John Mann's Weblog (on sng)
 

String around my finger
A 'blog to remember things I found.
I work for NIS ITS Monash University Australia.

    Wed, 03 May 2006

    au.pool.ntp.org - NTP for home / SMEs

    For machines at home, instead of configuring to use Monash's NTP servers, use a pool of public servers.

    To use this pool zone, add the following to your ntp.conf file:

    server 0.au.pool.ntp.org
    server 1.au.pool.ntp.org
    server 2.au.pool.ntp.org

    Of course, if you aren't in Australia, use the appropriate pool.

    [ /networks | # ]

    Tue, 07 Feb 2006

    XORP

    XORP is the eXtensible Open Router Platform.

    XORP already supports IPv4 and IPv6, together with BGP4+ and RIP for unicast routing, PIM-SM and IGMPv2 for multicast, and limited SNMP support.

    Similar to Zebra, but no OSPF.

    Uses verbose nested thing { label : value } configuration language, e.g. config.boot.sample.txt

    Update 07 Feb 2006
    Now does OSPF. Version 1.1 has a (BSD) Live CD.

    Being used for IP Multicast, for instance see this xorp-users thread.

    [ /networks | # ]

    Wed, 30 Nov 2005

    Network Speed Test

    The forums on Whirlpool point to several network speed test sites.

    Visualware MySpeed Server is a Java client that interacts with a special server. It is installed at various sites such as InternetFrog.com, Bigpond (expired), Optus (expired), and Me (renewed). It reports Upload and Download speed test measurements, bandwidth consistency (QOS), Max Pause and Round Trip Time (RTT).

    Oz Broadband Speed Test is a simpler scheme that just times how long it takes to download a large image from a server. No special software on the server, and Javascript on the client. Only reports Download speed.

    Test run on 30/11/2005 @ 9:52 A.M.

    Mirror: Optus
    Test type: Cable

    Your connection speed:

    kbps: 3278.9
    KB/s: 409.8625
    Mbps: 3.20205078125

    [ /networks | # ]

    Sun, 20 Nov 2005

    Optus Cable QoS - 2

    From 17th Nov 2005, the upload speed on Optus Cable has changed from 128 kbit/s to 256 kbit/s.

    This should make VoIP, videoconferencing etc much better.

    [ /networks | # ]

    Tue, 15 Nov 2005

    Optus Cable QoS - 1

    Optus Cable is asymmetric with downloads at 4-5 Mbit/s and uploads limited to 128 kbit/s. This asymmetry has strange effects on protocols which assume symmetric bandwidth.

    As a baseline, here are some results while uploading a directory full of digital photos. [ 121 pictures, 190 MB at about 1 MB per minute. ]

    [johnm@tower in]$ ping 130.194.1.1 -c 100
    100 packets transmitted, 99 received, 1% packet loss, time 99390ms
    rtt min/avg/max/mdev = 208.082/620.189/855.658/141.705 ms, pipe 2
    
    J6$ mul ping /nu=100 johnm.dyndns.org
    100 packets transmitted, 89 packets received, 11% packet loss
    round-trip (ms)  min/avg/max = 176/564/843
    
    [root@ns0a tftp]# ping -c 100 -q johnm.dyndns.org
    100 packets transmitted, 95 packets received, 5% packet loss
    round-trip min/avg/max/mdev = 400.331/644.053/871.804/131.181 ms
    

    Pinging from home PC to work seems more reliable than pinging from work to home router. The long-term smokeping stats show about a 0.5% work to home router ping loss with no other traffic.

    [ /networks | # ]

    Tue, 23 Aug 2005

    Enterprise QoS Solution Reference Network Design Guide

    See the fine list of Solution Reference Network Designs at http://www.cisco.com/go/srnd/. There is a new, Version 3.1, June 2005, Enterprise QoS SRND.

    This weighty tome (284 pages) has been updated to include e.g.

    Scavenger-class QoS DoS/Worm Mitigation Strategy
    AutoQoS VoIP (Campus)

    Chapter 1 Overview

    Chapter 2 lists, for different switch models and different edge trust types, what commands to enter, why, and the verification commands, e.g.

    Catalyst 2970/3560/3750 Conditionally-Trusted IP Phone + PC with Scavenger-Class QoS (Advanced) Model
    -- goes the whole hog allowing 5 Mbit/s of mission-critical SAP traffic.

    Chapter 3 is WAN Aggregator QoS Design

    Well worth a read !!

    [ /networks | # ]

    Fri, 05 Aug 2005

    InternetNZ unveils software for Enum

    ENUM PUA Prototype Software Release

    InternetNZ announces the release of ENUM Personal User Agent Prototype software under Open Source BSD Licence.

    "Personal User Agents (PUA) are software programs which act like firewalls; automatically filtering requests for ENUM contact information and deciding what information to release and how incoming calls will be directed based on rules that look at the inbound identity of the caller. This protects the consumer from address harvesting or privacy breaches."

    http://www.internetnz.net.nz/public/enum/pua/README.txt

    ... Installation The system integrates with Asterisk - the Open Source PBX! (www.asterisk.org). ...

    My guess is that to filter requests for ENUM contact information and to control routing of calls, the information must be stored locally, and not published in the DNS (apart from some generic "send everything to the gateway box" info).

    [ /networks | # ]

    Thu, 21 Jul 2005

    Australian ENUM Trial

    ENUM is using the DNS to store data (indexed by reversed dotted-digit E.164 telephone-like numbers) that contains a collection of contact information.

    The DNS resource records contain regular expression based rewrite rules that rewrite, then redirect or answer the query.

    See RFC 3761 "The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)" and RFC 2915 "The Naming Authority Pointer (NAPTR) DNS Resource Record". Example:

       $ORIGIN 3.8.0.0.6.9.2.3.6.1.4.4.e164.arpa.
         ;; order pref flags service regexp         replacement
          NAPTR 10 100 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .
          NAPTR 10 101 "u" "E2U+h323" "!^.*$!h323:info@example.com!" .
          NAPTR 10 102 "u" "E2U+msg" "!^.*$!mailto:info@example.com!" .
      
       This describes that the domain 3.8.0.0.6.9.2.3.6.1.4.4.e164.arpa. is
       preferably contacted by SIP, secondly via H.323 for voice, and
       thirdly by SMTP for messaging.  

    AARNet now run an ENUM Registrar Trial Service and are taking registrations in +615900xxxxx (a non-telephone number range).

    I now have an ENUM, +61 590 000 007.

      $ dig NAPTR 7.0.0.0.0.0.0.9.5.1.6.e164.arpa
         ;; order pref flags service regexp                       replacement
         NAPTR 1 10 "u" "E2U+msg" "\"!^.*$!mailto:John.Mann_its.monash.edu.au!\"" .

    I don't know of anything that uses this information yet.
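
    The lookup described in this post, as an added Python example (not from the original post or from any ENUM client): it builds the e164.arpa name, orders the NAPTR records, applies each regexp rewrite, and drops results whose URI scheme does not fit the advertised service, since the rewrite rule arrives from the DNS and is untrusted input. The scheme allow-list and the two CONSTRUCTED records are assumptions of this example; delimiters escaped inside the ERE are not handled.

```python
import re
from collections import namedtuple

Naptr = namedtuple("Naptr", "order pref flags service regexp replacement")

# Assumed client policy (not from the RFCs): URI schemes accepted per service.
ALLOWED_SCHEMES = {"E2U+sip": ("sip:", "sips:"),
                   "E2U+h323": ("h323:",),
                   "E2U+msg": ("mailto:",)}

_QUOTED = r'"((?:[^"\\]|\\.)*)"'
_LINE = re.compile(r"\s*NAPTR\s+(\d+)\s+(\d+)\s+"
                   + r"\s+".join([_QUOTED] * 3) + r"\s+(\S+)\s*$")

def enum_domain(number):
    """Reverse the E.164 digits, dot-separate them, append e164.arpa."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + ".e164.arpa."

def parse_naptr(line):
    """Parse 'NAPTR order pref "flags" "service" "regexp" replacement'."""
    m = _LINE.match(line)
    if m is None:
        raise ValueError("not a NAPTR line: %r" % line)
    order, pref, flags, service, regexp, replacement = m.groups()
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # zone-file \x -> x
    return Naptr(int(order), int(pref), unescape(flags), unescape(service),
                 unescape(regexp), replacement)

def apply_rule(rec, aus):
    """Apply delim-ere-delim-repl-delim-flags to the '+digits' string."""
    parts = rec.regexp.split(rec.regexp[0]) if rec.regexp else []
    if len(parts) != 4:
        return None
    _, ere, repl, flags = parts
    try:
        m = re.search(ere, aus, re.IGNORECASE if "i" in flags else 0)
        return m.expand(repl) if m else None
    except (re.error, IndexError):  # malformed rule from the DNS
        return None

def resolve(number, lines):
    """Return (service, uri) pairs in (order, pref) order, dropping any record
    whose rewritten URI does not use a scheme allowed for its service."""
    aus = "+" + re.sub(r"\D", "", number)
    out = []
    for rec in sorted(map(parse_naptr, lines), key=lambda r: (r.order, r.pref)):
        schemes = ALLOWED_SCHEMES.get(rec.service)
        if rec.flags.lower() != "u" or schemes is None:
            continue  # non-terminal rule or a service this client does not speak
        uri = apply_rule(rec, aus)
        if uri and uri.lower().startswith(schemes):
            out.append((rec.service, uri))
    return out

# The three records from the RFC example quoted in the post, out of order.
PAGE_RECORDS = [
    'NAPTR 10 102 "u" "E2U+msg" "!^.*$!mailto:info@example.com!" .',
    'NAPTR 10 100 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .',
    'NAPTR 10 101 "u" "E2U+h323" "!^.*$!h323:info@example.com!" .',
]
# Constructed records: a back-reference, and a scheme that does not fit its service.
CONSTRUCTED = [
    r'NAPTR 5 10 "u" "E2U+sip" "!^\\+4416329600(..)$!sip:ext\\1@example.com!" .',
    'NAPTR 1 10 "u" "E2U+sip" "!^.*$!http://example.net/x!" .',
]

if __name__ == "__main__":
    print(enum_domain("+44 1632 960083"))
    for service, uri in resolve("+44 1632 960083", PAGE_RECORDS + CONSTRUCTED):
        print(service, uri)
```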

    [ /networks | # ]

    Thu, 19 May 2005

    IOS Undocumented Commands

    Undocumented Cisco Commands contains an extensive list of commands. Last updated $Revision: 1.87 $ $Date: 2003/12/04 13:59:29 $

    Project DOTU was the original list, but was last updated 2001.08.25.

    Cisco routers run Tcl ... http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/multi_c/mcprt4/mcdglos.htm#wp9990 Cisco IOS Configuration Guide Master Index, Release 12.1

    ... Not only Tclsh is included in Cisco high level routers, but their CLI part of the IOS is itself written in Tcl.

    Hence, the new thing is that Cisco opened the access to the Tcl shell from the CLI. Tcl actually existed in Cisco routers since the early '90s.

    TCL'ing Your Cisco Router Cisco has had Tcl in some routers for a while now, for use in providing Interactive Voice Response (IVR). ...

    [ /networks | # ]

    Thu, 31 Mar 2005

    IPv6 Netflow Accounting

    Cisco IOS NetFlow Version 9 is template-based. Templates provide an extensible design to the record format, making most of the fields optional. Each data record specifies which template it is using. There can be multiple templates defined, and I think there can be data records with different templates in an export packet.

    This is radically different from NetFlow v5 (which we currently use) which has a fixed set of fields in each data record (and only one type of data record from each collector).

    NetFlow Version 9 Flow-Record Format and RFC3954 define the fields, options and templates. Version 9 includes the fields IPV6_SRC_ADDR, IPV6_DST_ADDR, IPV6_SRC_MASK, IPV6_DST_MASK, IPV6_FLOW_LABEL, IP_PROTOCOL_VERSION (4 or 6), IPV6_NEXT_HOP, BGP_IPV6_NEXT_HOP, and IPV6_OPTION_HEADERS.

    How to configure NetFlow V9 export format.

    I don't know which of the NetFlow Partners or freshmeat projects support v9.

    pmacct promises to account and aggregate IPv4 and IPv6 traffic and do Netflow v9.
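
    The template mechanism described in this post, as an added Python example (not from the original post, Cisco or pmacct): a small collector that learns Template FlowSets and uses them to decode Data FlowSets laid out as in RFC 3954, run over an export packet that carries an IPv4 and an IPv6 template together. The packet, addresses, exporter name and source ID are constructed; options templates are ignored. Templates are cached per exporter and source ID, and data that names an unknown template is counted and skipped rather than guessed at.

```python
import ipaddress
import struct

# Field type numbers from RFC 3954; only the ones the sample uses are named.
FIELD_NAMES = {1: "IN_BYTES", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR",
               27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR", 60: "IP_PROTOCOL_VERSION"}
ADDRESS_FIELDS = {8, 12, 27, 28}

class V9Collector:
    def __init__(self):
        # (exporter, source_id, template_id) -> [(type, len)]; never shared globally
        self.templates = {}
        self.skipped = 0     # Data FlowSets dropped for lack of a template

    def parse(self, exporter, packet):
        version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 export packet")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4 or offset + fs_len > len(packet):
                raise ValueError("FlowSet length runs past the packet")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._learn(exporter, source_id, body)
            elif fs_id >= 256:
                records += self._decode(exporter, source_id, fs_id, body)
            offset += fs_len  # IDs 1-255 (options templates, reserved) ignored
        return records

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * nfields > len(body):
                break  # padding or a truncated template
            self.templates[(exporter, source_id, tid)] = [
                struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                for i in range(nfields)]
            pos += 4 + 4 * nfields

    def _decode(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid), [])
        size = sum(length for _, length in fields)
        if not size:
            self.skipped += 1
            return []
        out = []
        for start in range(0, len(body) - size + 1, size):  # trailing pad ignored
            rec, pos = {"template": tid}, start
            for ftype, length in fields:
                raw, pos = body[pos:pos + length], pos + length
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                rec[name] = (str(ipaddress.ip_address(raw)) if ftype in ADDRESS_FIELDS
                             else int.from_bytes(raw, "big"))
            out.append(rec)
        return out

def build_sample_packet():
    """Constructed packet: two templates, a record for each, one orphan FlowSet."""
    def flowset(fs_id, body):
        pad = -(len(body) + 4) % 4
        return struct.pack("!HH", fs_id, len(body) + 4 + pad) + body + bytes(pad)
    def template(tid, fields):
        flat = [tid, len(fields)] + [v for f in fields for v in f]
        return struct.pack("!%dH" % len(flat), *flat)
    ip = lambda text: ipaddress.ip_address(text).packed
    t4 = template(256, [(8, 4), (12, 4), (1, 4), (60, 1)])
    t6 = template(257, [(27, 16), (28, 16), (1, 4), (60, 1)])
    r4 = ip("192.0.2.1") + ip("198.51.100.2") + struct.pack("!IB", 1500, 4)
    r6 = ip("2001:db8::1") + ip("2001:db8::2") + struct.pack("!IB", 9000, 6)
    header = struct.pack("!HHIIII", 9, 5, 1000, 1112227200, 1, 42)
    return (header + flowset(0, t4 + t6) + flowset(256, r4)
            + flowset(257, r6) + flowset(300, bytes(8)))
```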

    [ /networks | # ]

    Thu, 17 Mar 2005

    Cisco Catalyst 3750 software

    Catalyst 3750 Release Notes [Please read before downloading]

    http://www.cisco.com/cgi-bin/tablebuild.pl/cat3750-crypto

    http://www.cisco.com/cgi-bin/tablebuild.pl/cat3750

    http://www.cisco.com/cgi-bin/tablebuild.pl/cat3750-3DES-beta

    http://www.cisco.com/cgi-bin/tablebuild.pl/cat3750-beta

    [ /networks | # ]

    Tue, 15 Mar 2005

    IPv6 DNS

    David Carmean wrote on the 6bone list:

    You want the DNAME record:

    http://www.isc.org/pubs/tn/isc-tn-2002-1.html

    1.4. A very simple solution to this is the use of DNAME RR's (see [RFC2672]) to effectively "tail-rename" portions of the interim (IP6.INT) namespace into the standard (IP6.ARPA) namespace.

    So for 2001:388:608c::/48
    $ORIGIN c.8.0.6.8.8.3.0.1.0.0.2.ip6.int.
    ...
            DNAME  c.8.0.6.8.8.3.0.1.0.0.2.ip6.arpa.
    

    Also see http://www.ietf.org/internet-drafts/draft-huston-ip6-int-01.txt

    [ /networks | # ]

    Wed, 02 Feb 2005

    SmokePing

    http://people.ee.ethz.ch/~oetiker/webtools/smokeping/index.en.html

    SmokePing is a deluxe latency measurement tool. It can measure, store and display latency, latency distribution and packet loss. SmokePing uses RRDtool to maintain a long-term datastore and to draw pretty graphs, giving up to the minute information on the state of each network connection.

    SmokePing uses latency measurement plugins for seamless extendability.

    Now live at http://mrtg.its.monash.edu/cgi-bin/smokeping.cgi

    Note: probes::SSH calculates latency using POSIX::times ticks/100. This should probably be /1000 on Linux, and another /8 to allow for the multiple round-trip times in a ssh-keyscan probe.

    see also EchoPing
    http://echoping.sourceforge.net/

    see also SpeedyCGI
    http://daemoninc.com/speedycgi/

    see also fping
    http://www.fping.com/

    [ /networks | # ]

    Wed, 08 Dec 2004

    Windows to CUPS 2

    Even after following previous instructions, I was having problems.

    After a reboot, or a cups upgrade, printing from Windows would stop working! The failure was silent from the Windows client point of view - print job just disappears!

    There is a message in /var/log/cups/error_log, e.g.
    E [05/Dec/2004:21:12:36 +1100] print_job: Unsupported format 'application/octet-stream'!
    I [05/Dec/2004:21:12:36 +1100] Hint: Do you have the raw file printing rules enabled?
    
    The following line from /etc/cups/mime.types was being commented out:
    application/octet-stream
    
    Found offending code! "/etc/init.d/cups start" calls /usr/sbin/printconf-backend, which imports /usr/share/printconf/util/backend.py which contains:
    def adjust_mime_types (allow_octet_stream):
        """Set or unset 'application/octet-stream' in the mime.types file.
        It needs to be set if there are any raw queues."""
    

    The critical part is that it unsets 'application/octet-stream' if there are no raw queues. So, define a raw queue, even if you never explicitly use it.

    [ /networks | # ]

    Tue, 30 Nov 2004

    addns.pl

    http://www.funtaff.com/software/addns.pl/
    Addns.pl is a fully equipped DynDNS.org updater, written in perl for most Unix/Linux operating systems.

    • Multiple configurations and hosts in a single setup
    • Automatic IP detection using UNIX network interfaces
    • Web IP detection & configurable router IP detection
    • Optional persistent automatic updating mode (ie. in place of cron)
    • Abuse prevention (via log)
    • Logging

    Used for johnm4.dyndns.org.

    [ /networks | # ]

    Sun, 21 Nov 2004

    IP Multicast

    How to connect to the MBone
    http://www.live.com/mbone/

    Also: UMTP LiveGate, multikit, liveCaster

    Multicast ISP list
    http://www.multicast-isp-list.com/

    http://www.multicasttech.com/

    http://www.multicasttech.com/faq/

    http://www.multicasttech.com/status/mbgp.sum

    OnTheI Multicast Streaming Audio
    http://www.onthei.com/

    America Free & Creative Commons TV
    http://www.americafree.tv/
    http://www.americafree.tv/downloads/

    TeleSuite virtual conference systems
    http://www.telesuite.com/products/products.htm
    http://www.telesuite.com/products/420m.gif

    [ /networks | # ]

    VNC

    TightVNC
    http://www.tightvnc.com/index.html
    Windows, Linux and Java.

    New Tight encoding is optimized for slow and medium-speed connections.

    -via gateway
    Automatically create encrypted TCP tunnel to the gateway machine before connection, connect to the host through that tunnel.

    vncviewer -via gateway host
    vncviewer -via host localhost

    Ultr@VNC
    http://ultravnc.sourceforge.net/
    NT Domain and Active Directory based security. Other Windows features.

    uVNC
    http://www.sics.se/~adam/uvnc/
    VNC is not restricted to remotely displaying computer desktops. It is also possible to export a display from embedded systems without any graphics hardware, much less a physical screen.

    uVNC can run on 8-bit microcontrollers. The uVNC code uses the uIP TCP/IP stack in order to be able to communicate over the Internet.

    [ /networks | # ]

    x-desktop

    http://www.x-desktop.org/
    This project comprises a library for developing thin client application frontends using a browser. It helps developers creating (neat) application interfaces (GUI) for inter/intra- and extranet applications.

    x-desktop features:
    • 100% Browser based & no plugins required
    • Supports all Operating Systems providing a DOM2 / Javascript Support Browser
    • Simple, well documented Object Interface
    • Customizable desktop & window skins
    An x-desktop is created with Javascript function calls, windows within desktop are html files ...

    [ /networks | # ]

    Fri, 08 Oct 2004

    JXTA - P2P Java

    http://www.jxta.org/
    JXTA technology is a set of open protocols that allow any connected device on the network ranging from cell phones and wireless PDAs to PCs and servers to communicate and collaborate in a P2P manner.

    JXTA peers create a virtual network where any peer can interact with other peers and resources directly even when some of the peers and resources are behind firewalls and NATs or are on different network transports.

    http://www.sys-con.com/story/?storyid=44244 http://www.sys-con.com/story/feedback.cfm?storyid=44244

    What's the ONE thing that P2P can do that client/server can't?
    It's that the Client can be a Server.
    WHY would the client want to be a server?
    To share information. Easily and in different and even complex (only JXTA can do this) ways, in a 'User to User' way. In anonymous file-sharing there is an innate loss of wanting to share files. In a User to User perspective, there is an immediate desire to share.
    There's the Benefit, and the complexity which only JXTA can handle.

    [ /networks | # ]

    Wed, 06 Oct 2004

    Stager

    http://stager.uninett.no/
    Stager is a generic tool for storage, aggregation and presentation of network statistics. Stager consists of a web application for data presentation, and a perl back-end for data storage and aggregation.

    The back-end provided with Stager 1.0 Beta is tailored to work with IP flow data like NetFlow and IPFIX.

    Part of SCAMPI - A Scaleable Monitoring Platform for the Internet http://www.ist-scampi.org/

    [ /networks | # ]

    tkwifi

    http://tkwifi.sourceforge.net/
    tkwifi is a Perl-Tk application to monitor your Wireless and Ethernet connections, and switch between them. It also offers something called "Profiles", which is a list of SSIDs and WEP keys that you can use to connect to private or secure networks.

    [ /networks | # ]

    Wed, 22 Sep 2004

    Console concentrator logging
    http://freshmeat.net/projects/conserver/
    http://www.conserver.com/
    Conserver is the daemon that manages remote access to system consoles by multiple users via the console(1) client program and logs all console output. It can connect to consoles via local serial ports, terminal servers that allow network access, or to any external program.

    http://freshmeat.net/projects/conc/
    http://www.jfc.org.uk/software/conc.html
    Conc is a console concentrator for Linux and Gnome. It features remote maintenance of systems over IP, and concurrent connections to consoles. Serial lines on multiple machines may be pooled into one system allowing a virtually unlimited number of consoles to be managed - ideal for large server farms, clusters or off-site server rooms.

    [ /networks | # ]

    Thu, 16 Sep 2004

    DynDNS.org
    Account jm493.

    Dynamic DNS
    The Dynamic DNS service is ideal for a home website, file server, or just to keep a pointer back to your home PC so you can access those important documents while you're at work. Using one of the available third-party update clients you can keep your hostname always pointing to your IP address, no matter how often your ISP changes it.

    Hostname: johnm4.dyndns.org
    Linksys WRT54G router configured to automatically update DynDNS address.

    Static DNS
    Hostname: johnm.dyndns.org

    WebHop
    The WebHop Redirection service is a web redirection service, which complements our Dynamic DNS and Static DNS services. The web redirection allows you to alias your long, hard-to-remember, ugly URLs to a short hostname within one of our offered subdomains. We offer this service, for up to five (5) hostnames, free to the Internet Community.

    Hosts can be cloaked, hiding the true URL of your site from end users, or uncloaked. Cloaking for credited users (any purchased credit applies) is totally invisible, but non-credited users with cloaked WebHops will have a pop-up ad displayed.

    Mozilla happily blocks the pop-up ad. Cloaked Web site

    [ /networks | # ]

    Sun, 12 Sep 2004

    Windows to CUPS
    http://www.tldp.org/HOWTO/Debian-and-Windows-Shared-Printing/sharing_with_windows.html#share_cups_config
    The basic problem is that in the Unix model, applications create print files in whatever generic format they wish (e.g. PostScript), and the print system spools it as-is and changes it into whatever (binary print stream) the printer needs just before sending it to the printer.

    On the other hand, in the Windows world, each application calls a print driver to create the binary print stream that the destination printer needs, and the print system blindly shuffles the bytes to the correct place.

    So, a Unix print system given an application/octet-stream doesn't understand what format it is, and doesn't know how to translate it into what the printer needs.

    You must configure CUPS to accept the pre-formatted output by uncommenting the following line from /etc/cups/mime.convs:

    application/octet-stream   application/vnd.cups-raw   0   -
    
    Also uncomment the following line from /etc/cups/mime.types:
    application/octet-stream
    
    And then print via Samba

    Also, http://networking.earthweb.com/netsecur/print.php/10951_2236011_2 it should be possible to directly print to a CUPS printer from Windows via a URL like

    http://192.168.1.2:631/printers/hplaserjet 
    

    [ /networks | # ]

    Fri, 10 Sep 2004

    TraceProto

    http://traceproto.sourceforge.net/
    Traceproto is a traceroute replacement written in C that allows the user to specify the protocol and port to trace to. It currently supports tcp, udp, and icmp traces with the possibility of others in the future.

    see also http://michael.toren.net/code/tcptraceroute/ http://www.mainnerve.com/lft/ http://wiki.hping.org/

    [ /networks | # ]

    BGP Looking Glass
    Lists:
    http://www.nanog.org/lookingglass.html
    http://www.traceroute.org/ (traceroute)
    http://www.mkm.ro/lg/

    http://looking-glass.connect.com.au/
    http://looking-glass.optus.net.au/
    http://lg.roedu.net/lg

    [ /networks | # ]

    BGP to South Africa
    musa-gw extract

    router bgp 19232
     neighbor 32.113.103.65 remote-as 2686
     neighbor 32.113.103.65 description BGP to zajhbg2101er2 AT&T
     neighbor 168.209.120.173 remote-as 3741
     neighbor 168.209.120.173 description BGP to IS, route advertisement session
     neighbor 168.209.255.250 remote-as 3741
     neighbor 168.209.255.250 description International feed from IS
    
    But AT&T route gets lost
    http://looking-glass.optus.net.au/
    BGP routing table entry for 168.210.50.0/24, version 2285181011
    Paths: (3 available, no best path)
      Not advertised to any peer
      7473 3561 1273 3741 19232, (aggregated by 19232 168.210.50.94)
        203.208.148.57 (inaccessible) from 203.202.143.24 (203.202.143.24)
          Origin IGP, localpref 52, valid, internal, atomic-aggregate
          Community: 7473:12075 7474:1403
          Originator: 203.202.143.15, Cluster list: 0.0.0.1
      7473 3561 1273 3741 19232, (aggregated by 19232 168.210.50.94)
        203.208.148.57 (inaccessible) from 203.202.143.19 (203.202.143.19)
          Origin IGP, localpref 52, valid, internal, atomic-aggregate
          Community: 7473:12075 7474:1403
          Originator: 203.202.143.15, Cluster list: 0.0.0.1
      7473 3561 1273 3741 19232, (aggregated by 19232 168.210.50.94)
        203.208.148.57 (inaccessible) from 203.202.143.20 (203.202.143.20)
          Origin IGP, localpref 52, valid, internal, atomic-aggregate
          Community: 7473:12075 7474:1403
          Originator: 203.202.143.15, Cluster list: 0.0.0.1
    
    No mention of 3741 anywhere. Is the /24 being filtered, or hidden in a 168.210.0.0/16 aggregation ...
    BGP routing table entry for 168.210.0.0/16, version 2286661526
    Paths: (3 available, best #3)
      Not advertised to any peer
      7473 3356 7018 3741
        203.208.148.5 from 203.202.143.20 (203.202.143.20)
          Origin IGP, localpref 53, valid, internal
          Community: 7473:12065 7474:1403
          Originator: 203.202.143.16, Cluster list: 0.0.0.1
    ...
    

    [ /networks | # ]

    Wed, 08 Sep 2004

    Nest

    http://www.targeted.org/nest/
    Nest 3.0, point-to-point IP VPN tunnel for FreeBSD
    Uses IP packets (default protocol 99, ipip), or icmp echo request (out), icmp echo response (in) packets to bypass firewalls.

    [ /networks | # ]

    OpenVPN
    http://openvpn.sourceforge.net/
    OpenVPN is a full-featured SSL VPN. Can tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port, (default is UDP port 5000).

    http://projects.drzeus.cx/openvpn-initscripts/
    http://projects.drzeus.cx/openvpn-server/
    Add-on tools for OpenVPN

    [ /networks | # ]

    OpenSSH
    http://www.openssh.com/
    Can be used to setup port-forwarded reverse links, e.g.

    blowie4$ ssh -R 2022:blowie4.its.monash.edu:22 johnm4.its.monash.edu
    johnm4$ ssh -p 2022 localhost
    
    or port-forwarded forward links, e.g.
    johnm4$ ssh -L 2022:blowie4.its.monash.edu:22 sg1.its.monash.edu
    johnm4$ ssh -p 2022 localhost
    
    will make an ssh connection back in to blowie4.

    [ /networks | # ]

    Sat, 04 Sep 2004

    PasTmon - The Passive Application Response Time Monitor

    Sniffs network traffic to determine application response.

    http://pastmon.sourceforge.net/

    [ /networks | # ]

    Wed, 01 Sep 2004

    OpenVMPS

    VMPS (VLAN Management Policy Server) is a way of assigning switch ports to specific VLANs based on MAC address of connecting device.

    http://vmps.sourceforge.net/

    [ /networks | # ]

    chownat

    chownat (pronounced "chone nat") allows two machines behind two different NATs to communicate with each other.

    http://chownat.lucidx.com/

    [ /networks | # ]