Blog‎ > ‎

ZyWall 50 USG IPv6, Bloom Filters, Tableau, DE-CIX, Game-Theory, Hash, Pycon, BitHalo

posted May 1, 2015, 9:39 PM by Sami Lehtinen   [ updated May 1, 2015, 9:58 PM ]
  • Studied X-Road protocol version 6.0 - Which is governmental and national ESB integration solution which allows basically anyone to join in 'easily' and 'cheaply' compared to well many more traditional solutions.
  • Reminded my self about simple details of Magnet URI scheme - I think OpenBazaar should use something similar.
  • Created a few information flow diagrams (IFD) - to visualize how processes work between departments and to describe business process information flows.
  • Checked out: Google network edge, Google Cloud DNS, Google Carrier Interconnect
  • Watched tons of PyCon 2015 videos, Guido van Rossum's Python Type Hints which was especially interesting. Including Python Static Checking, Linting, Type Checking, Static Code Analysis
  • We all should be very familiar with this stuff already Hash Functions and You - Curtis Lassam, Btw. Excellent talk! Not too deep, but if you're not familiar with that stuff, watch it.
  • REST API Descriptive Language (API DL) Related: RAML, SWAGGER, API Blueprint, WADL, SOAP, WSDL, JSON, XML
  • Checked release notes and toyed around with Tableau 9.0
  • Reminded my self about Bloom Filters. I just needed those in one project to reduce database lookups and the great hash talks at Pycon reminded me about using those when needed.
  • Watched SpaceX CR6 first stage landing video, I guess everyone did. They were pretty close being successful, but it still failed. Also checked out SpaceX rocket engines - As well as reminded my memory about rocket propellants.
  • Had long talks with consults about project communication, documentation, management, scrum, agile methods, continuous integration, software quality management, version control, Trello, Sharepoint, Kanban and so on. All the business as usual.
  • Studied LightSail energy storage technology. So they don't waste heat energy from compressing air, nice? It's then secondary question where and how this thermal energy is stored. This is also the key, which has made most of earlier compressed air solutions so inefficient. Energy is lost due to heat loss during compression and decompression, if it's not stored somewhere and restored later.
  • Reminded my self about operators which are connecting directly to DE-CIX @ Frankfurt.
  • Thoroughly studied ARTS XML Digital Receipt Technical Sepcification Version 2.0 (April 21, 2001 - Candidate Recommendation) - Which is related to e-receipt stuff.
  • It seems that ThunderBird got some kind of bug when updating folders. At times it just hogs CPU and doesn't do anything at all. Clear infinite loop somewhere. After restarting the email client, everything works perfectly again. I don't know if this is known issue. But I just didn't bother to make a ticket about it. I've experienced it so many times now, that I'm sure there's a bug somewhere. Usually it's related to cases where large number of messages have been added or deleted to a folder other than Inbox. I've experienced hang with Sent and Deleted (Trash) folders.
  • Project to build new direct undersea fiber from Finland to Germany seems to be progressing. Currently they're mapping the seabed in detail and making plans for laying the cable there. Which will hopefully follow in about 4 months.
  • Checked out yet another "secure" email service provider Tutanota. It's just like so many others like it: Hushmail, Safe-mail, Protonmail, and so many others. HTTPS Webmail sending out links is kind of kludge, because it doesn't mean that the messages would be transported over SMTPS and that the SMTP server certificates would be used and verified. But certificates can be practically meaningless if it's too easy to obtain those. More about that later.
  • Gorilla Glass might seem like durable, but it's not shock resistant. I just dropped my phone for about 3 centimeters onto my granite table and glass did get multiple fractures. It's clear that it's hard, but it's way too hard to hand shocks when colliding with other hard and heavy objects.
  • Telegram Fist - It revelas who's sending telegrams using statistical analysis, even if you would think that Morse code would be pretty anonymous. There's just so much information leackage in many mediums. As well as it's possible to tell if radio is remotely operated or locally operated from the characteristics of transmission when sending analog messages. Yes, all of this is old stuff. But it just tells how much even much simpler systems leak side channel information.
  • OpenBazaar Thread Model Analysis by Dionysis Zindros.  Assumed adversaries and malicious groups, game-theory, incentives, censorship, eavesdropper, PKI, RSA 1024, Tor, GPG, HTTPS, CA, DNS, Bitcoin, RSA, ECDSA, SHA256, AES, Python, Javascript, Angular, Developers.
  • Studied BitHalo. Yet another Bitcoin and BlackCoin related trading platform bit like OpenBazaar.
  • Watched AirAsia crash plane crash documentary going through the events which lead to the unfortunate situation.
  • Why to blog if nobody's reading? Well, that's good question. Yet I've used often my own (web) log aka blog as my things I've done log. So it's easy to visit and check when I did and what, even if I'm not usually writing complex or deep articles.
  • Checked tons of different developing market ETF's, Africa, Asia, India, China, Saudi-Arabia, Russia. I'm also following Greece situation, as everybody else is too (?).
  • Bandwithplace is a nice HTML5 bandwidth tester like Speedtest. It doesn't require Flash or any software installation. It's also interesting to see how connections from Finland are wired to neighbouring countries. Because based on which operator you're using, fastest server can be in Amsterdam, Frankfurt or Vilna. Also the new Sea Lion cable straight to DE-CIX (?) sites can change this even further. I guess some operators will be utilizing it and others won't. Same thing applies here, some operators route directly to Vilna via Tallin and some operators route via Moscow or St. Petersburg and in some cases data takes trip to Amsterdam and then back to Vilna from Helsinki.
  • Swarming flying robot drone bots are here, under project name Sensintel Coyote LOCUST project. Straight out of movies where mothership comes and drops swarms of smaller fighters.
  • (Yahoo Mail) email delivery is just unacceptably slow. It took 5 minutes for Yahoo to deliver email out. Even if other service providers can do the same under a second. No go, that's a show stopper in modern world.
  • Once again checked IPv6 configuration stuff, now everything is working as expected. Yet I got a few things to wish about the IPv6 loggin with ZyWall USG 50.
    When using IPv6 DHCP:
    > netsh int ipv6 show int 11
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled

    Interesting point is that you can't manually set those options on simultaneously in Windows. You either have Router Discovery or ManagedAddress enabled. But when RD is on and RA message announces DHCPv6 then MAC is also automatically enabled. It's kind of confusing at all on user interface level.
    When using Windows you can check neighbourhood cache using:
    netsh interface ipv6 show neighbors
    If you mess up your IPv6 configuration you can completely reset it.
    netsh interface ipv6 reset
    A reboot is required after reset.
  • ZyWall USG 50, IPv6 DHCP DHCPv6 Logging
    Yet I'm not entirely happy with the logging details when using ZyWall USG 50 DHCPv6 with IPv6:
    IPv4 DHCP log snippet:
    10   2015-04-14 01:54:07
         info                dhcp                   DHCP Request
         Requested from RANDOM(F4:58:D2:E9:09:F8)
    11   2015-04-14 01:54:07
         info                dhcp                   DHCP ACK
         DHCP server assigned to RANDOM(F4:58:D2:E9:09:F8)

    There you can see the MAC vs IP relation very nicely. But when using IPv6...
    IPv6 DHCPv6 log snippet:
    11   2015-04-13 15:57:00
         info                dhcp                   DHCPv6
         DHCPv6 [solicit] Destination ff02::1:2 from fe80::9bf2:488d:34c2:a2c7
    12   2015-04-13 15:57:01
         info                dhcp                   DHCPv6
         DHCPv6 [request] Destination ff02::1:2 from
    It's nice, I know that that 'they' got now IPv6 address. But what's the global IPv6 address being assigned to it? Nobody knows. What IPv6 address was assigned to requester via DHCPv6? No information about that what so ever is stored in logs. Great, just great. DHCP is better than SLAAC with privacy extension? No, it's not. It doesn't provide any additional information at least on logging / access level in this case. Of course it's possible to manually assign IPv6 addresses using DUID and fixed address lists, but that's not exactly what I had in mind for most of the networks. Without that and bad logging, DHCPv6 is just as good as SLAAC as far as I can see. When using SLAAC without privacy extensions, each computer get's it address which contains th MAC of the NIC. Then it's easy to control per machine outbound and inbound traffic using firewall. Because you know exactly which address is being used by which computer, without any manual configuraiton. So in that sense it's also on the same line with DHCP. Machines which do have 'unknown addresses' are of course fully blocked using firewall. Of course using DHCPv6 allows usage of smaller than /64 subnets if required, yet many discussion forums metioned that there "could be" potential problems, especially if there are clients using not so great IPv6 stack and potentially missing DHCPv6 support which is required in that case.
  • I made a ticket about this logging issue to ZyXEL. I also got confirmation from ZyXEL that this is known issue with ZyWall USG 50 model (and presumably with other USG models too). The current firmware doesn't simply log enough information even if debug mode would be enabled. This issue will be fixed in future updates to the firmware.
    Related RFCs:  RFC 2473, RFC 3315, RFC 4861, RFC 6106, RFC 7113, RFC 4861, RFC 1256, RFC 4291, RFC 6343, RFC 5969, RFC 2461, RFC 2463, RFC 4443, RFC 2710, RFC 3122, RFC 2473, RFC 2765, RFC 5237, RFC 6106. kw: Router Solicitation Message, Router Advertisement Message, , Neighbor Solicitation Message, Neighbor Advertisement Message, Full dual stack and native IPv6.