Saturday, September 04, 2004 11:01 // SUCON'04, Technopark, Zurich, Switzerland // href
by Chris Welti
Motivation
Historically, the performance of applications running over wide area networks was very bad and people got used to this. Today there is a lot of bandwidth available and the quality is quite good. Still, performance is not as good as one might expect. Due to the large number of different entities involved in today's complex networks it is very difficult to debug end-to-end performance issues.
What is PERT
In December 2002 a group called PERT (analogous to CERT) was created to help debug such end-to-end performance issues. PERT is a virtual team of experts. There are cross-discipline experts as well as subject experts. This gives the group both a good overall view and deep insight in specific areas.
What do they do
PERT accepts reports about performance problems and analyzes the end-to-end situation. Information is gathered from all parties involved. Once problems are identified, PERT organizes the implementation of the solution, as there is often a lot of know-how and know-who involved in getting this fixed.
Performance Hints
TCP buffer size on the sender and the recipient side should be about 2MB on machines which are trying to do fast transfers over wide area links. Default is often 64k. In a real world application this caused file transfers to go from 10 MB/s to 90 MB/s. Rule of thumb: |buffer = bandwidth * round-trip time|.
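As an added illustration of the rule of thumb above (this is not code from the talk), the following computes the bandwidth-delay product for a few constructed link profiles, shows the throughput ceiling a 64k default buffer imposes (one buffer's worth of data per round trip, whatever the link speed), and prints the Linux sysctl lines that raise the socket-buffer ceiling. The link profiles and the 2x headroom factor are assumptions; the sysctl names are the standard Linux ones.

```python
# Added example: bandwidth-delay product and the throughput ceiling a
# too-small TCP buffer imposes. Link profiles below are constructed.

def bdp_bytes(bandwidth_mbit: float, rtt_ms: float) -> int:
    """buffer = bandwidth * round-trip time, expressed in bytes."""
    bits_per_second = bandwidth_mbit * 1_000_000
    return int(bits_per_second / 8 * rtt_ms / 1000)


def window_limited_rate_mbit(buffer_bytes: int, rtt_ms: float) -> float:
    """Throughput when the sender may keep at most buffer_bytes unacknowledged:
    one buffer per round trip, independent of the raw link speed."""
    return buffer_bytes * 8 / (rtt_ms / 1000) / 1_000_000


def recommended_buffer(bandwidth_mbit: float, rtt_ms: float, headroom: float = 2.0) -> int:
    """BDP with headroom for RTT jitter, rounded up to a 4 KiB multiple (headroom is an assumption)."""
    raw = bdp_bytes(bandwidth_mbit, rtt_ms) * headroom
    return int(-(-raw // 4096) * 4096)


def sysctl_lines(max_buffer: int) -> list:
    """Linux sysctls that raise the socket-buffer ceiling (standard knob names;
    the min and default columns are left at common values)."""
    return [
        f"net.core.rmem_max = {max_buffer}",
        f"net.core.wmem_max = {max_buffer}",
        f"net.ipv4.tcp_rmem = 4096 87380 {max_buffer}",
        f"net.ipv4.tcp_wmem = 4096 65536 {max_buffer}",
    ]


# constructed link profiles: (name, Mbit/s, round-trip time in ms)
LINKS = [
    ("LAN", 1000, 0.5),
    ("national WAN", 1000, 16),
    ("transatlantic", 1000, 90),
]


def report(default_buffer: int = 64 * 1024) -> list:
    """One row per link: BDP, what a 64k buffer can reach, and the suggested buffer."""
    rows = []
    for name, mbit, rtt in LINKS:
        ceiling = min(mbit, window_limited_rate_mbit(default_buffer, rtt))
        rows.append({
            "link": name,
            "bdp_bytes": bdp_bytes(mbit, rtt),
            "rate_with_default_mbit": round(ceiling, 1),
            "recommended_buffer": recommended_buffer(mbit, rtt),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    print("\n".join(sysctl_lines(recommended_buffer(1000, 90))))
```

On the 16 ms national link the 64k default caps a gigabit path at roughly 33 Mbit/s, which is why the 2MB figure in the hint above is the right order of magnitude there; on the 90 ms path the same default yields under 6 Mbit/s.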
Duplex mismatch. This is mostly caused by hand-configured duplex settings on network cards. If one side is configured by hand, this normally causes the other side to automatically assume it is on a half duplex link, regardless of the actual manual settings. Rule: always have both sides either manual or auto-negotiated.
Internal buffers of SSH are too small for fast transfers over fast, high-latency links (see first rule). They need to be adjusted at compile time! See also (www.psc.edu ...) for more on this.
Small txqueuelen for Gigabit Ethernet adapters on Linux. Make it larger: |ifconfig eth0 txqueuelen 1000|.
Large round trip times for
Methodology
After identifying the network path, entities and technologies involved, PERT applies a divide-and-conquer approach to home in on the bottleneck.
Join the Effort
Saturday, September 04, 2004 13:02 // SUCON'04, Technopark, Zuerich, Switzerland // href
by Rik van Riel
CKRM (Class-based Kernel Resource Management) is a framework for assigning resources to processes and network connections. Resources can be CPU time, memory, disk IO bandwidth and inbound socket connections. Additional virtual resources like "number of tasks" make the prevention of fork-bombs possible.
In contrast to other resource management systems, CKRM comes with a virtual filesystem |/rcfs| which can be used to get information but also to configure the resource classes. The rcfs supports normal permissions to govern access rights. Users can use the system for fine-grained control of their own resources on the system. If I have the right to use 50% of the CPU with my processes, I can further define how these 50% are distributed among my processes.
|echo 1234 > /rcfs/task_class/tc1/target| moves process 1234 into the task class tc1.
For the automatic classification of processes and network connections there are classification engines available. For example the RBCE (Rule Based Classification Engine).
Inbound connection control can be used to protect server applications from remote denial of service attacks by assigning local addresses to a higher priority resource class.
CKRM is not yet in the mainline kernel. Several people from IBM are working on this full time. The current state of this extension is Beta level. Some interface changes can be expected when mainline kernel integration starts.
More info on (ckrm.sf.net ...)
Saturday, September 04, 2004 14:00 // SUCON'04, Technopark, Zurich, Switzerland // href
by Amon Ott
Why
Classic Access Control is not sufficient to define secure access scenarios:
The granularity is far too coarse (only user/group/other with read, write, execute).
Every user can decide the access permissions for his files.
root can do everything
Solution
Other models (not just one, but several appropriate ones) are required to describe security policies according to the requirements of the project.
RSBAC is a framework for implementing access control systems.
It can control individual users and programs as well as incoming and outgoing network connections.
The first stable version has been released in March 2000.
RSBAC can be extended with loadable modules.
Auditing and logging is supported at every level.
Architecture
Subjects - are processes acting on behalf of a user.
Object Types - like FILE, DIR, PROCESS, USERS, NETDEV, ...
Requests - abstraction of what a subject wants to do with an object (e.g. R_LINK_HARD, ...).
RSBAC acts on system calls. When a system call is received, the call gets intercepted and passed on to the decision-making facility where a decision is taken if the system call should be performed or not. Once a system call is performed a notification is generated so that the access control system knows what is happening and can take this into account for further decisions.
Models
RSBAC supports a number of different access control models.
AUTH - Can be used to restrict which UIDs a process can change to.
Role Compatibility (RC) - Subjects and objects are sorted into roles and object types. The rules are then described based on the roles and object types. This makes it simple to keep rules stable even though users and objects change.
ACLs - Who may access which object with which rights. RC Roles can be used in this.
File Flags (FF) - Secure Delete, Append Only.
Linux Capabilities (CAP) - lets you control normal Linux capabilities from outside the process.
Process Jails (JAIL) - Like BSD Jails (the better chroot)
Resource Control (RES) - File size, Memory, CPU time, ...
Pageexec (PAX) - anti stack smashing ...
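To make the decision flow described under Architecture and the stacking of models listed above concrete, here is an added toy model (not RSBAC code, and not how the kernel patch is written): a system call becomes a (subject, object, request) triple, an RC-style module and an FF-style module each vote, and a single NOT_GRANTED from any module denies the call while DO_NOT_CARE means the module has no opinion. The role names, object types, file paths and the RC rule table are constructed; the R_* request names follow RSBAC's naming (R_LINK_HARD appears above). The rule table deliberately contains a mistake (it lets the admin role open a log for writing) so the append_only flag of the second model is what stops the truncation.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added toy model of an RSBAC-style decision path. Names are illustrative.


class Decision(Enum):
    GRANTED = "GRANTED"
    NOT_GRANTED = "NOT_GRANTED"
    DO_NOT_CARE = "DO_NOT_CARE"   # this model has no opinion on the request


@dataclass(frozen=True)
class Subject:
    pid: int
    uid: int
    rc_role: str                  # role assigned by the RC model


@dataclass(frozen=True)
class Obj:
    kind: str                     # FILE, DIR, PROCESS, ... (object type)
    name: str
    rc_type: str                  # object type as the RC model sees it
    ff_flags: frozenset = frozenset()   # flags as the FF model sees them


# requests that change an object; names follow RSBAC's R_* convention
WRITE_LIKE = {"R_WRITE_OPEN", "R_APPEND_OPEN", "R_TRUNCATE", "R_DELETE", "R_LINK_HARD"}


def rc_decide(subject: Subject, obj: Obj, request: str, rules: dict) -> Decision:
    """Role Compatibility: rules map (role, object type) -> set of allowed requests."""
    allowed = rules.get((subject.rc_role, obj.rc_type))
    if allowed is None:
        return Decision.NOT_GRANTED          # no rule for this pair at all
    return Decision.GRANTED if request in allowed else Decision.NOT_GRANTED


def ff_decide(subject: Subject, obj: Obj, request: str) -> Decision:
    """File Flags: append_only forbids every write-like request except appending,
    read_only forbids all of them; anything else is none of this model's business."""
    if "append_only" in obj.ff_flags and request in WRITE_LIKE - {"R_APPEND_OPEN"}:
        return Decision.NOT_GRANTED
    if "read_only" in obj.ff_flags and request in WRITE_LIKE:
        return Decision.NOT_GRANTED
    return Decision.DO_NOT_CARE


@dataclass
class ADF:
    """Decision facility: collects every model's vote and logs the outcome."""
    rc_rules: dict
    audit: list = field(default_factory=list)

    def decide(self, subject: Subject, obj: Obj, request: str) -> Decision:
        votes = {
            "RC": rc_decide(subject, obj, request, self.rc_rules),
            "FF": ff_decide(subject, obj, request),
        }
        # one NOT_GRANTED from any model denies; DO_NOT_CARE never grants on its own
        result = (Decision.NOT_GRANTED if Decision.NOT_GRANTED in votes.values()
                  else Decision.GRANTED)
        self.audit.append((subject.pid, request, obj.name,
                           {k: v.value for k, v in votes.items()}, result.value))
        return result


# constructed policy: the first level (RC) mistakenly lets admins open logs for writing
RC_RULES = {
    ("sysadmin", "logfile"): {"R_READ_OPEN", "R_WRITE_OPEN", "R_APPEND_OPEN"},
    ("sysadmin", "user_data"): {"R_READ_OPEN"},
    ("user", "user_data"): {"R_READ_OPEN", "R_WRITE_OPEN", "R_DELETE"},
}
AUTH_LOG = Obj("FILE", "/var/log/auth.log", "logfile", frozenset({"append_only"}))
HOME_FILE = Obj("FILE", "/home/alice/notes", "user_data")
ROOT = Subject(pid=1, uid=0, rc_role="sysadmin")
ALICE = Subject(pid=4711, uid=1000, rc_role="user")


def demo():
    """Run four constructed requests; returns the outcomes and the audit trail."""
    adf = ADF(RC_RULES)
    results = {
        "root opens log for writing": adf.decide(ROOT, AUTH_LOG, "R_WRITE_OPEN").value,
        "root appends to log": adf.decide(ROOT, AUTH_LOG, "R_APPEND_OPEN").value,
        "alice reads log": adf.decide(ALICE, AUTH_LOG, "R_READ_OPEN").value,
        "alice writes own file": adf.decide(ALICE, HOME_FILE, "R_WRITE_OPEN").value,
    }
    return results, adf.audit


if __name__ == "__main__":
    outcome, trail = demo()
    for k, v in outcome.items():
        print(f"{k}: {v}")
    for entry in trail:
        print(entry)
```

The audit list is what "auditing and logging at every level" looks like in miniature: each entry records who asked for what, how every model voted, and the combined result, so a denied log truncation by uid 0 is visible rather than silent.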
How to get it
Kernel patch from www.rsbac.org
Test it with the iso images from (www.adamantix.org ...)
Quote
The basic idea of RSBAC is to introduce a second level of security to make sure that errors and mistakes one makes in the first level do not lead to disaster.
Saturday, September 04, 2004 15:01 // SUCON'04, Technopark, Zurich, Switzerland // href
by Fredy Künzler
Things I learned
There is no money in ADSL. Swisscom expects the market to be saturated next year.
In summer 2005 Swisscom will offer SDSL (probably 2mb symmetrical) everywhere. It will be over-booked and availability is not guaranteed.
SDSL is like ADSL but without Voice Line on the same wire.
Bluewin 40 million loss per year.
Sunrise can only survive because of their GSM license.
There is no Money in ADSL
End user pays CHF 45.55 (+VAT)
Provider pays CHF 31.20 for the ADSL link to Swisscom. In addition to this the provider has to pay for the network bandwidth between his network and the ADSL backbone (backhaul); this costs CHF 391 for 1 Megabit/s per month. With moderate overbooking he can fit 40 ADSL customers into one Megabit. This adds another CHF 10 for each of his customers.
This means at the end of the day the ISP gets about 4 CHF per ADSL link and month.
The normal wholesale price for 1 Megabit/s connectivity is CHF 100 per Month.
What's worse, in spring 2003 WEKO got Swisscom to lower the prices they charge for ADSL connectivity by 20%. Swisscom is fighting this decision in court. If they win, all ISPs will have to pay the 'missing' 20% back to Swisscom. This will cause a great many of them to go out of business.
Monday, September 27, 2004 09:00 // Sane 2004, RAI, Amsterdam, Netherlands // href
A tutorial by Joost van Dijk.
About the IPv6 Header
It is much simpler than the IPv4 header. It has a fixed length of 40 bytes.
Rule 1: Make the frequent case fast
Complex things like fragmentation are handled with extension headers. Because IPv6 routers do not do fragmentation anyway, they can get by with just looking at the base header. Fragmentation happens in the sending host. The sender uses Path MTU discovery.
With the flow label in the header, the router can see which packets belong together without looking into the packets themselves.
Extension headers can be inserted between the IPv6 header and the payload data. These extension headers come in a predefined order. This order again ensures that the routers only have to look at the first few extension headers because only they can contain information relevant to a router.
Each header has a field called next header which defines the type of the next header.
Implementations
Most current OSes and routers support IPv6. Since Windows XP SP2 there is a production quality IPv6 implementation for Windows as well. The first prototypes were available as separate downloads from MS.
Enabling it on Windows XP SP2
netsh interface ipv6 install
IPv6 addressing
The first few bits of an IPv6 address define the type of the address. Every IPv6 interface has a link local address (private local address space).
Addresses are written as 8 colon separated tuples of 4 hex digits.
One sequence of zeros can be abbreviated to a double ::
2001:0000:0000:0000:0000:3233:da33:3ad3 becomes 2001::3233:da33:3ad3
The loop back address is ::1
Global Unicast Addresses are built like this
001 (format prefix) - 3 bit
Top Level Aggregator (e.g. RIPE) - 13 bit
Reserved (these bits could be added to the TLA or NLA field in the future) - 8 bit
Next Level Aggregator (ISP) - 24 bit
Site Level Aggregator (subnet) - 16 bit
Interface address - 64 bit
RFC 3587 obsoleted this format recently. In the future, the toplevel registrars will decide where the borders are.
Because of the hierarchical nature of addressing the routing tables will become much shorter for IPv6 routing.
Currently only 3 TLAs are defined. Today most new addresses are from the 2001:: Sub-TLA Assignment range. There you get 13 bit sub TLA and 19 bit NLA.
The 48 bit Ethernet address can be mapped to the 64 bit IPv6 interface address (first 24 bit, FFFE, last 24 bit). This is not required though. You can use a random number; just make sure you get no duplicates.
Addresses starting with 0 ending with an IPv4 address can be used for automatic tunneling.
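The addressing rules in the notes above (expansion of "::", the 48-to-64 bit mapping of an Ethernet address, and the address types a prefix reveals) implemented by hand as an added example, not code from the tutorial. It cross-checks its own results against Python's ipaddress module. One detail the notes leave out is that the mapping in RFC 4291 also inverts the universal/local bit (0x02 of the first octet) when forming the interface identifier; the code does that. The MAC addresses used are constructed.

```python
import ipaddress
import re

# Added example: IPv6 address rules from the notes, written out by hand.

HEX_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")


def expand(addr: str) -> str:
    """Expand a '::'-abbreviated address into 8 colon-separated 4-digit groups."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress(addr: str) -> str:
    """Shorten the longest run of two or more zero groups to '::' (first run wins
    a tie, a single zero group is left alone), as RFC 5952 prescribes."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_start == -1:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def eui64_from_mac(mac: str) -> str:
    """Modified EUI-64 interface identifier: first 24 bits, ff:fe, last 24 bits,
    with the universal/local bit of the first octet inverted (RFC 4291)."""
    octets = [int(x, 16) for x in re.split(r"[:-]", mac)]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    iid = [octets[0] ^ 0x02, octets[1], octets[2], 0xFF, 0xFE,
           octets[3], octets[4], octets[5]]
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """The link-local address (fe80::/10) a host derives from its MAC."""
    return compress("fe80::" + eui64_from_mac(mac))


def classify(addr: str) -> str:
    """Read the address type off the leading bits."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    if groups == [0] * 8:
        return "unspecified"
    if groups == [0] * 7 + [1]:
        return "loopback"
    if groups[0] >> 8 == 0xFF:            # ff00::/8
        return "multicast"
    if groups[0] >> 6 == 0xFE80 >> 6:     # fe80::/10
        return "link-local"
    if groups[0] >> 13 == 0b001:          # 2000::/3
        return "global unicast"
    return "other"


def matches_stdlib(addr: str) -> bool:
    """Cross-check expand/compress against the standard library."""
    parsed = ipaddress.IPv6Address(addr)
    return expand(addr) == parsed.exploded and compress(addr) == parsed.compressed


if __name__ == "__main__":
    for a in ["2001:0000:0000:0000:0000:3233:da33:3ad3", "::1", "ff02::1", "fe80::1"]:
        print(f"{a} -> {compress(a)} ({classify(a)}, stdlib agrees: {matches_stdlib(a)})")
    print("00:0c:29:aa:bb:cc ->", link_local_from_mac("00:0c:29:aa:bb:cc"))
```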
Current versions of the host dns lookup tool will find IPv6 addresses and it will do reverse lookups automatically when given a numeric address.
Multicast addresses
They start with "FF". There are some well-known addresses like
ff02::1 - all nodes on the link
ff02::2 - all routers on the link
ff05::1:3 - all DHCP servers at this site
There is a special entry in the routing table for multicast FF00::/8.
ping -c 2 -I eth0 ff02::1 will find all hosts on the local link.
In IPv6 there is a new version of the ICMP protocol (known from ping). It is now also used for the job ARP did in IPv4 and for multicast group membership management.
Get the IPv6 routing table on Linux
route -A inet6
or use the shortcut notation
route -6
Getting an IPv6 address in IPv4 land through tunneling
One way is to use 6to4 (tldp.org ...). Note that the gateway 192.88.99.1 is a global anycast address which will automatically go to the closest IPv6 gateway. The 6to4 approach requires you to have a public IPv4 address on your machine, or a NAT gateway which can do protocol 41 NAT (protocol 41 is used for 6to4 tunneling).
The new Teredo protocol allows even boxes behind a NAT gateway to get connected to IPv6. Windows XP SP2 has this feature built in. On Linux there is an implementation called miredo which can do the same.
Content © by Tobias Oetiker