
Show - don't say, PostgreSQL, VP9, IPv6, Hashes, DHCPv6, DNSWL, Azure Nano Server, Great Cannon

posted Apr 25, 2015, 10:02 AM by Sami Lehtinen   [ updated Apr 25, 2015, 10:03 AM ]
  • A few tricks for handling things more efficiently using PostgreSQL and its arrays.
  • YouTube starts using the VP9 video codec to improve video quality and save a ton of bandwidth.
  • It seems that during holidays there are tons of attacks against public internet-facing servers. I guess the 'bad guys' know that if they hack the servers during holidays, nobody's probably going to do anything to fix the situation for several days. Especially if they do it so that they don't disturb its normal operation and just run their own additional tasks with low priority. Nobody notices or cares at all.
  • Configured ALL servers to use IPv6 as well as configured the corporate network to use IPv6. Servers, software & firewalls were easy to configure, but the corporate network configuration took some pain, because there was a different router / firewall which I hadn't had to deal with earlier. Had to use a similar test system to test and troubleshoot everything before moving the working configuration into production. It took quite a while to get everything confirmed, cross-checked and so on. Also had fun with DUID fields. SLAAC, DHCPv6 and dhcpv6-slaac-problem by IETF. But it was worth it for the fun I got while doing it.
  • All of my servers are now using only SHA-256 based SSL certificates. Yes, including the full certificate chain, so there aren't any intermediate SHA-1 hashes. But the funny thing is that Google says that SHA-1 is obsolete cryptography technology. Yet they're using it all the time. Like in the case of Gmail's certificates.
  • I just can't stop loving projects which are an absolute mess and extremely badly documented. Yeah, you can get things working, if you are brave enough to think and go through all possible configuration options as well as read the source code if it's available. It's just so annoying. But well, things will get done, when you just put enough effort into it. Sometimes some key information is assumed, yet if you don't know what it is, you're pretty much failing hard for a long time.
  • Added my server's IPv6 address to the DNSWL whitelist for ensuring email deliverability.
  • Studied tons of stuff about DHCPv6 and Router Advertisement Flags (M,R,O). I had to, because I'm planning to use it. Yet it doesn't seem to deliver (with ZyWall) some of the key benefits I would assume getting. Like knowing who's using which IP address and when. Unless full manual configuration is being used with DHCPv6 DUID.
  • Microsoft "Docker" style servers. Aka containerization with minimal overhead. They call it Nano Server on the Azure platform.
  • Finally, after a weekend, it seems that systems are now getting 100% correct IPv6 configuration, including Windows & Linux systems as well as mobile devices. That's just awesome. Now everything is 100% dual stack, allowing IPv4 and/or IPv6 traffic. Also many services which earlier used NAT or port redirection are now directly reachable. It's better than using constant port mappings. As well as the horrible in-protocol ALG in some cases (FTP). Only one workstation is failing, which is the workstation I've been using to test everything. So there's some kind of configuration issue somewhere. Let's see how this plays out.
  • It's good to disable ISATAP, 6to4 and Teredo, which are all enabled in the default Windows configuration. Just enter these commands in an elevated shell:
    netsh int ipv6 isatap set state disabled
    netsh int ipv6 6to4 set state disabled
    netsh interface teredo set state disabled
  • I liked this approach mentioned in one blog: About Startups - Show don't tell. "I'm going to build this amazing thing" is a LOT less interesting than "I've built this slightly crappy thing that actually does something". EVERYONE is GOING to build something, most people never do...
  • Amazon EFS did look interesting yet it's extremely light on details, which really do matter in these cases. It's just so easy to make bold bogus claims like "low latency" or high IOPS. Those are very relative terms.
  • Tons of configuration work with DNS and IPv6 stuff. But it starts to be pretty much done now. Phew! Now even the visitor WiFi network provides full IPv6 connectivity, allowing both options: SLAAC + DHCPv6.
  • Checked out Call for bids, when wondering what kind of new features OpenBazaar could implement.
  • China's Great Cannon - New stuff? I think the attacks mentioned here have been known for well over 20 years. Shocking news, right? It was in 95 when I was at the office doing IP networking and it was back then already trivial to monitor and modify packets, messages and content on the fly. Yet people still don't seem to realize that email and other stuff are just "post cards" whizzing by which can be modified at will when and if required.
  • Also checked out: Data Analytics using Pandas and SQLite and Python Boltons
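
For the ISATAP, 6to4 and Teredo item above, a way to confirm the tunnels are really off after running the netsh commands. This is an added example, not from the original post; it assumes Windows 8 / Server 2012 or later, where the NetworkTransition and NetTCPIP cmdlets are available, and the function name Get-TunnelKind is made up for illustration.

```powershell
# Added example: verify ISATAP, 6to4 and Teredo are disabled and left no addresses behind.
# Assumes Windows 8 / Server 2012 or later. Get-TunnelKind is a hypothetical helper name.

# Classify an IPv6 address by the well-known transition-mechanism prefixes.
function Get-TunnelKind([string]$Address) {
    $b = [ipaddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 16) { return $null }                       # not an IPv6 address
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) {
        return 'Teredo'                                          # 2001:0::/32
    }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return '6to4' }    # 2002::/16
    if (($b[8] -band 0xFD) -eq 0 -and $b[9] -eq 0 -and
        $b[10] -eq 0x5E -and $b[11] -eq 0xFE) {
        return 'ISATAP'                                          # interface ID 0000:5efe or 0200:5efe + IPv4
    }
    return $null
}

# 1) Configured state of each mechanism; anything other than 'Disabled' needs attention.
$settings = @(
    [pscustomobject]@{ Tunnel = 'Teredo'; Setting = [string](Get-NetTeredoConfiguration).Type }
    [pscustomobject]@{ Tunnel = 'ISATAP'; Setting = [string](Get-NetIsatapConfiguration).State }
    [pscustomobject]@{ Tunnel = '6to4';   Setting = [string](Get-Net6to4Configuration).State }
)
$settings | Format-Table -AutoSize

# 2) Addresses still assigned from a transition prefix (should be none after disabling).
$leftover = Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object {
    $kind = Get-TunnelKind $_.IPAddress
    if ($kind) {
        [pscustomobject]@{ Kind = $kind; Address = $_.IPAddress; Interface = $_.InterfaceAlias }
    }
}

$notDisabled = $settings | Where-Object { $_.Setting -ne 'Disabled' }
if ($notDisabled -or $leftover) {
    Write-Warning 'Transition tunnels are still active or configured:'
    $notDisabled | Format-Table -AutoSize
    $leftover    | Format-Table -AutoSize
} else {
    Write-Output 'ISATAP, 6to4 and Teredo are disabled and no tunnel addresses are assigned.'
}
```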