
IPv6, SSL/TLS, CNC, CDN, Encryption, Authentication, Mobile Broadband, NFV, SDN, CN, NFC

posted Jun 28, 2015, 9:24 AM by Sami Lehtinen   [ updated Jun 28, 2015, 9:24 AM ]

Some light stuff during summer vacation...

  • Just tested IPv6 with my mobile 4G LTE, and it works perfectly. Now all of my systems are running full dual stack (IPv6 + IPv4). How long are we going to need IPv4 if all systems are using IPv6? Supporting both, plus legacy systems, is still overhead. Is it time to get rid of those? I guess that many of the systems I'll be configuring from this point on for 'internal / servers only / personal' use will be IPv6 only, because I don't see any particular reason to support IPv4 anymore. IPv6 only might be coming soon. When firewalling systems, I'll probably only whitelist IPv6 addresses and leave IPv4 blocked completely.
  • Confirmation from phone: Now my Android phone is fully working with native IPv6 and IPv4 CG-NAT dual stack... Nice! Using G+ over IPv6. Also IPv6 only seems to be working perfectly without IPv4 support.
  • About SSL certs and Let's Encrypt, and certificate & key trust: AFAIK, for high security purposes self-signed is the option available. This of course means that you'll have to personally confirm the certificate fingerprint and add it to your lists. But this is always better than trusting any third party. Yet it requires work from you. Isn't this how SSH and OpenPGP keys have worked for ages? I meet you, I get your key, and I know it's your key. It's not some shady government agency or corrupt money-making organization telling me that now I can trust my secrets to 'you'.
  • Checked out superlubricity, because the MIT News post about vanishing friction was interesting.
  • China Net Center operations (CNC) fixed the CDN speed issues that I reported in my last post. Their CDN delivery time to Finland improved by a whopping 15x. That's a good result. It's not "great" yet, but it's okish considering that it's a Chinese caching CDN like CloudFlare and it fetches the source data from China if it isn't locally cached already. It was just funny how the CDN network's own pages were extremely slow before they fixed it. I might even choose to statically edge cache my own pages, because those won't consume a lot of resources and it would give a good impression to potential customers. Yet this isn't the first time I've encountered a similar situation. CDN providers don't see their own pages as important enough to be cached or delivered using their own CDN. I don't remember anymore which one it was I encountered earlier, but they had similar issues. Maybe their internal invoicing for such services is prohibitively high. Lol. It's always nice to notice that reporting issues does sometimes make a difference. Yet I often feel like reporting problems is a waste of time. Some companies do not understand that feedback, even if negative, is really important: it helps to fix issues. If only they cared about their customers and the customer experience. Actually it's really nice to see companies which do value negative feedback and fix the issues. You wouldn't believe how often it doesn't happen.
  • All of my email systems are configured to use opportunistic encryption. There is a list of domains which require encryption, then a list of domains which require a secure connection (certificate verified), and then a list of domains which require a specific certificate with a pinned fingerprint. I'm using all levels. To be honest, over 99% of email goes to those domains which use either a secure connection or a fingerprint. The fingerprint can be used in cases where high security is required. And none of this does anything to 'secure the chain': anyone can forward the email that was delivered securely to a non-secure destination. Of course. Even if it were a fully secure system, they can just photograph the message and share it publicly on Facebook or Twitter. There's no easy way of stopping that from happening.
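The three outbound TLS tiers described above, modelled in Python as an added example (the post names no particular MTA, so this is not its configuration): a per-domain policy table, the delivery decision for each level, and a SHA-256 certificate pin. The domain names and the pinned certificate bytes are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample: the DER bytes of the certificate pinned for one
# high-security correspondent. In practice this is the peer's real leaf cert.
PINNED_CERT_DER = b"constructed-sample-leaf-certificate-der"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Per-destination-domain outbound TLS policy, one entry per tier in the post.
# Domains are constructed examples; the default tier is opportunistic.
POLICY: Dict[str, dict] = {
    "encrypt-only.example": {"level": "encrypt"},     # TLS mandatory, cert not checked
    "verified.example":     {"level": "secure"},      # TLS + chain and hostname verified
    "pinned.example":       {"level": "fingerprint",  # TLS + exact pinned certificate
                             "sha256": cert_fingerprint(PINNED_CERT_DER)},
}
DEFAULT_POLICY = {"level": "may"}                      # opportunistic TLS


@dataclass
class PeerTLS:
    offered: bool       # peer advertised STARTTLS and the handshake succeeded
    chain_valid: bool   # trust chain and hostname check passed
    cert_der: bytes     # leaf certificate presented by the peer


def delivery_allowed(domain: str, peer: PeerTLS) -> Tuple[bool, str]:
    """Decide whether mail may be handed over, and under which guarantee."""
    policy = POLICY.get(domain.lower(), DEFAULT_POLICY)
    level = policy["level"]
    if level == "may":
        return True, "tls" if peer.offered else "plaintext"
    if not peer.offered:  # every stricter tier refuses to fall back to cleartext
        return False, "TLS required but peer did not offer it"
    if level == "encrypt":
        return True, "encrypted, certificate unverified"
    if level == "secure":
        if peer.chain_valid:
            return True, "encrypted, certificate verified"
        return False, "certificate verification failed"
    if level == "fingerprint":
        # Pinning replaces CA trust: a self-signed cert is fine if it matches.
        if cert_fingerprint(peer.cert_der) == policy["sha256"]:
            return True, "encrypted, pinned certificate matched"
        return False, "certificate fingerprint mismatch, possible MITM"
    return False, "unknown policy level %r" % level
```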
  • Identification and trust issues: But when two banks set up a VPN between their data centers, do they use a Comodo SSL (or any other) certificate and externalize key system trust to Comodo, or do they trust their IT departments? I personally prefer managing the most important keys myself, and I believe many do so. Yet I can see why externalizing trust could be very handy at times. And actually that's exactly what I asked in my authentication post. Why does your data center software defined network management console require anything other than Facebook or Twitter login? It's just so handy when you can link roles to existing identities, and by using these services you get free 2FA too. No need for expensive RSA key generators.
  • See my Google+ random thoughts post about having multiple authentication systems. When I'm entering the US and the border guard asks me for ID, why can't I just show that I'm logged in to Facebook? It would actually be handy, and that's what I would like to see: a universally trusted strong on-line identity, just like identity documents are right now. Except again, I'm sure some instances won't trust the passport, but they still want to implement a parallel strong identity solution for their own employees for whatever reason. Estonia is trying to fix that. Finland issued strong PKI identity cards a long time ago, but nobody wanted to use those. Now Yle is trying to launch a (weak) identity service for Finland and Finnish users to compete with Facebook, Twitter, Instagram and Google+. The whole identity and trust management field is one huge mess. Why do we need so many parallel identities? Especially if we don't want to be pseudonymous or anonymous and we've got nothing to hide? (Let's not discuss how ridiculous that last claim is.) e-Estonia reference. There's constant competition in Finland for the official strong on-line identity system. So far banks have been dominating the market, but telecom operators want to get their share via mobile authentication. The new mobile authentication in Finland is actually so strong that if the police ask you for ID you could technically use it, and it shouldn't be highly trusted personal identification.
  • Gofore is going to build the national service channel for Finland (Finnish), which is based on the ESB concept; Estonia is using a similar model under the name X-Road.
  • Read an excellent write-up about PHP 7.0's new hash table implementation.
  • Checked Blancco's new SSD eraser program. AFAIK, that means they have to certify it separately for each SSD, firmware version and so on. So it really does its job. Yet, as mentioned, advanced malware could still tweak the drive to lie about being clean.
  • Mobile broadband prices in Finland? 150 Mbit/s is 24,90€/mo (incl. VAT), 50 Mbit/s would be 15€ / mo, and it seems that 29,90€ / mo would now buy you 300 Mbit/s 4G LTE, but my phone doesn't support it. Also no operator so far has limited tethering in Finland. Whenever I hear discussion about it, it makes me laugh / cry. AFAIK, in most cases anything faster than 21 Mbit/s on mobile is most probably a waste of money, unless you're using tethering and torrents or repeatedly downloading something else large from the network. Wifi / WLAN is basically 300 Mbit/s, but of course that varies wildly, as we know, due to radio issues. Fiber is quite common: 10 Mbit/s is often free in newer buildings, 100 Mbit/s costs something like 5-19 € / mo depending on the situation, and 1 Gbit/s is often available in buildings where FTTH / Ethernet is installed, because it can't be delivered over VDSL2. Finland is a large country, so 4G is actually important, because there are large areas (of course the majority of the country) where you can't get fiber. So the optional availability of fast 4G is really great compared to fiber. And it's usually much faster than what could be delivered using VDSL2 or ADSL2+ in those areas, due to the distances involved. There's one operator, TeliaSonera (Telia, Sonera), which does have a 10 Gbyte / mo data cap, but the other competitors don't have that.
  • Performance testing LclBd has shown that even with the current el-cheapo server this site can handle more than 4 million hits / day and deliver data at a constant 50 Mbit/s+ rate for dynamically generated content. I'm really happy with that. uWSGI and Python are doing a great job. And the server is the ultimate low-end server, so anything defined even as a normal desktop could easily do 10x that, and real servers 50x. This result is without CDN or content caching. If required, tuning those parameters would further improve performance a lot. The most annoying problem with the current service provider is random and potentially too long (15+ seconds) freeze-ups. I told them that they have to get the issue fixed asap, or I have to vote with my money. Yet as usual, I assume they don't care a bit and I'll have to relocate my servers to a new service provider. I've been planning to use Vultr or RamNode next.
  • Performance and load testing for LclBd has shown that even with the current super el-cheapo server this site can handle more than 4 million hits / day of dynamically generated content. I'm really happy with that result; it's more than I expected. Linux, uWSGI and Python are doing a great job. And the server is the ultimate low-end server, so anything defined even as a normal desktop could easily do 10x that, and real servers 50x. All static content can easily be delivered at up to 500 Mbit/s, which is the maximum bandwidth currently available for the server.
  • Watched the IPv6now Finland seminar video stream. Yet as I've said, all of my systems (at home and at work) are already fully IPv6 compliant and actually using IPv6. IPv6 RIPEness - IPv6 Capability at the ASN Level. Russia is lagging, Norway is leading by a lot, and in Sweden it's a bit higher than in Finland. 6rd (RFC 5969) à la Sonera. Native IPv6 without NAT with DNA.
  • Thoughts for one project: I could add [b]bold[/b] [i]italic[/i] [q]blockquote[/q] and [c]monospace aka code[/c] modes if required. Or of course whatever markup could be used for those, like *bold* /italic/ """blockquote""" and ~code~. Maybe = Header = is required too? Btw, it's just wonderful how many different competing markup standards there are. Also one user sent me an email asking about the possibility of adding a 'user signature' feature. I personally don't see a signature as necessary. It was used with Usenet news and BBS systems BEFORE there were user profiles. Now you can dump your 'signature' stuff into the user introduction box on your user page and link to your alternate profiles and so on. Therefore I don't see a need for a signature feature, which is often used to spam unrelated repeated stuff into posts on many forums. Not mentioning any right now, but I guess you know what I mean.
  • Checked out the Thuraya SatSleeve, which turns your cellular phone (smartphone) into a full-blown satellite phone working across 161 countries without roaming charges.
  • Veikkaus, the Finnish betting company, starts to accept a driver's licence or social security card as their loyalty card. That's great. I've always hated the way companies want to issue loyalty cards which I should carry with me. No, I don't want to do that. If I can use an existing card, that's great. Just like I wrote about the identity systems: why does every system want to manage its own identity system? And why are email addresses being used as identities, etc.? Annoying.
  • Checked out network functions virtualization (NFV), software-defined networking (SDN), carrier SDN and cognitive networks (CN).
  • NFC credit card relay attack - Yep, that's what I've been thinking for a long time. Such attacks could be partially limited using tight latency controls. It's easy to make things slower, but sometimes it's really hard to make them a lot faster. Relay attacks add considerable latency, and radio waves travel at light speed, so using latency to stop this kind of attack could be one way of prevention. Of course there are situations where relaying the identification can be greatly beneficial, just as Steve Gibson demonstrated on the Security Now show: if I use an SQRL lock on my door, you can just send me an image of it, and I'll open the door for you. Also an HTML5-based web application could be interesting to play with, and if it works well, maybe even for actual use.
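The latency-based relay check sketched above, worked through as an added example that is not from the post: an RTT bound is calibrated from known-good timings of genuine cards, an exchange is rejected when its rounds exceed that bound, and the excess latency is converted into the distance it would imply at light speed, which is how the reader can tell "slow card" from "impossibly far card". The two RTT series are constructed samples, not measurements.

```python
import statistics
from typing import List, Tuple

SPEED_OF_LIGHT_M_S = 299_792_458.0

# Constructed sample round-trip times, in microseconds, for one challenge/
# response round between a reader and a contactless card. The genuine series
# is a card held on the reader; the relayed series is the same exchange with
# extra forwarding hops in the path.
GENUINE_RTTS_US: List[int] = [310, 325, 298, 341, 305, 318, 309, 330]
RELAYED_RTTS_US: List[int] = [4210, 3980, 4510, 4390, 4120, 4870, 4050, 4300]


def calibrate_bound_us(baseline_rtts_us: List[int],
                       spread_factor: float = 1.5,
                       min_margin_us: int = 100) -> float:
    """Maximum acceptable RTT derived from known-good timing of genuine cards.

    Median plus a margin proportional to the observed jitter, never smaller
    than min_margin_us so a very stable baseline does not become brittle.
    """
    med = statistics.median(baseline_rtts_us)
    spread = max(baseline_rtts_us) - min(baseline_rtts_us)
    return med + max(spread * spread_factor, min_margin_us)


def implied_distance_m(rtt_us: float, baseline_us: float) -> float:
    """One-way distance the extra latency would correspond to at light speed.

    A signal cannot arrive sooner than this allows, so excess latency that
    implies hundreds of kilometres of extra path is a strong relay indicator.
    """
    extra_s = max(rtt_us - baseline_us, 0.0) * 1e-6
    return extra_s * SPEED_OF_LIGHT_M_S / 2.0


def check_exchange(rtts_us: List[int], bound_us: float,
                   max_slow_rounds: int = 1) -> Tuple[bool, int]:
    """Accept the card only if at most max_slow_rounds rounds exceed the bound.

    Tolerating one slow round absorbs an occasional retransmission on a genuine
    card, while a relay, which slows every round, is still rejected.
    """
    slow = sum(1 for t in rtts_us if t > bound_us)
    return slow <= max_slow_rounds, slow
```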
  • I've been seeing some traffic from Applebot/0.1, which powers the Siri and Spotlight search engines for Apple. Yet those crawlers don't seem to crawl sites extensively. It seems likely that they pick data from the Twitter firehose and crawl all URLs mentioned on Twitter.
  • Checked out the world democracy index and world competitiveness rankings for countries. Many countries I like rank really high on those lists: Canada, New Zealand, Australia, Singapore, Hong Kong, Belgium, Germany.