September 1, 2008

Phil Windley
pjw
Phil Windley's Technometria
» WARP your WAN for Performance and Reliability

My review of Fatpipe WARP has appeared in InfoWorld.

I've had a Comcast cable Internet connection for years. Last year I got a shiny new fiber connection from Mstar. But rather than uninstall the cable connection, I asked FatPipe Networks if they'd be willing to let me perform an extended test of the company's flagship route clustering product, WARP.

WARP is a 4U, rack-mountable network appliance that allows up to three WAN connections to be aggregated without the need for complicated BGP (Border Gateway Protocol) routing configurations. The unit provides traffic load balancing over these connections, allowing both inbound and outbound traffic to take advantage of them. Being able to handle connections of varying speeds from different providers makes WARP a great choice for businesses seeking to add extra bandwidth and increase the reliability of their connectivity.

I eventually shut the Comcast connection down and now get by with the fiber connection (15 Mbps symmetric). But while I had it and the WARP set up, it was pretty cool to be able to push load onto one connection or the other.

Tags: infoworld networking fatpipe

June 24, 2008

Clint Savage
herlo
Sexy Sexy Penguins » Tech
» Okay! Who do I blame?

While I am working on a post-fudcon report.  It's kind of hard to work when the network continues to drop packets.  Currently, I’m on-site in Los Angeles, teaching a course.  Why, oh why does this happen?

Cheers,

Herlo

May 24, 2008

Tristan Rhodes
no nic
The Open Source Advocate
» Vyatta: Growing up quickly


For those of you who don't know, Vyatta is an open source network appliance that functions as a router, firewall, and VPN device, all running on a customized version of Debian Linux. I have been following the progress of Vyatta for over a year now, and things are looking very promising. The latest release is called VC4 (Vyatta Community edition) and it includes a bunch of useful new features:

  • New command shell allows you to modify Linux settings and network settings from one common interface
  • Redesign of routing protocol offers greatly improved stability and performance
  • Role-based user access
  • Equal-cost multi-path routing
  • Remote access VPN
  • Support for IP tunneling protocols
  • PPPoE support, commonly used with DSL connections
  • WAN load balancing of outbound traffic across two or more WAN-facing interfaces
  • Quality of Service policies provide congestion management and traffic conditioning
As you can see, a lot of exciting changes have been made in the short six months since the previous release. The routing improvements are related to the change from XORP to Quagga. The added QoS capabilities will make Vyatta a good fit for VoIP deployments. The only negative to this release is that Vyatta had to temporarily remove the GUI web-interface until they can integrate it, which is scheduled for July, 2008. Overall, Vyatta is becoming a compelling option for replacing some of your over-priced network equipment.

Where does Vyatta fit in my network?

Vyatta can be deployed in several places on a network. The most obvious function for Vyatta is to replace your WAN routers and branch routers. Vyatta has made it easy to compare their products versus similar Cisco routers by funding third-party studies. You can read the results versus a low-end Cisco router and a high-end Cisco router. I am hoping that their next report will be a comparison with a security device like the Cisco ASA, which has similar functionality to Vyatta (router + firewall + VPN).

Another way to deploy Vyatta is within a virtualized infrastructure like VMware or Virtual Iron (which uses the open source Xen hypervisor). These technologies are often found in data centers, and are becoming more and more popular due to the advantages of virtualization. Vyatta can take advantage of the virtualized infrastructure because it runs on the same hardware as the data center servers. This means that you can install dozens of Vyatta network appliances in your server farm using standardized hardware, as opposed to buying proprietary network gear that is severely overpriced.

Keep in mind that Vyatta will not soon replace switches with high-density ports and high-speed backplanes. In these cases, hardware ASICs are required to achieve high performance at an efficient price.



What is the Vyatta business model?

The Vyatta open source project is sponsored by a commercial entity named Vyatta. All of the source code used to create Vyatta is freely available under the BSD or GPL license. Vyatta releases a community edition once every 6-months that is completely free to use. This community edition works great for testing environments, small deployments, and budget-starved projects. However, most serious businesses using Vyatta will require access to security updates and bug fixes that come out in between the community edition releases. These businesses will want to purchase a Vyatta subscription which provides software updates, along with two levels of technical support. Vyatta also sells a few hardware appliances that include Vyatta pre-installed and certified.

The future of Vyatta

Based on the tremendous improvements Vyatta has made over the past year, it is likely that they will continue to add new features, higher scalability, and more stability to their product. Planned improvements are listed in a public road map, and users can even vote for their favorite features. Customers with paid subscriptions get more votes than non-customers.

The road-map shows that Vyatta is going to focus on security and simplicity for the next release. The security improvements include adding intrusion detection and prevention (Snort), anti-virus (ClamAV), and SSL VPN connections (OpenVPN). The simplicity improvements will include an updated web-interface, and perhaps a cross-platform, clientless, remote-access VPN using SSL.

Disclaimer: My company sells Vyatta products and services.

February 19, 2008

Phil Windley
pjw
Phil Windley's Technometria
» Undersea Cables, Connectivity, and the Gap

Laying Undersea Cable

I'm a fan of Thomas Barnett's gap-core lens for understanding world events. My simple paraphrase goes something like this: states that are part of the core (and that's a lot of them) don't make war on each other, don't sponsor state terrorism, and are, in general, predictable players on the world stage. Those who are not connected economically and culturally to the core are the trouble makers. (Tom, if I got it wrong or simplified it too much, forgive me.)

Radical Islam, when viewed through this lens, is an attempt to stall and hopefully stop the integration of Islamic states into the core. In their worldview, the core is secular, godless, and will destroy their culture. They're probably right in many respects. Other religions, including my own, have had times where their efforts to avoid integration caused lots of folks considerable heartache. Most have realized that getting past the pain requires being able to live in the world as it exists without giving up your fundamental values. We continue to have that argument on all kinds of fronts in the US, but without the overt violence.

This story about recent undersea cable damage not being an accident fits the Core-Gap model pretty well (more here). After all, the Internet is the prime tool that the Core has for connecting more of the Gap. If Barnett's theory is right, then the result will be decreased violence worldwide. Surely one can't doubt the effect of such connectivity on Eastern Europe in the 80's and on China now.

Gizmodo is dubious:

I don't know how a saboteur gets that deep to cut cables in the first place, let alone five of them, so I'm highly skeptical. I mean, come on, aren't we giving the terrorists a bit too much credit here? This isn't a James Bond movie.
From Terra: International Telecommunication Union Claims Cut Cables Were Sabotage
Referenced Tue Feb 19 2008 14:47:11 GMT-0700 (MST)

I don't think we have to imagine this being the work of run-of-the-mill terrorists. Most of the leaders of Gap states are personally motivated to restrict and resist connectivity. Their power depends on it. I don't know enough about these states to know if one or several is capable of deep sea operations sufficient to cut a cable, but it's more plausible than imagining a rogue Al Qaeda cell in Baghdad doing it.

I'll be interested to see what future inspections turn up here.

Tags: terrorism networking politics

January 14, 2008

Phil Windley
pjw
Phil Windley's Technometria
» Xen and Multiple Networks

Last Friday I asked a question about how to set up a network in Xen with a machine attached between a public and private network, like you might use in a firewall or load balancing situation. I want to be able to mimic real-world networking situations in Xen for experimentation and modeling purposes.

There were numerous replies and I'm grateful for all the help. In the end, Steve Fulling (he's not as pointy haired as you thought) came up with a pretty simple solution.

To use virt-install to create a bridged, public machine, you'd do something like this:

virt-install --paravirt --vcpus=1 --name $1 --ram 500 \
             --file /var/lib/xen/images/${1}.img \
             --network=bridge:eth0 \
             --file-size 10 --nographics \
             --location http://192.168.1.150/fedora8-i386

To use virt-install to create a private machine, you'd do something like this:

virt-install --paravirt --vcpus=1 --name $1 --ram 500 \
             --file /var/lib/xen/images/${1}.img \
             --network=network:default \
             --file-size 10 --nographics \
             --location http://192.168.1.150/fedora8-i386

The trick to getting a machine on both is to issue two --network commands:

virt-install --paravirt --vcpus=1 --name $1 --ram 500 \
             --file /var/lib/xen/images/${1}.img \
             --network=bridge:eth0 --network=network:default \
             --file-size 10 --nographics \
             --location http://192.168.1.150/fedora8-i386

There are other, more complex scenarios. For example, you might want to create multiple VLANs, etc. I found these resources helpful:

Tags: xen virtualization networking kynetx

January 8, 2008

Phil Windley
pjw
Phil Windley's Technometria
» Google's Hardware Initiatives

Here are a couple of very interesting articles about Google's home grown 10Gb Ethernet switches and how it builds its own servers.

Tags: google computers networking

December 18, 2007

Clint Savage
herlo
Sexy Sexy Penguins » Tech
» Dig this!

Hi all,

While at work today, setting up test environments for Ubuntu Gutsy (7.10), I needed to check something with the ubuntu.com DNS entries. So I ran the following:

# dig -t ns ubuntu.com

And got something very interesting and entertaining. Can you see what it was? Yes, the mythic-beasts are definitely alive and well within Ubuntu! Now that you are having fun, try these commands immediately afterward:

# dig -t ns mythic-beasts.com

And

# whois mythic-beasts.com

Note the other nameservers. Quite an entertaining 5-10 minutes of your life.

Enjoy,

Herlo

December 15, 2007

Clint Savage
herlo
Sexy Sexy Penguins » Tech
» UNIX Completes Me

Okay, okay.  I’m taking a quick break from my SUSE comparisons (and I will reply to all the comments I’ve been getting as well, keep them coming, it's great) to entertain you all with this lovely picture my friend Aaron Toponce just sent me.  I laughed out loud when I read it and knew it had to be posted online ASAP.

Sorry Aaron if I am stealing your thunder….

unix_completes_me_sm.jpg

Enjoy,

Herlo

December 14, 2007

Clint Savage
herlo
Sexy Sexy Penguins » Tech
» Distro Comparison: openSUSE 10.3 first impressions

I don’t know if I can last an entire week with openSUSE 10.3. I can’t believe I even thought it possible. I am jonesing for Fedora right now, even though any other distro would probably do…

What’s wrong with SUSE you ask? Just about EVERYTHING! I’m not comfortable at all in this rancid environment. It sucks the life right out of you. I hope some SUSE people come running to save me from this turmoil I feel as I currently hate using this distro. Here are my first impressions: (beware, the list is rather long)

GOOD

The items below are positives and the openSUSE team deserves credit for all of their hard work in these areas.

  • Wireless works (+1)
    • My Intel wireless card from my T60p is recognized and associates with my access points
  • The nautilus-open-terminal package is enabled by default (+2)
    • This is the right-click on desktop –> Terminal option, (something severely lacking in fedora and not easily installed in a kickstart)
    • Having this feature, it's very simple to get started with the terminal which is definitely needed for the power user in me
  • Install allowed me to choose not to use their grub (0) [while this is nice, if I had installed their grub, it would have wiped out my fedora grub components]
  • zypper is much improved over the previous rug (10.1) tool (+1)
    • still needs work though
    • easy to add repos compared with fedora
      • packagekit can solve much of the incontinuity in fedora
      • though it's nice to have a simple gui to add repos, knowing which repos is still a bit of an exercise in futility.

Positive Score: +4

BAD

While there is some good in openSUSE, it's apparent to me that there is much to be improved.  As noted below, many more things are in need of improvement, to put it nicely.

  • The install takes much longer than necessary (-3)
    • Still uses ugly YAST text user interface
      • YAST didn’t recognize my video driver, but could have just used the VESA driver for the gui install
    • Asks too many questions about details that could easily be simpler
    • Did not work well with other OSes (GRUB)
      • YAST installer wanted to overwrite my fedora GRUB configuration, shouldn’t Linux play well with each other in this sense?
  • One-click install is more like 10-click (-1)
    • From opensuse.org, you can do what is called a “one-click install”, and about 8-10 clicks later it's installed. If it's one-click, it should be one (maybe two) clicks total.
  • The initial GNOME config of openSUSE is too Windows-like (-1)
    • If I wanted my Linux desktop to look like Windows, I’d use KDE (or even run Windows)
    • It has only one bar, and at the bottom, not enough room for status apps
    • I had to add workspaces as only one was provided by default, that seems limiting
  • bluez-gnome doesn’t have hidd or any sort of recognition for my bluetooth mouse (or anyone’s bluetooth mouse, for that matter) (-2)
  • The bash prompt is ugly - (0)
    • This one is a personal preference, but it's hard to tell when I am the root user and when I am not. As such, I will modify my .bashrc and fix the PS1 value
  • The wireless driver for my T60p is not the new iwl3945, but the ipw3945 proprietary from intel - (-1)
    • The open driver has been out for quite some time
    • Proprietary codecs were not easy to find, nor install (0)
      • Fedora doesn’t make this simple either really.  Yet, when I found them in Fedora they worked first try, gstreamer failed miserably several times in openSUSE
      • an attempt at a codec buddy like tool was made, but doesn’t work…
    • zypper does not inform you of the dependencies needed to install even though it reports how much it will download (-1)
      • I want to know what packages I’ll be installing before I install them

    Negative Score: -9

    Total score for day 1:  -5 OOPS - that’s not good!

    To be honest, I think I’m being very generous in some of the points I’m giving.  OpenSUSE makes it very difficult for my lifestyle so far.  I’m not sure what they can do with 10.3 to make it better, but I’d like to hear comments and suggestions on ways to help.

    I’m sure hoping that day two will be better.  I’m already starting my list and will be testing such things as; video, development, lvm, raid, kvm/xen virtualization and much, much more.  As I continue to suffer through this bluetoothless mouse world openSUSE has created for me.

    Cheers until tomorrow,

    Herlo

    October 9, 2007

    Clint Savage
    herlo
    Sexy Sexy Penguins » Tech
    » SCTP - a new replacement for TCP (or UDP)

    Recently, I’ve been quite overwhelmed with keeping up with my latest ambition, the Utah Open Source Foundation, which has made it a bit difficult to keep up on my blog here. I’ll be doing some updates to this blog soon and you should start seeing regular updates from me here in the very near future.

    In the meantime, I’ve got a post that may knock your socks off! If you’ve not yet heard about it, there’s a new transport protocol on the way, and it's called Stream Control Transmission Protocol (SCTP). It's an amazing new way of looking at the network, providing multi-stream transmissions through one port.

    Have you ever thought it would be nice to take three network connections, one ethernet, one fiber and one wireless and bond them?  What about using those three connections to stream video?  Or to manage data on one and have a control connection on another?  TCP/UDP can’t really do this for you without some external elements, but SCTP might just be the thing you’re looking for, and it's already here.  Currently in testing, SCTP looks to be a great replacement (augmentation) to the already popular TCP and UDP protocols.

    Linux Journal is doing a 3 part series on this protocol which started in last month's article: Introduction to Stream Control Transmission Protocol.  This article is a quick look into how this protocol works.  The follow-up, in this month’s issue (not yet available for non-subscribers) talks about how the protocol is implemented in the Linux kernel and even gives some good code references.

    I suggest you take a look at SCTP if you’ve not yet heard of it.  I am very excited to see where this protocol could take us in the future.


    October 3, 2007

    Tristan Rhodes
    no nic
    The Open Source Advocate
    » Digium is doing things right


    Background


    Digium is the company behind Asterisk, the popular open source PBX. Digium was founded in 1999 by Mark Spencer, the creator of Asterisk. Since then, Asterisk has been deployed around the world on millions of computers. Despite that fact, Asterisk still does not have a large market share of the PBX market. Why is this? In the past, there were many reasons for this:

    • No brand recognition of Asterisk
    • No proven track record of successful implementations
    • Commercial support was needed
    • No Linux expertise on staff
    • Afraid to use open source software

    These concerns were once valid, but today most of them have been addressed by Digium.


    They made Asterisk easy to use

    Digium has been working hard to overcome the historically steep learning curve associated with implementing Asterisk. They have accomplished this with two major improvements. First, Digium created an open source software appliance called AsteriskNow! that bundled Asterisk inside a pre-configured version of Linux. Most of the work for this appliance was done by the magic pixie dust known as rPath.

    Secondly they have developed a simple web-based interface called Asterisk GUI to configure the PBX. This is a great improvement when compared to manually editing multiple text-based configuration files!

    More recently, Digium has acquired a company called Switchvox. This was done so that Digium could take advantage of the advanced GUI that Switchvox had created. The best part about this acquisition is that Digium is going to be releasing the Switchvox code under the GPL license! Check out this quote from Mark Spencer:
    So as a contrast right, look at what Fonality did. They bought an open source project [trixbox/asterisk@home] and then turned it into a proprietary product. What we are trying to do is go the other way. Take something that started out as a fully proprietary product and to try to leverage that to bring some additional technologies into open source.

    They offer professional services for Asterisk

    Digium now offers a wide range of professional services to meet the needs of any organization. This includes consulting, training, and technical support. They also offer a product called "Asterisk Business Edition", which benefits from the usability improvements listed above.

    Digium appliances


    Digium has also recently started selling a hardware appliance called the Asterisk Appliance. This appliance is designed for deployments of up to 50 users. It supports 8 analog ports, and can process 25 concurrent calls. There are no moving parts in the device, which means no hard drive to crash. Instead, it uses an upgradeable flash card to store voice-mail, greetings, configuration settings, and recorded calls. Digium offers three levels of support for the device, including a 24x7 option.

    This appliance is great, but it only serves the small business environment. I have heard that Digium is working on a larger appliance that will support hundreds of users. This is a great thing, since it will allow Asterisk to be deployed in a majority of businesses around the world. Only the largest deployments would require more than this new appliance can deliver.

    It was also recently announced that 3com would be selling a 3com branded Asterisk Appliance. This means that Asterisk will reach a much larger audience through the 3com brand. 3com is offering support services for their version of the appliance.

    What does the future hold?

    Digium has made great strides in making Asterisk both powerful and easy to use. However, one area that I see lacking is scalability. Asterisk works great for a few hundred phones, but how about a few thousand phones, like you might see at a University? The most common way to increase scalability of Asterisk systems is to use a SIP-proxy such as SER or OpenSER. For instance, the University of Pennsylvania is rolling out a 15,000 unit Asterisk-based phone system. To achieve the scalability they needed, they decided to implement SER along with Asterisk.

    How does Digium expect to support large Asterisk installations if they require a third-party SIP-proxy that doesn't even offer commercial support? My guess is that Digium will acquire a SIP-proxy like SER or OpenSER so that they can offer a complete solution without needing any third-party software.

    Another obstacle that Digium faces is Microsoft. Microsoft is about to enter the small-business VOIP market with a product called Response Point. The biggest advantage of this product is that it includes intelligent IVR, or speech recognition technology. This will allow users to dial anyone in the phone directory simply by speaking their name. This commonly used feature could persuade businesses to choose Microsoft over Digium.

    Digium has several options to respond to this threat. First, they can try to create a working system based on open source projects such as Sphinx. I have no clue as to how much work this would be, but I expect that it would be difficult and time-consuming to achieve high-quality IVR. If you know anything about the current status of Sphinx, please leave a comment. How well does it currently work? Can it provide a voice directory feature like Microsoft Response Point does?

    The second option for Digium would be to partner with a commercial IVR company. They are already partnered with Lumenvox, but I am not sure what this includes. For instance, I do not know if this will provide the voice directory feature mentioned above. I think it would be a good idea for Asterisk to provide advanced IVR functionality that is integrated with their software. The easier it is to implement the better!

    September 11, 2007

    Tristan Rhodes
    no nic
    The Open Source Advocate
    » Cisco reseller insults open source

    I just received an email from a Cisco vendor who is pitching a new product that Cisco has acquired. Within this email, the vendor discredits open source in a couple different ways. Here is some of the content of that email:

    * Scalability – Our operating system supports up to 10k simultaneous connections per appliance regardless of hardware platform. We developed our own OS (AsyncOS) and do not rely on Linux, Sendmail etc.

    * Built from the ground up as a Sendmail/open source replacement

    * Truly fire and forget – All our spam and virus fighting technology is dynamic and updated every few minutes. We do not rely on any open source technologies, all our technology is developed by IronPort. You will not spend any time updating the appliance or trying to find ways to block new spam, that’s our job.

    No thank you, Cisco. I believe that open source is something to be proud of and not the liability that you claim it to be. Cisco claims to have developed their own operating system, but I doubt that they started from scratch. What they probably did is base it on BSD-licensed code, since there is no requirement to redistribute their modifications. This is yet another reason to support the GPL over BSD-type licenses.

    July 14, 2007

    Tristan Rhodes
    no nic
    The Open Source Advocate
    » Ubuntu needs a secure remote desktop

    Introduction

    If Ubuntu wants to be taken seriously in the workplace, it needs a secure remote desktop. Many people have a need to connect to their work computer from home using remote desktop technology. Currently, the Ubuntu Remote Desktop is a front-end for VNC, which allows you to remotely manage your desktop. It works well, and a nice feature was recently added that alerts you when someone is remotely controlling your desktop.

    The Problem

    The problem is that VNC provides very little security. It does encrypt the password that you use to connect with, but all other traffic is not encrypted. This means that if someone is intercepting your traffic, it will be possible for them to watch what you are doing (including typing passwords). Another problem is that VNC has a maximum password length of 8 characters, and it does not require a username. This means that an attacker only has to guess 1 to 8 characters correctly in order to connect to your machine. If you use the Ubuntu Remote Desktop, it would be a very good idea to add a password to your screensaver.

    This lack of security will make the Ubuntu Remote Desktop a violation of many corporate security policies. Therefore, it is a barrier to the adoption of Ubuntu in the workplace.

    You Can Use Duct Tape

    You may know that there are many ways to use the current remote desktop securely. Probably the most common method is to forward the entire remote desktop session through SSH. As you can read, this method takes quite a few steps and multiple commands at the terminal prompt.
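    The SSH-forwarding method mentioned above, as an added example that is not from the original post: it assumes the work machine runs sshd and that its VNC server (vino) listens on port 5900, and that vncviewer is installed locally. The local end of the tunnel is bound to loopback so the tunnel itself does not become a new unauthenticated entry point.

```shell
#!/bin/sh
# Added example, not from the post: the "forward the VNC session through SSH"
# method wrapped in a few functions. Assumes the work machine runs sshd and that
# its VNC server (vino) listens on 5900; "vncviewer" is assumed to be installed.

# Build the ssh command that carries VNC inside the encrypted session.
#   -N  no remote shell, tunnel only      -f  background after authentication
#   -o ExitOnForwardFailure=yes  fail loudly instead of silently running without
#      the forward (otherwise vncviewer would try to connect in the clear)
#   -L 127.0.0.1:LOCAL:127.0.0.1:REMOTE  bind the local end to loopback only,
#      so other hosts on your LAN cannot ride the tunnel to the work machine
vnc_tunnel_cmd() {
  remote_host=$1
  local_port=${2:-5901}
  remote_port=${3:-5900}
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s' \
    "$local_port" "$remote_port" "$remote_host"
}

# True when nothing is already listening on the local port we want to use
# (a stale tunnel or another service would otherwise silently get the viewer).
local_port_free() {
  port=$1
  if command -v ss >/dev/null 2>&1; then
    ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
  else
    ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
  fi
}

# Open the tunnel, then point the viewer at the local loopback end only.
vnc_over_ssh() {
  remote_host=$1
  local_port=${2:-5901}
  local_port_free "$local_port" || { echo "port $local_port in use" >&2; return 1; }
  eval "$(vnc_tunnel_cmd "$remote_host" "$local_port")" || return 1
  vncviewer 127.0.0.1:"$local_port"
}
```

    Usage: `vnc_over_ssh work.example.com` (hostname is a placeholder); the VNC password still travels inside SSH, so the 8-character limit is no longer exposed to the network, though it remains weak against anyone who already has an SSH session to the host.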

    Here is what I do to connect to the Ubuntu Remote Desktop on my work computer. First, I connect to our VPN server, which encrypts all my traffic. Then I connect to my machine, which is configured to only let me connect through the VPN. To do this, I use the powerful yet simple FireStarter firewall. See my firewall config below: (I am also running FTP and TFTP services on this box)


    Long-term Solution

    Ubuntu needs to provide a secure remote desktop by default. It should not require tweaking configuration files or typing commands at the terminal prompt. One solution would be to use FreeNX, which can be installed on Ubuntu today. Another solution would be to use the SSH forwarding technique, but to hide all that complexity behind a GUI. All that users need to see is a checkbox that says "Use Encryption". In addition, the maximum password length needs to be increased, and the login should require a username.

    References

    To learn more about the security problems with Ubuntu Remote Desktop, check out these two essays:

    Vino - The Remote Desktop Project

    Vino - The Remote Desktop Project - Take 2

    May 11, 2007

    Tristan Rhodes
    no nic
    The Open Source Advocate
    » Internet Identity: Truth or Dare?

    Should I use my real identity when communicating on the internet, or should I have a separate online identity? That is the question I have been thinking about as I watch my internet footprint grow with every blog entry, blog comment, forum post, mailing list reply, and IRC chat message. (FYI - IRC chat messages are often logged and posted online.)

    I do not have a reason to keep my privacy now, but who knows what the future holds? I may have new enemies in the future that I don't want to know personal details about me. Once data is on the internet, it stays on the internet. It is usually impossible to erase your writing from the public domain.

    I can only think of two options:

    1. I can continue to use my real identity, but I must always keep in mind that what I write may be used against me in the future. This can be in the form of a job opportunity, an evil stalker, a political campaign, a business deal, or a lawsuit.

    2. Create a new nickname that serves as my online identity. I must be careful to never refer to the real identity from this one, and vice-versa. This may provide me with some more freedom of speech, but there is a possibility that my two identities will be linked. In fact, it would not be very hard for a motivated person to accomplish.

    Both options have large downsides. Is this just something that we must accept with online communication? Are there any other options that I have missed?