and tablets, nearly all with Wi-Fi, will ship compared to laptops this year. The number of Wi-Fi certified handsets in 2010 was almost 10 times the number certified in 2007, according to the Wi-Fi Alliance. Tablets, e-readers and portable audio devices are helping to drive this growth.

The result is a very different wireless environment in terms of radio behaviors, Wi-Fi implementations, applications, usage and traffic compared to just a year or two ago. This raises a different set of issues from simply managing these mobile devices with tools from vendors…

- Wi-Fi client surge forcing fresh wireless LAN thinking, by John Cox, Network World

Long ago I used to have to manage network infrastructure. That was back in the days when, for a small organization, one person could be the unix system administrator, the network administrator, and help with desktop support. With the complexity and pervasiveness of devices, though, I don’t think one person can do all of that any more. It is articles like this one that talk about the difficulties managing wireless networks that are bursting at the seams with new devices that make me realize how far networking has come in the past two decades.

Wandering into public or semi-public wireless networks makes me nervous because I know how my network traffic can be easily watched, and because I’m a geek with control issues I’m even more nervous when using devices that I can’t get to the insides of (like phones and tablets). One way to tamp down my concerns is to use a Virtual Private Network (VPN) to tunnel the device’s network connection through the public wireless network to a trusted end-point, but most of those options require a subscription to a VPN service or a VPN installed in a corporate network. I thought about using one of the open source VPN implementations with an Amazon EC2 instance, but it isn’t possible with the EC2 network configuration judging from the comments on the Amazon Web Services support forums. (Besides, installing one of the open source VPN software implementations looks far from turnkey.) Just before I lost hope, though, I saw a reference to using the open source DD-WRT consumer router firmware to do this. After plugging away at it for an hour or so, I made it work with my home router, a AT&T U-verse internet connection, and iOS devices. It wasn’t easy, so I’m documenting the steps here in case I need to set this up again.

Prerequisites

DD-WRT comes with support for a point-to-point-tunneling-protocol (PPTP) server. I know PPTP has some inherent security risks. At this point I’m just aiming to be harder for someone passively listening on the public wireless network to eavesdrop on my connections. I’m not doing anything ultra-sensitive that I need advanced encryption; I just don’t want to make it easy to watch what my devices are doing.

Setting up the AT&T U-verse Residential Gateway

1. Connect to the web interface of the residential gateway, select the Settings tab followed by the Firewall tab then the Applications, Pinholes and DMZ tab.
2. This screen has two steps: 1) Select a computer; then 2) Edit firewall settings for this computer. Click on the link to “Choose” the DIR-825 router (by name).
3. In the second step choose the “Add a new user-defined application” link. Use “PPTP” for the Application Profile Name.
4. Select “TCP” and put “1723″ in the From text box, under Application Type select PPTP virtual private network server and leave the rest of the boxes blank for the defaults; click on Add to List.
5. Repeat everything in the last step except choose UDP in place of TCP.
6. Click on the Back button to return to the Allow device application traffic to pass through firewall screen.
7. Select the Allow individual application(s) radio button, click on the User-defined applications list, pick “PPTP” from the Application List, and click on Add.
8. Click Save.

The U-verse residential gateway will now pass everything inbound on ports 1723/TCP and 1723/UDP to the D-Link router. You’re done with the residential gateway setup now.

Setting up the PPTP Service on DD-WRT

1. Log onto the DD-WRT web interface, select the Services tab then the VPN tab.
2. Enable PPTP Server, Broadcast support, and Force MPPE Encryption.
3. Put in the WAN IP (listed in the upper right corner of the web page) in the Server IP box. (Some instructions I have seen said that this can be left blank and the firmware will automatically pick it up. That didn’t work for me.)
4. For Client IPs, put in a range of LAN-side IPs that aren’t being used by the DHCP server. In my case I’m using “192.168.68.200-210″.
5. Put in one or more CHAP-Secrets. These are the username and passwords used on the PPTP client to connect to this server, and they follow a weird form: username-space-asterisk-space-password-space-asterisk. For example:

   username * password *

6. Leave Radius disabled.
7. At the bottom of the screen, pick Apply Settings.

The second step is the startup script:

1. Select the Administration tab then the Commands tab.
2. Put this in the Commands text box, then select Save Startup:

   #!/bin/sh
   sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd
   echo "nopcomp" >> /tmp/pptpd/options.pptpd
   echo "noaccomp" >> /tmp/pptpd/options.pptpd
   kill `ps | grep pptp | cut -d ' ' -f 1`
   pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd

3. Go to the Management subtab of Administration and at the bottom select Reboot Router.

This script comes from the PPTP Server Configuration page. The bulk of it is from the iOS 4.3 heading with the addition of the sed line to force encryption.

Configuring the iOS Device

iOS PPTP VPN Configuration

1. In the Settings app, choose General then Network then VPN.
2. Select Add VPN Configuration…
3. At the top choose PPTP and give this configuration a descriptive label.
4. For Server put in the IP address of your U-verse residential gateway. (Setting up something like Dynamic DNS with DD-WRT is left as an exercise to the reader.)
5. For Account put in the username field from the CHAP-Secrets text box above.
6. Leave RSA SecurID off and put in the password field from the CHAP-Secrets text box.
7. Under Encryption Level select Maximum.
8. Select Save in the upper right hand corner.

Now when you connect to a public network, before starting any applications that will access the internet, go into the Settings app and near the top will be a choice to turn on the VPN. Give it about five or six seconds to make the connection, and you’ll then see a blue VPN icon in the status bar at the top next to the WiFi icon.

Acknowledgements

Last week in DLTJ Thursday Threads I posted an entry about running out of IP addresses. Since I posted that, I’ve run across a couple of other stories and websites that bring a little more context to the consequences of last week’s distribution of the last blocks of IP addresses from the world-wide pool of available addresses. The short version: channel any panic you might be feeling into making sure your systems are ready to communicate using both the existing network standard (IPv4) and the new network standard (IPv6).

The Imagined Frequently Asked Questions

Will the internet stop working?

There will not be a so-called “flag day” when everyone’s computers switch from IPv4 to IPv6. (There wasn’t the last time the internet went through a similar upheaval in the 1980s — see the “History” section below.) IPv6 will coexist with IPv4 for probably most of this decade, based on what I’m reading, as computers at the edges will communicate over both IPv4 and IPv6. Some magic in the Domain Name Service (DNS) will enable this to happen. There will come a day, though, when IPv4 addresses are truly exhausted and new services will only be reachable via IPv6. Whether we get there before IPv6 is widely deployed is a topic of much debate.

Am I ready now?

The Internet Society is calling for a World IPv6 Day on June 8, 2011. “Google, Facebook, Yahoo!, Akamai and Limelight Networks will be amongst some of the major organisations that will offer their content over IPv6 for a 24-hour ‘test flight’. The goal of the Test Flight Day is to motivate organizations across the industry – Internet service providers, hardware makers, operating system vendors and web companies – to prepare their services for IPv6 to ensure a successful transition as IPv4 addresses run out.”

I manage networks. Should I care?

Okay, that probably won’t happen. Your gear either supports IPv6 addressing and routing (perhaps with a software upgrade), or as you phase in new gear it will support IPv6. You do have a lot of work ahead of you, though, to get your network ready. The IPv6 Act Now has suggestions and links.

I manage hardware. Should I care?

I write software. Should I care?

How can I help?

Bits of History

ARPA sponsored research on computer networks led to the development of the ARPANET. The installation of the ARPANET began in September 1969, and regular operational use was underway by 1971. The ARPANET has been an operational service for at least 10 years. Even while it has provided a reliable service in support of a variety of computer research activities, it has itself been a subject of continuing research, and has evolved significantly during that time.

In the past several years ARPA has sponsored additional research on computer networks, principally networks based on different underlying communication techniques, in particular, digital packet broadcast radio and satellite networks. Also, in the ARPA community there has been significant work on local networks.

It was clear from the start of this research on other networks that the base host-to-host protocol used in the ARPANET was inadequate for use in these networks. In 1973 work was initiated on a host-to-host protocol for use across all these networks. The result of this long effort is the Internet Protocol (IP) and the Transmission Control Protocol (TCP).

These protocols allow all hosts in the interconnected set of these networks to share a common interprocess communication environment. The collection of interconnected networks is called the ARPA Internet (sometimes called the “Catenet”).

The Department of Defense has recently adopted the internet concept and the IP and TCP protocols in particular as DoD wide standards for all DoD packet networks, and will be transitioning to this architecture over the next several years. All new DoD packet networks will be using these protocols exclusively.

The time has come to put these protocols into use in the operational ARPANET, and extend the logical connectivity of the ARPANET hosts to include hosts in other networks participating in the ARPA Internet.

As with all new systems, there will be some aspects which are not as robust and efficient as we would like (just as with the initial ARPANET). But with your help, these problems can be solved and we can move into an environment with significantly broader communication services.

The transition plan for NCP to TCP called for roughly a year-long process in 1982 to transition hosts from one network stack to the other. There were gateways between the two networks during that time. In January 1983 all the gateways between the NCP-based hosts and the IP-based hosts were turned off.

Vint Cerf, one of the parents of what we call the “Internet”, reflected on IPv4 addressing at the 2008 IPv6 conference. A DLTJ post from 2008 has a transcript of Dr. Cerf’s comments.

Footnotes

1. Adapted from the SANS Internet Storm Center entry The End Of IP As We Know It. Check it out for more techie questions and answers.

This week of DLTJ Thursday Threads covers a wide range of topics. First, from a public policy perspective, is news that the U.S. Senate has a bill proposing the study of an internet “kill-switch” that some are speculating could behave like what happened in Egypt last week. Next, from a technical perspective, is the fact that we’re running out of IP addresses, which is going to make some engineers’ lives pretty messy before it is ultimately fixed. Lastly, from a research perspective, is a paper that characterizes the demographics of users using peer-to-peer for piracy.

Continuing last week’s sidenote, I think I have found the fundamental problem of why Thursday Threads hasn’t been coming out via e-mail on, well, Thursday. Although the underlying issue still remains, a workaround has been put in place that will hopefully eliminate the symptomps.

Internet ‘Kill Switch’ Legislation Back in Play

Legislation granting the president internet-killing powers is to be re-introduced soon to a Senate committee, the proposal’s chief sponsor told Wired.com on Friday.

The resurgence of the so-called “kill switch” legislation came the same day Egyptians faced an internet blackout designed to counter massive demonstrations in that country.

The bill, which has bipartisan support, is being floated by Sen. Susan Collins, the Republican ranking member on the Homeland Security and Governmental Affairs Committee. The proposed legislation, which Collins said would not give the president the same power Egypt’s Hosni Mubarak is exercising to quell dissent, sailed through the Homeland Security Committee in December but expired with the new Congress weeks later.

The bill is designed to protect against “significant” cyber threats before they cause damage, Collins said.

Wired.com has this article about proposed legislation to “direct the Department of Homeland Security to undertake a study on emergency communications” (the bill’s title). The text of the legislation is not available at this time, but when a similar topic was debated in the last congressional session, the United States Senate Committee on Homeland Security and Governmental Affairs — chaired by Senator Joseph I. Lieberman with Senator Susan M. Collins as ranking minority member — issued a four-page Myth-v-Reality document [PDF]. That bill also seemed to do more than simply request a study — it actually established in the Executive Office of the President an Office of Cyberspace Policy. The bill died before coming up for a vote in the final days of the session. At the time, the American Library Association joined with dozens of other groups to send a letter [PDF] to the committee expression concerns with that version.

There is some really wacky stuff going on here. For instance, the Wired.com article reports on an aide to the Homeland Security committee gave an example when the limited power given to the President would be used: “An example, the aide said, would require infrastructure connected to ‘the system that controls the floodgates to the Hoover dam’ to cut its connection to the net if the government detected an imminent cyber attack.” This, of course, begs the question of “Is the system that controls the floodgates of the Hoover Dam connected to the public internet?” followed closely by “If so, why?” I think this one is going to be worth following to see what happens.

No more IPv4 addresses

The Internet has run out of IPv4 address space.

The Internet Assigned Numbers Authority (IANA) assigned two of the remaining blocks of IPv4 addresses – each containing 16.7 million addresses – to the Asia Pacific Network Information Centre (APNIC) on Tuesday, as predicted.

This action sparks an immediate distribution of the remaining five blocks of IPv4 address space, with one block going to each of the five Regional Internet Registries (RIR).

Internet Protocol (or “IP”) addresses are the unique identifiers that direct traffic from one computer on the network to another. When the experiment that we now know as the Internet was created — known as IP version 4 or “IPv4″ — the number of possible unique addresses was set as 4,294,967,296¹. It was thought that such a number would be sufficient for experimental purposes. The internet, of course, has taken on a life of its own, and with the assignment of unique addresses to home computers and cell phones, it was only a matter of time before we ran out.

Well, as stated in the article from Network World where the above quote came from, that time is quickly coming. The very top layer of the IP address bureaucracy assigns addresses in blocks of about 16.8 million to five regional registries that correspond to roughly continental boundaries. Those registries then assign smaller blocks to various internet services providers to use. How long it takes for each regional registry to run out of addresses varies from months to years, but with the exhaustion of the top-level registry the internet engineers know that we have reached the first milestone on that path.

There are various techniques that can be used to stretch the number of addresses, but the end-game is going to be the adoption of IP version 6. IPv6 will give us 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses. That’s 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456 addresses. Think that will be enough?

A research study identifies who uploads the majority of the content to the P2P piracy networks

Users who publish contents on BitTorrent dedicate a large part of their own resources (bandwidth, storage capacity) and assume the risks involved in publishing contents that are protected by copyright laws. So, is this altruistic behavior or is there some type of economic incentive at work? “The success of BitTorrent is due to the fact that a few users make a large number of contents available in exchange for receiving economic benefits”, explain the authors of a study carried out by the Telematic Engineering Department of the UC3M, Professors Rubén Cuevas, Carmen Guerrero and Ángel Cuevas. Their analysis demonstrates that a small group of users of these applications (around one hundred) is responsible for 66 percent of the content that is published and 75 percent of the downloads. In other words: the great success of a massively used application like BitTorrent depends on a few users.

This quote comes from a summary of a research study presented at 6th International Conference on emerging Networking EXperiments and Technologies (CoNEXT) late last year. It would seem to suggest that if one wanted to shut down piracy on peer-to-peer (P2P) file sharing networks such as BitTorrent that it would only take convincing or eliminating “a few users” to make it happen. That this hasn’t happened perhaps points to the difficulty in locating and stopping those users, but still I thought this made for an interesting read none the less. [Via ACM TechNews from January 26, 2011]

Footnotes

1. Okay, when one takes out the reserved private addresses and the multicast addresses, the number is somewhere around 4,006,000,000, but who is counting?

Back in the early days of this blog, I had a post on Buzzwords Galore and Bandwidth that May Rival Your Station Wagon. The topic was a “hybrid optical and packet network” being deployed by Internet2 in 2006, and in the tail end of the post text I explained the reference to the station wagon part of the post title:

When you think you have a really zippy network connection, someone will (should?) bring up an old internet adage which says “Never underestimate the bandwidth of a station wagon full of tapes.”

In the post comments, Walt Crawford asked “How about a 747 full of BluRay discs?” I must have been bored, because I calculated that bandwidth as 37Tb/s, and I even showed my work. Last week an internet citizen going by the name “Steveo” updated the table for an Airbus A38-800F. He (or she) and I arrived at different numbers (Steveo seems to have mistaken cubic feet for cubic meters in the calculation and didn’t update the maximum airspeed figure), so perhaps it is time to revisit this topic. (And while we’re at it, we’ll throw in numbers for Boeing’s latest freighter aircraft: the 747-8F.)

Boeing 747-400F Main Cargo Deck. How many rectangular boxes can we fit in a round space?

Now, by contrast, the latest notice I could find of high-speed data transfer over a network was a mention in December last year. In a press release from Caltech with the title “High Energy Physicists Set New Record for Network Data Transfer” is this paragraph:

The focus of the exhibit was the [High Energy Physics] team’s record-breaking demonstration of storage-to-storage data transfer over wide area networks from two racks of servers and a network switch-router on the exhibit floor [of SuperComputing 2009 in Portland, Oregon]. The high-energy physics team’s demonstration, “Moving Towards Terabit/Sec Transfers of Scientific Datasets: The LHC Challenge,” achieved a bidirectional peak throughput of 119 gigabits per second (Gbps) and a data flow of more than 110 Gbps that could be sustained indefinitely among clusters of servers on the show floor and at Caltech, Michigan, San Diego, Florida, Fermilab, Brookhaven, CERN, Brazil, Korea, and Estonia.

So, 110 Gbps from a network and 217,648 Gbps from a Boeing 747-8 Freighter. (We’re not counting yet the capacity of the theoretical Airbus A380-800F.) Only three orders of magnitude before the proverbial station wagon full of tapes is put to rest.

Updates

Footnotes

1. The original posting listed 159 as the capacity using a source that is no longer on the web. According to the Boeing site, 159 is the capacity of the lower deck, which doesn’t include the 605 cubic meters of capacity on the main deck. Go figure.
2. Converted from Mach to knots via Google.
3. “Maximum Level Speed” from specs converted from mach to knots via Google.
4. “Includes 15 minute bias”

My place of work has installed a VPN that moderates our access to the server network using the OpenVPN protocol. This is a good thing, but in its default configuration it would send all traffic — even that not destined for the machine room network — through the VPN. Since most of what I do doesn’t involve servers in the machine room, I wanted to change the configuration of the OpenVPN client to only send the machine room traffic through the VPN and everything else through the (original) default gateway. As it turns out, this involves tweaking the routing tables.

In its default configuration, the OpenVPN client establishes a default route pointing to the OpenVPN server as the gateway. What I needed to do is remove that default route to the OpenVPN server gateway, recreate the original default route to the underlying interface’s gateway, and add a new specific route for the machine room network using the OpenVPN server gateway. These additions to the “ovpn” file were:

route-delay 2
route-up "/some/location/openvpn-default-route-reset.sh"
route 193.20.135.0/24 255.255.255.0 vpn_gateway

The “route-delay” line forces the two subsequent changes to happen after all of the OpenVPN-driven routing changes are made. The “route-up” line runs a shell script that deletes the OpenVPN-supplied default route and adds the one pointing back to the underlying interface’s gateway. (More on this shell script below.) The “route” line adds the machine room specific network through the OpenVPN tunnel. ¹ (The “vpn_gateway” is a keyword in the configuration file that is replaced by the gateway address of the OpenVPN tunnel at runtime.)

For reasons I don’t understand, I couldn’t delete and re-add the default route via the OpenVPN configuration file. Instead, I needed to create an external shell script with those commands and execute that script via the “route-up” configuration line. The contents of the shell script are really simple:

#!/bin/bash
/sbin/route delete default
/sbin/route add default $route_net_gateway

OpenVPN will push a bunch of environment variables in to the subprocess, and one of them is $route_net_gateway that gets the “pre-existing default IP gateway in the system routing table.” That value is used in the third line to reset the default gateway. This script gets run as root, so perform due diligence to protect the script (chmod it to “700″ and chown it to “root”).

With that in place, my network routing tables look something like this:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc           40        0     en1
10.242.2.1/32      10.242.2.9         UGSc            0        0    tun0
10.242.2.9         10.242.2.10        UH              4        1    tun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             12 15704029     lo0
192.168.2          link#5             UCS             2        0     en1
192.168.2.1        0:c0:49:ff:8c:c5   UHLWI          42      108     en1   1158
192.168.2.3        127.0.0.1          UHS             0        9     lo0
193.20.135         10.242.2.9         UGSc            2        0    tun0
193.20.135.2/32    192.168.2.1        UGSc            1        0     en1

Footnotes

1. Note, this really isn’t the machine room network of my place of work.

The famous 1993 cartoon from The New Yorker has the caption “On the Internet, nobody knows you’re a dog.” The question at the moment is: when you’re on the internet, how do you know you are not talking to a dog? When you ask to connect to a remote service, you expect to connect to that remote service. You probably don’t even think about the possibility that “myspace.com” might not be “myspace.com”. But what if you couldn’t rely on that? How about “mybank.com”? Believe it or not, you may exist in such a world today. Last week, US-CERT issued a “Vulnerability Note” on Multiple DNS implementations vulnerable to cache poisoning. What does that mean? Read on…

DNS: The Internet’s Addressbook

It is the Domain Name System, or DNS, that translates an easily recognizable name to an IP address. DNS is a distributed database of names-to-numbers (and numbers-to-names and all sorts of other mappings). A network machine — say, your desktop computer — is running a program (a web browser) that needs to connect to a server. It relies on a DNS client to perform the name-to-number mapping. This figure shows a simplified relationship between all of the parts.

Sequence Diagram Showing Normal DNS Operation

On your computer, the web browser makes a request with the local DNS client to one of the DNS servers it knows. (You’ll see this DNS service listed if you look at the network properties on your computer.) DNS servers can, and typically do, remember the answers to recently asked questions from other DNS clients (a feature called “caching”); if the DNS server can answer the question from its cache, it will. If not, one of two things can happen: 1) DNS Server 1 can send a message back saying it doesn’t know but suggest where it might go to find an answer; or 2) attempt to find the answer itself and send it back to the DNS client. The latter is what is pictured above and is called “recursive name resolution”. DNS Server 1 can also cache the information so as to answer a subsequent question for the same information without having to go out and ask another DNS server for it. ²

When DNS Goes Bad

An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver’s clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker’s control.

In other words, some rogue agent out on the net tries to inject bad information into a DNS cache by sending specially constructed answers to questions that the caching DNS server never asked. That looks something like this.

Sequence Diagram Showing the Effect of DNS Cache Poisoning

As the US-CERT advisory points out, this is a bad thing. Many internet services rely on the fact that when they ask to connect to a host with a specified name that they will in fact be talking to a host with that name. You want to know that you are sending and receiving e-mail from the servers you expect and that the websites you get information from are the true, correct servers. DNS cache poisoning effectively hides this because the address bar in the browser looks correct.

Beyond Phishing

One Possible Workaround, One Possible Problem

However, in the course of writing this posting, I discovered that OpenDNS itself is engaging in something moderately equivalent to DNS cache poisoning itself, and it is doing it with the address of the most popular website: www.google.com. The problem seems to stem from issues that OpenDNS users were having with hidden software installed on Dell machines as a result of a Dell/Google agreement. David Ulevitch, Founder and CEO of OpenDNS, posted about the impact of Dell/Google’s actions and OpenDNS’s response on the OpenDNS blog last year.

About a year ago Google and Dell announced a partnership to include the Google Toolbar on new Dell computers. At the same time, Google was trying to convince the Department of Justice that changing the default search engine in the (then) new IE7 was too difficult (when in reality it’s really simple). Installing the toolbar meant that users would have Google as their default search engine in IE7. It also meant that Dell and Google would share some of the revenue from the advertising clicks that resulted from these installations, much like The Mozilla Foundation does with its Firefox browser. …

The solution to this problem was to route Google requests through a machine we run to check if the request is a typo or one of your shortcuts. If it is a typo or shortcut then we do what we always do, just fix the typo or launch your shortcut and send you off on your way. If it’s not one of those two things, we pass it on to Google for them to give you search results. This solution provides the best of both worlds: OpenDNS users get back the features that they love and Google continues to operate without problems.

This is what it looks like in a picture:

Sequence Diagram Showing the OpenDNS Response to Dell/Google

Danny Sullivan of Search Engine Land has a more in-depth analysis of Google’s and Dell’s actions. David offers a defense of OpenDNS’s response in a comments on a post to Slashdot (this is the sharpest and most poignant). If offering OpenDNS as a fix for DNS cache poisoning is two steps forward, then OpenDNS’s response to the Dell/Google action is, at best, one step back. I would prefer that Dell not automatically install functionality like this on my PC. I would also strongly prefer that DNS resolvers not try to be too cute. Fortunately, it is possible to turn off this behavior in OpenDNS, which I prefer to do. But, all told, this is just one more lesson about how important the Domain Name Services is to the fundamental operation of the internet, and how easy it is to take for granted.

Updates

Also, there is a C|Net news article talking about how this broad, deep, and important problem was discovered and incrementally disclosed. It is a very interesting read for those who like to know about how internet security happens.

Footnotes

1. This happens with a technique called “Network Address Translation” or NAT. NAT was created to conserve the internet address space (among other reasons) by putting multiple computers behind a device that makes all of the computers look like one machine to the outside world. If you connect to the rest of the world via a small hub, you’re probably using NAT. If the IP address of your computer starts with “10″ or “192.168″ you are definitely using NAT.
2. The amount of time a caching DNS server can hold onto information on behalf of an “authoritative” DNS server is specified as part of the DNS protocol, but such consideration is outside the scope of what is being talked about here.

Via a weekly wrap-up post by Dion Almaer on the Google Code Blog comes mention of a Google Tech Talk video from their IPv6 Conference 2008. It is a panel discussion called “What will the IPv6 Internet look like?” and it offers insight into the difficulties of transitioning to the next generation IP transport protocol. Although it has been years since I’ve seen the business end of managing an actual IP network, I found the discussion a fascinating look at the issues that are ahead of network engineers and device manufacturers around the world.

The part that caught my ears, though, was an exchange between Vint Cerf, vice president and chief internet evangelist at Google, and Bob Hinden, chief internet technologist at Nokia Networks. It starts at 13 minutes and one second into the video with Vint as moderator of the panel addressing a question from the audience about whether the panelists are proud of the work done on IPv6.

Vint Cerf

Well, just speaking for myself — like I said earlier this morning — I believe that v6 is the only thing that we can do right now to make sure that address space is available and that we preserve as much as possible the end to end structure of the network.

Bob Hinden

Can I get one other comment in here? You reminded me of something. So back when Vint and everyone was starting the v4 — the current internet — was not a sure thing. Back, you know, 15, 20 years ago. And there were lots of –

Vint Cerf

I’m sorry, it’s 30 years ago because the decision — [laughter]. No, I’m serious, the decision to put a 32-bit address space on there was the result of a year’s battle among a bunch of engineers who couldn’t make up their minds about 32, 128 or variable length. And after a year of fighting I said — I’m now at ARPA, I’m running the program, I’m paying for this stuff and using American tax dollars — and I wanted some progress because we didn’t know if this is going to work. So I said 32 bits, it is enough for an experiment, it is 4.3 billion terminations — even the defense department doesn’t need 4.3 billion of anything and it couldn’t afford to buy 4.3 billion edge devices to do a test anyway. So at the time I thought we were doing a experiment to prove the technology and that if it worked we’d have an opportunity to do a production version of it. Well — [laughter] — it just escaped! — it got out and people started to use it and then it became a commercial thing. So, this [IPv6] is the production attempt at making the network scalable. Only 30 years later.

Dear future self,

If you are reading this, you are remembering a time when you ran into a really nasty interception proxy¹ and you are looking for a way around it. Do you remember when you were sitting in the Denver International Airport using their free wireless service? And remember how it inserted advertising banners in HTML frames at the top of random web pages as you surfed?

After about a half an hour of this, you started looking for solutions and found that the secure shell client can act as a SOCKS proxy². Using ‘ssh’, you set up a tunnel between your laptop and a server in the office that encrypted and effectively hid all of your network communications from the interception proxy. And if you are reading this again you want to remember how you did it.

Set up the SOCKS proxy

ssh -D 9050 [username]@[remote.server.name]

To refresh your memory, here is an extract from the ‘ssh’ manual page for the -D option:

-D [bind_address:]port

Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

Using the SOCKS proxy

Next you need to tell the applications to use the SOCKS proxy. If you are still using a Mac when you are reading this, you’ll probably have it pretty easy. Mac OSX lets you set a proxy system-wide that all well-written Mac applications will use to get their parameters. It is in the “Proxies” tab of the Advanced… network settings. On Mac OSX version 10.5 (Leopard), it looks like the graphic to the right.

If you’re using some sort of UNIX variant, the application may have a setting to use a SOCKS client, or you may need to use the ‘tsocks‘ shim that intercepts the network calls of the application. And, future self, if you are using a Microsoft Windows box right now, please remember how much simpler life was when you used a Mac or Linux desktop. If you find yourself in such a spot, some reader of this blog posting may have left a comment for you below that will help you use a SOCKS proxy with a Windows platform.

Hope this helps. Sincerely,

Self, circa February 2008

Footnotes

1. Version of the “Proxy Server” Wikipedia page when this posting was written
2. Version of the SOCKS Wikipedia page when this posting was written

A while back we created an LDAP directory to consolidate account information for various back-room services, and when we created it we decided to use the individual’s e-mail address as the account identifier (uid in LDAP-speak). It seemed like the logical thing to do — it is something that the user knows and it is a cheap and easy way to assume that the account identifiers will be unique. This is not uncommon for many internet services, of course.

Now we’re bring up a Drupal content management system and of course want to tie the authentication into the existing LDAP directory. The initial configuration appeared to work, but there were odd, unexplained failures — most notably, Drupal would not consider it a ‘real’ account because it didn’t have an e-mail field. Even weirder was the fact that we configured Drupal to know exactly which LDAP attribute to use as the e-mail address (mail, in LDAP-speak). It wasn’t until one of our system engineers wondered out loud if the at-sign (‘@’) in the user id wasn’t causing problems that we started making progress towards a solution.

As it turns out, he was right. Without spending so much time in the guts of the Drupal code to know exactly if this is true, it seems like Drupal wants to reserve the ‘@something‘ construct for inter-Drupal authentication. In other words, if you have an account on one Drupal server (let’s call it DrupalA) and want to access a second (let’s call it DrupalB) — and if the two servers agree to share user accounts — the account from DrupalA would be recorded in the database of DrupalB as “UserId@DrupalA“.

The ‘at’ symbol for us, though, is just a normal part of an e-mail address. We really didn’t want to reconstruct our LDAP account scheme, so the best choice seemed to be to find a way to trick Drupal into accepting these account identifiers. This, unfortunately, was no easy task. I couldn’t find the root cause of the problem, but did diagnose enough of the symptoms to force a patch into the system. The patch, in the form of a new module (code included below) forces the account to have two necessary attributes that seem to go missing whenever a ‘@’ character appears in the user id. If you have similar problems, I can’t claim that this will work for you, nor can I guarantee this approach will be supportable in the future. All’s I know is that it seems to work for us in our situation right now.

 <?php
 
function olinkldap_help($section) {
  $output = '';
  switch ($section) {
    case 'admin/modules#olinkldap':
      $output = 'olinkldap;
      break;
    case 'admin/modules#description':
    case 'admin/help#olinkldap':
      $output = t('Sets up OhioLINK-specific LDAP parameters.');
      break;
  }
  return $output;
}
 
function olinkldap_settings() { }
 
function olinkldap_user($op, &$edit, &$user, $category = NULL) {
  switch($op) {
    case 'load':
      olinkldap_user_load($user);
      break;
  }
}
 
function olinkldap_user_load(&$user) {
  // Calculate the DN for the user -- you'll need to adjust this to match your LDAP base DN
  $ldap_dn=sprintf("uid=%s,ou=People,dc=somewhere,dc=outthere", $user->name);
 
  // Create a new array with the two LDAP-specific values that seem to be missing.
  $forced_data=array('ldap_authentified' => 1, 'ldap_dn' => $ldap_dn);
 
    // It seems like this should work, but it doesn't (it throws a segmentation fault)
    //  user_save($user_edit,array($forced_data);
    // so we're going to interact directly with the database
  if ($user->uid) {
    // Get the 'data' field for the user and put it in the $data array
    $data = unserialize(db_result(db_query('SELECT data FROM {users} WHERE uid = %d', $user->uid)));
    // Put all of the attributes from $forced_data into $data
    foreach ($forced_data as $key => $value) {
      $data[$key] = $value;
    }
    // Reserialize the $data array and update it in the database
    $v[] = serialize($data);
    db_query("UPDATE {users} SET data='%s' WHERE uid=%d",array_merge($v,array($user->uid)));
  }
}
?>

Save this as ‘olinkldap.module’, update the DN to reflect your LDAP server’s base DN (see comment in code), copy it into your Drupal modules directory, and activate it. Your ‘@’-impaired userids should start working again. If you are using the inter-Drupal account sharing (we’re not) this might break something for you. That’s not interesting for us, so I’m not testing it against that condition. If you use this and find that it works or doesn’t work, or you have a better way of solving the problem, please leave a comment or traceback…