Internet and Technology Archives

November 14, 2004

WSIS Monday morning

Security is extremely strict. The EU and US are meeting with civil society representatives due to the Tunisian police blocking access to their meeting venue. Interesting action in for a parallel conference to the meeting on Internet transparency. Outcome yet to be known....

A pretty good description of the environment can be found at...

I also ran into Carl Malamud this morning, who told me that last night, while trying to get some photos of the moon, he got picked up by the police and questioned. Inside the actual venue there seem to be quite a few film crews though.

Progress in the continued prepcom-3 last night, with Canada leading an editorial team consisting of, among others, Canada, Singapore, India, Cuba and China. They produced a paper on which areas there was agreement on.

Prepcom-3 this morning started with a review of this paper and additions of text. Some of what was taken out last night was proposed to be put back in. Personally I find the paper from last night acceptable, although I would prefer much more clarity on many of the issues that are raised in the paper.

One of the two more controversial points seems to be the writing on what role governments should play in the management of their ccTLDs. All seem to agree that governments should not have influence over other ccTLDs than those that concern themselves. This however leaves the question of Taiwan for example, and other more general gTLDs. This text can potentially be dangerous unless there is clarity on what are considered ccTLDs and what are considered gTLDs, and what rules apply where.

The other contentious point seems to be what forum (new or existing) should deal with Internet Governance, and what is considered Internet governance. The good news is that proposed language explicitly says it should not be duplicative and not deal with day-to-day operations or technical matters.

Prepcom-3 is to resume at 16.

My general observation is that there is a complete lack of power-outlets at the conference although there is wireless...

June 12, 2005

Complex AND working websites!

Google Maps has been criticised by my US based friends. I love it! I have yet to use it for finding directions, but what I love are the satellite maps. Someone even went through the trouble of listing the most interesting sites!

A friend of mine pointed out something more interesting about the Google Maps site though. It shows that you can make a really good, useful, interesting and technically advanced site - for any web-browser. Remember Mosaic? When there was just one browser and web-sites just worked? Then came the browser wars and the web has never been the same. It's been a segregated community, but Google shows it doesn't have to be that way. Good!!!

SAS has for ages been saying that their web-site is so advanced that they can only make it run for Explorer. At the same time Lufthansa has a more advanced web-site that is faster and works on any platform. Go figure. Latest news from SAS is that they are going to "simplify it". Finally....

Oh, and I didn't spend last night reading email. I spent last night clicking through the list of sites on Google Maps and searching for my friends' houses. And the Cisco offices. And I realised I knew the building numbers on the satellite map. "You know you bought too much Cisco gear when...."

June 13, 2005

Illegal firewalls and Antipiracy

The piracy hunters in Antipiratbyrån today strike back after the loss in the verdict from the Data Inspection Agency. In an article in the Swedish Internetworld magazine, they claim that the verdict also makes firewalls illegal. They base the assumption on the fact that the verdict ruled against large scale collection of IP address information.

This is an interesting discussion. I would like to argue that there are several significant differences. Firewalls log abuse and potential illegal activity against property (networks) that the operator of the firewall directly controls and owns. Antipiratbyrån to my knowledge logs IP addresses that have "published" copyrighted material. In other words, Antipiratbyrån has logged actions taken by a third party. I would also like to argue that most firewalls do not keep their logs over time, while from what I understand Antipiratbyrån has been doing correlations of the data. Last, I also understand that Antipiratbyrån has stored information about the users of the IP addresses. I have no idea if my understanding of what Antipiratbyrån were doing is correct or not, but I do think my points show differences between widescale storage of IP address data by a third party and a firewall.

The music industry's last chance

The Washington Post and Wired are today quoting an OECD report that concludes it is difficult to link the music industry's shrinking revenues and file-sharing. This should come as no surprise. We have gotten used to software manufacturers, the music industry and the movie producers multiplying the number of shared copies with the price in the shop. This is a fundamentally flawed assumption in that with today's pricing they would most likely still have sold the numbers they do today. Perhaps a few more, but I doubt anything that would have made a real difference.

What is interesting to observe is how the music industry is continuing to drive consumers into the filesharing networks. They are still only focusing on hunting down pirate copies, instead of focusing on giving consumers what they want: an easy and affordable way to get the songs they want. The rights owning industry could have been ahead of the development instead of trying to catch up with it. It's tragic when Apple, a computer hardware manufacturer, is leading the way to give consumers the music they want.

At the same time, the iTunes store does show the power of the net. You can make money, and you can be innovative. Even post-dot-com-era. It also shows something that most of the dot-com-era companies never managed to prove: how the Internet will render the ones that can't keep up obsolete....

June 23, 2005

The horizontal convergence

I think that BT Fusion is a really interesting product. And I mean this in more than one way. It's a cool technical concept first of all, but it is also a daring change in business model from an old incumbent. Traditional POTS business models, centered around the concept of "calls", made the assumption that you could statistically predict call patterns. This meant that customers would never experience network congestion problems. This predictability led to the notion of "telco grade" network capacity. In reality this was a huge over-provisioned network that could handle the depreciation charges as long as costs could easily be matched to income under the monopolies. In reality the statistical models also often failed, for example when huge TV-shows had call-ins.

Why then is the BT product so interesting? First of all it finally shows that the statistical models are out. There is no way of knowing how often the users will migrate back and forth between the wireless networks. Imagine a sunny day and the users are going back and forth between their gardens and their kitchens. Second of all, this again shows (I hope) the clever use of financial models. The fixed line network has been depreciated for years (hopefully; and with good assistance of your tax-money), and the dominating factor in network costs should be the build-out and operation of the wireless networks. Following the traditional "non-congestion" model of voice networks, modern wireless networks are most of the time hugely over-provisioned (with the noticeable exception of New Year's Eve at midnight; funny enough wireless operators seem to get away with that). BT Fusion could be seen as a step into bringing additional use into the network.

Now, when this business model becomes interesting is when we start imagining the future. No one in their right mind doubts that the next generation wireless networks (4G) will be IP based. By this time all fixed voice will already be VoIP (we will get back to why). With IP based 4G networks, BT Fusion like products will look like the base-line. This is when these types of models start to get interesting financially. Packet based networks have the financial advantage that statistical multiplexing will allow increased utilization at marginally more capacity usage. Read: you can produce the same services as in the POTS network at a lower price. And you can throw in all those extras at no cost. Operators will need all the extra sales they can get. The fixed line operators are today stuck with maintaining an ageing network at high costs and low usage. Packet based networks will help their financial models. The temptation most seem to have fallen for so far though is called walled-gardens. The model where one operator gains a time-limited (to the contract period) monopoly on several hierarchies in the value chain. Operators still seem to believe this is a viable model. At the same time their users are doing their long-distance calls over Skype, while the traffic looks like ordinary web-surfing to the operator.

Times and business models are about to change. And the end-users are the big winners.

August 2, 2005

IETF63 Day 1

So, first day. Already started with the mistake of staying in the bar last night, trying to solve the world's problems. Had to get up for a 7.15am meeting. Was ok once I was up.

Then I was "just" going to upgrade the MySQL installation I use for the blog among other things....should have known better. Now 12 hours later it's up and working...

As for the IETF sessions, I had three presentations today. First one was on operational requirements for TLDs. A document the IAB decided to push for in DNSOPS long before I got on the IAB. While editing the document I realized that we are actually talking about two documents. One outlining the technical operations. This can be physical environment, configuration parameters etc. The important point is to document the trade-offs and the result of the trade-offs. The second document is a guidelines document for how to run registry operations such as EPP interfaces etc. The second document is a complex issue, mostly for political reasons, and it also has relatively little to do with DNS.

DNSOPS seemed to support the idea of a technical BCP for master/slave operations. What to do with the second document was left for a later discussion. The problem now is to word the document in such a way that it is not seen as a political tool that can be used for example by ICANN to determine how TLDs should behave. There is an important observation to be made that describing non-normative technical criteria is a good thing. If that is then used as a reference in a contract between entities, it's probably a good thing.

My other presentation was on Joe Abley's and my anycast BCP in GROW. Not many comments, so I guess we will last call it and then publish.

Last presentation was on shim6 status in GROW. Turned out a no-op. Geoff Huston presented an idea on how to secure route advertisement (or really reception) last in GROW. It will need some more thinking. I think it's a good idea basically because we are in such a bad state with false route advertisements today that it can hardly become worse. All ideas need to be evaluated, and if they work they need to be implemented. Geoff's idea seemed like a good intermediate step.

It's now past midnight and it's time to head to bed...

IETF Day 2 - Shim6 1/2

Just finished chairing the first shim6 slot. We managed to severely run over and are now way behind the schedule for tomorrow.

Discussions seemed to go back to work that has already been done in multi6. Especially the relations to various transport protocols seem to come back over and over. I think we have to get used to various features being replicated throughout the stack. That is a result of the compartmented stack and the fact that we have transport protocols that have very differing characteristics. It does bother me a bit that we keep having this discussion though. Shim6 will have to interact with all types of transport protocols, and that has been well understood since long ago.

There is also quite a bit of concern regarding shim6 from what is often referred to as the "operator community". This is a community that is used to having a lot of influence and to a large part consists of long time members of the general Internet community. I think that most of their concerns are close to a "not invented here" problem. I think there are use cases, and we do know that shim6 is not a drop-in replacement for PI address space and will not solve all problems with multihoming. Then again I know of no drop-in replacement for PI that scales.

What is encouraging is that there seem to be a lot of use cases that could / will benefit from a shim layer. These needs exist today and would have a real benefit from a shim layer. Unfortunately these cases are today forced to go and develop their own solutions, each at their own level in the stack. Getting these requirements written up in the applicability document will be good.

September 25, 2005

Upgraded / Changed mail-server..

So I finally had the courage to move away from my old 120MHz Pentium III mail-server. Moved to a brand new Athlon XP 2600+.

All of a sudden reading email and syncing IMAP folders over SSL over IPv6 is just.....well...fast...

I should have done this much earlier...

Internet governance

I have been following the WSIS/WGIG process on Internet governance. What strikes me is that most of what is being discussed has absolutely nothing to do with governance. Most of the discussion instead is focusing on the clerical duties of registration and process execution.

WGIG seems to focus entirely on the domain names (not entirely true, but enough to prove the point) and the accreditation problem of who owns which TLD. This is a "fairly" simple issue. In principle the WSIS should determine the process for accreditation. ICANN should then follow this process, which in turn should be audited by either a well known auditor (like KPMG, etc) or ITU, the UN etc. Instead WSIS is sidetracked into the discussion of WHO should execute the process. They still have to determine the process though. There is a risk here that the outcome is that whoever gets to execute the process also ends up defining it. This is less transparent than today.

It looks like I might be going to Tunis so I guess I will have plenty of opportunity to write more then...

October 3, 2005

Views on the prepcom-3

I have been trying to follow the Prepcom-3 discussion in Geneva for the past week. I have all respect for the negotiators, and the right for everyone to express their views. I might not share the view of many if not most of the delegates but that is irrelevant. "I might not share your opinions but I will fight for your right to express them" as the saying goes. I think the WSIS process in and of itself is important and has helped force the understanding of Internet governance issues onto many governments and private sector players. I think this is important. It has also forced many of us that have strong views on the governance of the Internet to express that, and explain what the Internet is and what it does.

October 9, 2005

Towards a next generation IX

Netnod had its first board meeting discussing the 2006 budget assumptions. This was also the first discussion on the preliminary outcome of the customer survey. There is a lot of good feedback in that survey. This has given me more work for this autumn than I had anticipated, but it has also given ideas to a fairly large restructure of how we operate Netnod today. I see some really exciting and interesting months ahead. I also see very little sleep...

November 8, 2005

IETF64 - Day1

Yesterday was covered with IEPG and IAB meetings. Today the working-groups started. The IAB meeting spent a lot of time discussing the future of multihoming in IPv6. Shim6, which comes out of one of the working-groups I am chairing, has been questioned by some participants of Nanog, which led to the IAB holding a BOF at the Nanog in LA.

Discussions here seem to indicate that partly the people that spoke at Nanog against the shim6 proposal are not aware of what the proposal is. Similarly they also seem to have a very different view of the world from what I have. One of the strong opinions is that the path selection and hence bandwidth usage decision should not be put into the end-hosts. I want to make the observation that if I have two circuits to two different providers, I do expect to be able to use both of them. At my choosing. This might not fit the current low-margin product line expectations with carriers, but it is an unavoidable problem that they will just have to deal with. Customers will more and more use the actual bandwidth that they are buying.

ber is gone

Swedish media today report that Björn Eriksen, who registered the .SE TLD, sent the first email in Sweden and more or less brought the Internet to Sweden, passed away on Saturday.

I never had the privilege to work closely with him, but with my work in EUnet Sweden, KPNQwest Sweden, Swedish Operator Forum and lately i.root-servers.net, I got to meet ber and work with him.

I think we today have a tendency to see people like ber as odd men out from a distant time that has long passed. But I think we need to realize that it's the daring, quiet, hardworking men like ber who give us progress. Progress in society, economy and technology. They are the unsung heroes.

IPv6 coming to completion

In the IETF standards come in different maturity levels. The more stable a standard is, the "higher" the standard will get elevated. It looks like the core IPv6 working-group that has been working on some of the core IPv6 protocols might be meeting for the last time. This seems like good news. We are after 10-15 years coming to a point where we are satisfied with the standards.

You can have a long argument about whether IPv6 is happening at all, or if it will ever get widely deployed. I think everyone by now agrees that the day when we will have turned off IPv4 on the last node and IPv6 will be the only protocol will be far after we are retired, if it will ever come. That said there is wide-scale deployment, and IPv6 is happening, although not always for the reasons we thought.

I happen to think that one of the most useful outcomes of the IPv6 development process has been the increased understanding in the Internet engineering circles about how the Internet really works and how various protocols and standards interact. I think that we have learnt a lot and that we will never again see the type of "forklift" upgrade of the Internet as IPv6 attempted. We will instead see gradual deployment and updates of parts of the architecture. I also think we are becoming increasingly better at building objects and modules that fit into the existing network.

So, go and ask your provider for IPv6 today!

November 13, 2005

IETF summary

By most standards I think that the past IETF64 was a pretty calm event. Some people in the hallways called it boring. I don't think it was boring at all. Instead I think it was a quiet meeting where real work got done. This was the first IETF when the IAOC could announce that it had made substantive progress. The administration issues were no longer on the table. The only heated point was the PESCI BOF, the discussion on the process for process change. A topic that might seem ridiculous, but that is deeply serious for any standards setting organisation. The PESCI BOF did not lead to any concrete action this time, but I am sure we will see follow-ups. There was some disagreement on where the problem really is and what the starting point for change should be. It's an interesting debate I encourage people to follow!

Multihoming and IPv6

One thing that cast its shadow over the IETF, although it was not directly related, was the IAB shim6 BOF held at the Nanog in Los Angeles. As co-chair of shim6 I would really have liked to participate, but couldn't due to other travel and "day-job" work. Instead I sat through three summary presentations during the IETF week and ended up watching the video recording during my stop-over at Frankfurt airport.

My first reaction from listening to the summaries at the IETF was that it must have been a highly uninformed discussion. Watching the recordings puzzled me even more as there were people that have been somewhat active on the list, and following the work, making remarks that were not in line with the currently proposed protocol. While the shim6 protocol certainly has issues that need to be worked out, many of the comments made seemed to either be from people that felt their business model threatened or that did not understand what was being proposed.

Talking at the IETF it was clear that we need to document the use cases for shim6 better and try to list and address the concerns that were raised better. I might have gotten volunteered to write that document.

I do believe that the idea of a series of sessions where the IAB takes topics out to a wider operationally focused community is good though. It does open up more communication channels and does highlight an education gap that needs to be filled on both sides.

November 14, 2005

WSIS commentary

So I have arrived in Tunis. Flight from Vancouver to Frankfurt was uneventful. But the 12 hour layover in Frankfurt was painful. Then arriving in Tunis at 0.45 Monday morning. We were forced to take their shuttle buses that took forever, and we realized that the hospitality staff and bus drivers had no idea where the hotels were. Finally got in bed at 3.15am (the taxi ride is around 15 minutes from the airport to the hotel). Then I got up at 7am. So I am down to some 8 hours of sleep since Saturday morning in Vancouver.

Security is extreme. There are metal detectors at the hotels and there are roadblocks every kilometre on the roads. Even at the venue you have to constantly ID yourself with the badges. I have it somewhat easier being part of a delegation.

I will try and write on the blog as I hear and see events unfold. HOWEVER THESE NOTES WILL BE AS I PERCEIVE THE SITUATION AT THAT MOMENT. So they cannot be seen as official notes or commentary from me or someone else...

June 1, 2006

Press around TPB and statistics

I have been reading all kinds of press articles around the Netnod statistics from yesterday analysing the police raid against the Pirate Bay. Most of this analysis leaves a lot to wish for. It wasn't until an hour ago that a journalist for the first time bothered to call us and ask for our opinion.....

I think that says something about the level of understanding of what is happening. My credits to the Swedish morning paper Dagens Nyheter that actually bothered to verify facts before publishing.

My favourite so far is George Hedfors, security consultant at Pinion, who has "analysed" the traffic that passes the various Internet exchange points in Sweden. Hilarious! I assume this guy has looked at the public Netnod web-pages...This makes Telekom Online stand out as a medium...

June 2, 2006

Diversification of operations

I am at the DNS operations workshop pre-Nanog in San Jose. I think this is a really good initiative and I hope to see more of these workshops. But it does highlight one issue. It used to be that all network operators and "operationally aware" individuals also did DNS and services. Perhaps they did not operate it inside their companies but they did have the knowledge. And DNS operations used to be part of Nanog.

Now we are seeing a new track being born and we see more and more companies and people moving into specialising in DNS. This is probably because DNS is now considered more critical infrastructure, and therefore more money is associated with it.

Don't get me wrong, I believe some diversion is good, but there is also a real risk of balkanisation of services and knowledge. As the Internet gets more and more complex people will focus on a particular area. This leads to a lot of the overlap in engineering we are seeing recently and recursion of features at different layers of the protocol stack. This worries me greatly and I believe this is a serious threat to the stability of the network.

I still think the meeting is interesting though :-)

June 6, 2006

Video distribution

Spending two days at the Nanog meeting in San Jose. Listening to the discussions here it's pretty amazing how often video distribution is coming up. This is clearly the next application that is going to go out big on the Internet, and handling the bandwidth needs is going to be a challenge.

We are talking HDTV over IP with encoded streams in the size of 13Mbps per stream. Now, a lot of this could be cached at the edges, but there are (as pointed out to me by Dave Oran earlier) three events that can't be cached: breaking news, sport events and rock concerts. These will have to be sent live over the Internet. These today make up 40% of the revenue for the entertainment industry. This means a significant traffic volume. To make this scale today, we either need to push this out through a content distribution network or we need to go multicasting. For the latter, we have a lot of inter-provider political hurdles to overcome to make this work and to make multicast available universally.

And this is still just the beginning. A "real" TV camera for sports events at 180fps will generate an uncompressed video stream of 10Gbps.

To make this worse, we don't really have the hardware to shuffle these volumes of traffic. If this takes off fast, we have no way to catch up. State of the art today is 40Gbps. We can build 100Gbps equipment but the cost of cooling it makes it economically unfeasible. I.e. the margins of shuffling IP packets today are so low that we can't pay for upgrades to 100Gbps capable equipment before we have 65nm electronics, which is assumed to be in full swing around 2010. At the same time the number of packets to be forwarded is about to explode. When these two facts meet....we are in for trouble...

July 19, 2006

Movable Type (MT) and user_styles.css

When deciding on new blog software I got stuck on Movable Type. I am not convinced this is a good idea and it seems more people are happy with WordPress so I might still re-consider. However one small issue I found at installation was that you will get errors of a missing 'user_styles.css' in the mt-static directory. After some googling I found several suggestions that this is a missing file and that creating an empty one with the same name had solved the problem. It certainly let the installation finish but the back-end user-interface looked horrible. There were also lots and lots of entries with references to MT and user_styles.css in Japanese. Unfortunately that didn't help much.

After some looking at the code I instead decided to copy styles.css to user_styles.css, and now it looks much nicer and works a lot better!

I still have to figure out how you publish an entry without having to do preview first...

- kurtis -

Cached copies...

Thanks to the caches of Google and Yahoo! I actually managed to recover most of the old blog entries. I think I might have all but the most recent ones. Will not try and write more often...

July 20, 2006

Blog spam..

I don't think I ever realised the extent of blog spam. But with my blog up for less than 12 hours I had the first spam entry in the comments. Sigh.

On the cost of International connectivity

The ITU has decided to help with the high cost of international Internet connectivity. This is actually somewhat surprising. Cost of Internet connectivity to a large extent comes from one's ability to localise traffic and therefore being able to minimise the amount of bandwidth and infrastructure needed to transport the packets.

In light of this, development of Internet Exchanges and local competition is a first vital step. However in many countries this is still just a dream. Countries in Africa and Asia mostly have created regulatory frameworks and legal barriers, not to say outright confiscated local Internet Exchange points - all to the benefit of their local telco monopoly.

In the light of this the ITU effort is somewhat interesting. The ITU has several times before tried to tackle the difference in how Internet traffic exchange agreements are settled compared to how the traditional voice traffic is settled. In the voice world you pay per minutes exchanged and both parties pay. In the Internet world you either agree that the two of you are of equal value to each other (which is normally within some defined boundary) and then no money exchanges hands - or one party buys access to the other party. In addition to this normally both parties have to pay for the transmission access.

Now this is at the heart of what the ITU thinks it needs to solve. As there are countries where providers only pay to get access it is deemed unfair that no one pays them. These countries normally get some income in the voice world due to complex call re-routing schemes. This is something they of course are keen to protect. However, it has little or nothing to do with the cost of Internet access. In these countries the state-owned monopoly normally has control of all outgoing bandwidth. Either through sea-cables or satellite uplinks. If competition was free and several players could bid for multiple contracts in the country - bandwidth prices in the country as well as the cost of international Internet access would drop as a start. But that would hurt revenues of the monopoly.

What is also often forgotten is that the Internet model actually takes into account who ended up paying the lion's share for transporting all that traffic through infrastructure for handoff to the customer. In other words, someone has to pay to get the traffic over the undersea cable links.

In light of this, as the ITU has its strongest supporters among current or former telco monopolies around the world, I am actually a bit surprised they decided to take this on.

July 25, 2006

Internet everywhere

I have been back to Åland, the group of islands in the middle of the Baltic Sea, for the weekend. I had some good food, a bit of party and managed to catch up with some old friends.

This morning as I went on the ferry to go back I discovered, somewhat to my surprise, that of course there is WLAN on board. This way I have Internet access for the 2.5 hours the ferry takes. Not that I commute there anymore, but it's easy to see how these things make it a lot easier and more convenient for those that have to commute here and give them an extended work day. Now the only thing missing are more power outlets.

September 24, 2006

Bletchley Park

When my father turned 70 last year I promised him a classical concert anywhere in Europe. We never got anywhere last year, but this year we went to see Paavo Berglund conduct Sibelius' Swan of Tuonela with the London Philharmonic. We got amazing seats and the evening was a memorable one.

However on Sunday I went with my father and Bij out to Bletchley Park. Originally I wanted to go as I had read that this was the opening weekend for the operational demo of the Colossus computer. However it turned out this was also a veteran weekend. This meant that the place was packed with people that had actually worked there. On the tour we took there were also people that had worked in the clandestine service during WWII and had been on both the receiving end of the decrypts as well as part of information gathering for Bletchley, which led to really interesting first hand accounts of BP when it was in operation.

The place was much larger than what I had thought. But I learnt that at its height there were 12 000 people working there in 3 shifts. Our guide, Peter Jarvis, made a really interesting tour. He also put a lot of the results achieved at BP into terms of success in the war and what that meant to the people of Europe. Apparently it's assumed that the codebreaking at BP shortened the war by two years. Translated into decreased suffering this is an astonishing accomplishment.

There where lot's of stories from BP that could and should be retold, still I believe we today have a hard time of really appreciating the effort that was undertaken at Bletchley Park. To build machines that could process the required amount of information at that time is an amazing achievement. Apparently the Colossus, although special purpose built still was used into 90's. The Poles that gave the Brittish the knowledge to break the codes as well as mathematicans such as Alan Turing advanced computer science in a hughe leap. Therefor I am glad that Tony Sale and his friends managed to save BP from destruction so that they are able to tell the story and make sure it's not forgotten.

I can recommend a visit! Just make sure you have eough time! I am definetly going back!

September 26, 2006

RENs and the drive for more bandwidth

I am currently at the NorduNET conference in Gothenburg. Listening to some of the presentations today, which outlined some of the future networking needs of, for example, radio astronomy and medical imagery data, I am left even more convinced than before that we are behind in developing networking equipment. I was asked by a friend how come the commercial world is always asked what is needed and always quoted on the future technology needs. That's a good question. Perhaps the answer is actually related to why we are behind in the development cycle. I think the stock-crash of 2001 is at least part of the explanation. Vendors are more careful in their development programs unless they know they will get a timely return on investment, so you listen to the people with the cash. Also, the oversale of the possibilities of the Internet in the dot-com boom still means that exponential growth curves, no matter how well underbuilt they are, are met with huge scepticism.

Lastly, I believe that with the huge write-offs that occurred in the chapter 11 filings, operators were led to believe that CAPEX costs were low, which set the price expectations of the customers. Now we are in a deadly circle where operators are forced to sell IP packets at extremely low margins and instead try to make a living on the margins of 'value added products'. This means that investments in IP forwarding related equipment and capacity are pushed forward as long as possible. Unfortunately the development of value added services and new technologies assumes an ever growing bandwidth available to the user. There is a risk that the needs will not be met by the market at these prices, AND/OR that we will run into real capacity shortages. Then we will most likely see a huge rise in cost for IP forwarding. Hopefully that is just a hypothesis.

October 1, 2006

Internet reliability

I read in Expressen today that the hospitals in Stockholm have had a computer outage that has prevented them from communicating, and this has led to delays in submissions of patients among other things. This strikes me as bizarre.

Hospital submissions have predated the Internet by decades, so here we have a case where operational procedures have been diluted due to increased reliance on technology. This scares me. Operational practices should always be capable of dealing with worst case scenarios, and technology should be deployed to make these procedures more robust, faster etc. Not worse. That to me signals a lack of understanding of the goals of the operation you are trying to support.

Is IPv6 really dead?

I was pointed to the following blog posting by Todd Underwood, CTO of Renesys. In this post Todd writes

I regard it as a largely straightforward presentation of the facts: IPv6 is used by virtually no one, is not seeing significant adoption and has lost in the marketplace of new ideas. Since we will, in fact, run out of IPv4 address space eventually, and since IPv6 is obviously not the solution that people want for this problem, let's start working on a better one right away.

I am not sure I agree with him even that far. The fact that IPv6 is not seeing real wide-scale deployment probably has more to do with lack of perceived need than anything else. IPv6 is just more address space, nothing more nothing less. At the NorduNET conference last week I gave a talk on the current status of IPv6. In it I noted that IPv6 probably has been done more harm than good by politicising the deployment. I.e. Japan, Korea, the US and the EU have all invested political capital in deployment, rather than looking at operational realities. So in order to do the sales, arguments like increased security and QoS have been made. Both of which are nonsense. Again, the main driver behind the development of IPv6 was a larger address space, which IPv6 certainly has (we can have a lengthy argument if it has enough though).

Now, a larger address space is not something that you will have increased revenue or margins from; on the other hand, deploying IPv6 most likely will mean increased operational expenses. I am more doubtful that IPv6 will have an impact on CAPEX, i.e. investments. Those are upgrades over time that would have happened anyway. I believe this is the major factor as to why we are not seeing more adoption of IPv6.

Perhaps contrary to what most people (well, some at least) believe, operator networks are rarely, if ever, upgraded 'just in time', i.e. when bandwidth runs out. They are upgraded by 'just in time troubleticketing'. I.e. when the pain of not upgrading gets high enough, you will order the new router/switch/bandwidth.

Todd in his blog posting goes on with

Of course, the presentation contains juicy quotes like:

  • "The market has spoken: IPv6 is the wrong technology at the wrong time and most organizations will profit from simply ignoring it"
  • "NAT and IPv6 are both evil, but IPv6 is the more dangerous of the two."
  • "IPv6 was designed with no migration strategy from the real Internet."

For a text that starts out with 'largely straightforward presentation of the facts', these bullets seem to be extremely poorly underbuilt. In what way will you profit? As opposed to? Why is IPv6 and end-to-end addressing in the same domain worse than IPv6? And isn't the counter proposition then IPv6+NAT? What's the 'real Internet?' And why would you migrate away from it with a new addressing model? And wouldn't that also then be migrating away from the real Internet?

The text leaves the reader with a lot more questions on Todd's real motives than it answers. I would really have been interested in a detailed analysis of the proposition or counter arguments to IPv6 based on the huge data-set that Renesys has. Instead you are left with the feeling that its CTO is on a crusade against the IPv6 wind-mills...

October 2, 2006

Higher court finds alleged file-sharer not guilty

Today a Swedish higher court has found a 29-year-old not guilty of illegal distribution of copyrighted material. He was charged for having distributed the movie "Hip hip hora" on the Internet. The lower court found the man guilty and sentenced him to fines. The lower court argued that while file sharing as a phenomenon might have serious economical consequences for the movie industry, a single movie can not be argued to carry that much harm. Therefore he was not sentenced to jail.

Now a higher court rules that there is not enough technical evidence to bind the man to the action. Apparently the court was presented a set of screen dumps from the download and the court argued that they would have needed binding forensic evidence. This in turn would have required the police to conduct a house search, but warrants can only be issued if the possible sentence is prison.

While I certainly am no fan of law breaking and I do believe that the creators of the content have the right to get paid - I also believe it to be of more benefit to society if the police spend their limited resources on violent crime instead. Also, as I have said several times before, I believe that the movie and recording industry, with their constant attempts at blocking acceptance of new technology, mostly have themselves to blame. They were against cassette tapes, CD-ROMs and DVDs. The same with content distribution over the Internet. They should have made sure they were the ones that controlled the habits of how people access content rather than waiting for eternity for the foolproof copyright protection. History has shown us that no copy protection has survived so far. Had the recording industry instead embraced on-line sales and distribution and met consumer demands, they would be in control of people's habits for content access. They didn't, and are now paying the price.

October 3, 2006

The usage of NTP

As I wrote yesterday, a higher court freed a man that had been accused of violating copyright law by sharing a copy of a movie on the Internet. The court based their verdict on lacking technical evidence. It turns out that the court believed that it could not be proven that this was really the man at that computer at the time. It turns out that the police investigation was based on correlating the screen snapshots from the "anti-piracy" organisation with the DHCP server logs from the ISP. However, there is nothing that proves that these in reality are correlated.

In recent years, several criminal investigations in Sweden have been delayed waiting for clues in order to correctly correlate timestamps from surveillance cameras. If we had a more widespread usage of correct time, i.e. time sources that can be traced to UTC, the problem would go away. It would not solve the case with the filesharing, as the ISP servers most likely are synced, but the client PC isn't. Even if it were, without signed queries and replies we have no way of knowing that the clients actually are correct. But that is a development task for a future NTPv5 (which happens to be something that some of us are looking at doing. Stay tuned).
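To make the correlation problem concrete, here is an added example (not from the original post or any real investigation) that looks up which host held an IP address in a DHCP log at the moment an observation was made, and then asks the same question again once the observing machine's clock is allowed to be off by a few minutes. The log format, addresses, MACs and times are all constructed for the example; the point is that without a UTC-traceable timestamp on the observer's side, the log alone can name more than one candidate host.

```python
"""Correlating an observation timestamp with ISP DHCP lease logs, and what an
unknown clock offset on the observing machine does to the attribution.

Constructed example: an ISC-dhcpd-like syslog format is assumed, and the
observer's screenshot carries a local timestamp whose offset from
UTC-traceable time is unknown.
"""
from datetime import datetime, timedelta
import re

# Constructed DHCP log: 10.0.0.5 is handed to two different hosts during the
# evening; the second host receives it at 20:31:45.
DHCP_LOG = """\
2006-10-01 19:02:11 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:aa:bb:01 via eth1
2006-10-01 19:40:00 dhcpd: DHCPACK on 10.0.0.9 to 00:11:22:aa:bb:07 via eth1
2006-10-01 20:31:45 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:aa:bb:02 via eth1
2006-10-01 21:15:03 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:aa:bb:02 via eth1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dhcpd: DHCPACK on "
    r"(?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17}) via \S+$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_acks(log):
    """Return (timestamp, ip, mac) tuples for every DHCPACK line, in time order."""
    acks = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            acks.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], m["mac"]))
    return sorted(acks)


def holder_at(acks, ip, when):
    """MAC that most recently ACKed `ip` at or before `when`, or None.

    This is the naive answer: it trusts the observer's timestamp completely.
    """
    mac = None
    for ts, aip, amac in acks:
        if aip == ip and ts <= when:
            mac = amac
    return mac


def candidates(acks, ip, observed, max_skew):
    """All MACs that could have held `ip` if the observer's clock was off by
    up to +/- max_skew. More than one entry means the log cannot, on its own,
    bind the observation to a single host."""
    lo, hi = observed - max_skew, observed + max_skew
    macs = set()
    first = holder_at(acks, ip, lo)       # whoever held it at window start...
    if first:
        macs.add(first)
    for ts, aip, amac in acks:            # ...plus every hand-over inside it
        if aip == ip and lo <= ts <= hi:
            macs.add(amac)
    return macs


def attribute(log, ip, observed, skew_minutes):
    """String-input wrapper: (naive single answer, sorted honest candidate list)."""
    acks = parse_acks(log)
    when = datetime.strptime(observed, TS_FMT)
    return (holder_at(acks, ip, when),
            sorted(candidates(acks, ip, when, timedelta(minutes=skew_minutes))))


if __name__ == "__main__":
    # A screenshot stamped 20:30:00 on an unsynchronised PC: with the clock
    # trusted there is one answer, with 5 minutes of possible skew there are two.
    for skew in (0, 1, 5):
        print(skew, attribute(DHCP_LOG, "10.0.0.5", "2006-10-01 20:30:00", skew))
```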

In the meantime, if you just want to increase the accuracy a bit, Netnod provides an excellent service with NTP traceable to UTC(SP). For more information see Netnod's homepage.

    October 9, 2006

    Trying out MarsEdit

This morning while reading Paf's blog I saw that he was playing with off-line blog editing software. This is something I have missed ever since I started. The good news was also that he seems to have done a lot of the ground work and tried various software :-) So I went for MarsEdit, which so far looks really good!

October 11, 2006

Nokia E70

So I finally managed to get the email client on my Nokia E70 to work with multiple accounts. Turned out that the settings for access-point need to be the same for both Outgoing and Incoming email. You do wonder why they then didn't just make one configuration option (I had missed that you had to set it twice). So now I find myself reading email really quickly :-) What I also have found myself doing is reading email on the phone instead of the laptop, although I am sitting next to the laptop... What does annoy me a bit is that the email client doesn't have an option to store the server certificates. At least I haven't figured out how you do it... Anyway, now the only thing missing is a better user interface for the Wlan configuration and roaming options to use Wlan if there is an open or configured SSID present...

October 12, 2006

The new cable-bubble?

I read that VSNL International is planning a new sea-cable system linking India and Singapore as well as their other sea-cable systems. My guess is that VSNL are trying to fend off the competition/threat from Reliance and their subsidiary FLAG, who are also deploying new cable systems in the region.

Now to me this is starting to look like the Atlantic battle of the late 90s. Several consortia built or planned sea cables linking the US and Europe. Enormous amounts of money were attracted on the world's capital markets, most of it lent by a few (by some accounts three) banks. Funding was raised on the belief that the growth of Internet traffic would increase the value of the cables and their associated systems and products. Global Crossing as well as FLAG were formed as a result of these predictions. In the end both FLAG and Global Crossing survived under Chapter 11 protection and were sold for scrap. Their cable systems are still in use.

As bandwidth demand on the Internet indeed did increase, the cable systems are filling up. In a not too distant future, we will either need to deploy new sea-cables or start pushing the envelope on what can be done with the optics on the current ones, i.e. increase the bandwidth per wavelength. At the moment it seems people are betting on the latter, across the Atlantic at least.

So what is the lesson? That India's boom market might seem spot on with deploying the railways of the 21st century. However, traffic in absolute numbers is still very small, and the investments are huge. There is a clear risk in my opinion that the consortiums that are providing the equity for the new sea-cables in this region are overestimating the ROI, which might lead to a similar sea-cable bubble to the one that eventually struck FLAG and GC. That said, they were also very much victims of the dot-com bubble burst. They had unique tangible assets that should have been visible in a strong balance sheet, but over optimistic accounting and revenue targets became their downfall as well. Let's see what happens in India.

Network endpoint assessment....

Microsoft and Cisco have announced a cooperation around what in the IETF standardisation is called Network Endpoint Assessment, or NEA. Eric Rescorla has already made an excellent summary of the issues around this technology, so there isn't much more to add. What strikes me as somewhat strange is that the enterprise security people are buying this type of technology. They if anyone, I would assume, would understand how easy it is to have a lying client and what the problems are with having your employees take the laptops to another network where they all of a sudden are offered new patches that might or might not work with their corporate software.

I have said this before: it's a great inventory tool - but that's basically it. And as someone on the ietf@ietf.org list observed: Couldn't we do this with just netconf?

The Internet and freedom of speech

I am sitting at ISOC-SE's session on Internet Governance. One of the questions that came up is freedom of speech in various countries and how ISOC-SE and other Internet communities should try and work this. However the examples taken were how the Russian government tried to close down a Chechen web-server in Sweden, and how Google helps the Chinese government filter content.

Now, while I certainly sympathise with the view that anyone should have the freedom to express their opinion, I also believe that these examples are examples of something else.

The content above is illegal in their respective countries. There are several examples of illegal content even in the western world: denying the holocaust of Jews during WWII, denying the holocaust of Armenians, just to pick two examples. So if someone in the 'traditional' printed world would violate this, the country would deal with this and we would all be happy with it - probably even encouraging it. Now, we have judicial systems in other countries asking other countries, or corporations active in their countries, to lend judicial support in another country or a corporation to abide by law. In other contexts, like copyright protection, we would of course find this completely reasonable and desirable.

But where do you draw the line? And isn't this in reality more about trying to harmonise legislative systems? Or getting better at having judicial co-operation for crimes? Do we believe that breaking laws will help the cause of free expression in regions of the world where this is limited?

Personally I believe that the Internet Governance Forum that will convene in Athens, Greece in a few weeks should spend their time on these important but really thorny issues instead of who should edit a text file of little real relevance (that's the root-zone file).

The above is a very quick scribble and not really a full examination of the issues. I believe an improved international legal harmonisation for 'Internet issues' is of critical importance to the continued success of the Internet, and perhaps I will (or should) come back to this topic for some further analysis.

What's driving that routing table growth?

So I have started to wonder out loud whether multihoming really is the dominant scaling factor for routing table growth...

First of all, SMEs today are complaining about the cost of their Internet access; the idea that they would be willing to add a proportional amount of cost is to me questionable. The counter argument is that they are so dependent on their business that they will want to have redundancy. This leads me to two observations. The first is that it's a pretty horrible review of the performance of today's operators; second, this seems to indicate there is a market gap to be filled. Either with hosting services or multiple connections from the same provider. I.e. just package it correctly....

So, my next concern is 'all this other stuff in BGP'. I.e. VPNs. AFAIK there is no data on how fast these routes are growing in large MPLS VPN carriers today. But we do realise that these are one of the largest anticipated growth markets for operators in the future. So will this grow more/faster than multihoming? In absolute numbers, how many routes are we talking about?

I think we have some more analysis to do here...

October 13, 2006

Airports and power....

Sitting in MUC airport I am again annoyed by something that I just can't get. Any airport that pretends to be international these days has at least one Wlan provider, or several, or a portal where you can choose. There is no end to access. But power? At MUC power seems to be distributed along the corridor side where people are running to catch their flights. Not along the comfy chairs. How useful...

I am the one blocking access on the floor between G41 and G42.....next to the power...

October 16, 2006

Technology uptake

In today's 'International Herald Tribune' there is an article on the building of 3G operator '3's network in Sweden. The responsible project manager notes that the largest uptake and user base is in predominantly immigrant or poor areas.

This brings me to one of my favourite topics. Travelling the world where Internet is still emerging in countries like Nepal, Bhutan and India, I am struck by the innovativeness of users. I.e. to find new uses for technology. I believe this comes from the fact that in most cases there are no old, run-in systems that people are used to. They are solving needs (often clerical or bureaucratic ones) for the first time.

In the western world, I find that we often are much slower at adoption and at accepting new ways of doing old tasks. We believe that the way we have always been doing things is the best way. There is a risk in the long run, in my opinion, that countries and regions where technology uptake is faster will be where we see the next generation of applications developed and the next generation of software giants being born. Also, partly because these regions normally have a much larger potential user and subscriber base.

I believe that the EU should devote more of its resources to procurement and regulation around member states' procurement towards new technologies. Funding research is good, buying is better. I believe this to be one of the successes you can learn from countries like Korea and Japan.

October 18, 2006

Application robustness on the Internet and transport protocols

My background is purely operational, and I have always worked in that role. I have lately started to wonder if this has coloured my view of the Internet architecture too much. My understanding from an operational POV has always been that the Internet as a network is a best effort service. Even inside large provider networks you build services on the assumption that things do break. You then try and retrofit solutions into this environment to try and minimise the damage when things do break. These things can be MPLS FRR, tuned IGP and BGP timers, SDH protection, anycast, DiffServ on access-links etc etc. All are there to _minimise_ impact in the hope that you won't miss your SLAs. Now in some private discussions I have been part of lately, I am left wondering if it is the case that upper layer protocol designers these days believe that using a transport protocol like TCP for some reason will protect against these failures. I.e. I have always assumed the role of TCP is to 'do better than UDP'. Reliable vs. unreliable. Neither however is guaranteed. SCTP to me is just more duct tape and strings, again to handle the case where the network fails - because it will. Now, that said, I also realise that there are applications that need to retain long-lived state at the 'other end' to keep the application running. However, architecturally, shouldn't this then be a feature of the state machine of the upper layer protocol? The application needs to be able to recover state or to resume with no state? A TCP session can fail for a number of reasons and get re-established. I am betting that with what I frequently call the recursion of recovery (i.e. encapsulation solutions stacked on top of each other where each layer can provide protection against path failure but with different timers. Picture HTTP over SCTP over IP over Trill over L2VPN over etc...), we are bound to see more of TCP time-out followed by path re-establishment. So, is this a real problem? Should applications be more robust and assume less of the transport layer? I.e. I believe that applications ALWAYS should assume possible transport failure and have a state machine with an exit for that. And an acceptable exit is 'restart from scratch'.

October 24, 2006

You know the Internet is not business critical when....

...you are sitting in one of the best hotels in one of Europe's financial capitals and you get the following Internet access at 00:30 CET:

185 packets transmitted, 105 packets received, 43% packet loss
round-trip min/avg/max/stddev = 64.578/85.778/351.411/36.836 ms

Hotel Intercontinental, Frankfurt.

PS. It's consistent 24 hours a day...

Public Internet access

To add to my last posting....

1 192.168.2.254 (192.168.2.254) 3.092 ms 3.373 ms 1.408 ms
2 172.30.10.1 (172.30.10.1) 125.586 ms 2.610 ms 64.987 ms
3 10.134.248.86 (10.134.248.86) 10.910 ms 58.876 ms 30.611 ms
4 172.28.206.1 (172.28.206.1) 81.812 ms 44.496 ms 20.203 ms
5 172.28.206.48 (172.28.206.48) 73.532 ms 106.196 ms 41.688 ms
6 172.28.74.22 (172.28.74.22) 53.529 ms * 17.715 ms
7 172.28.76.19 (172.28.76.19) 18.250 ms 18.517 ms 19.557 ms
8 172.28.76.33 (172.28.76.33) 82.418 ms 18.778 ms 40.104 ms
9 172.28.75.17 (172.28.75.17) 18.658 ms 18.923 ms 86.564 ms
10 172.28.87.4 (172.28.87.4) 22.471 ms 102.690 ms 71.777 ms
11 172.28.218.241 (172.28.218.241) 164.287 ms 93.658 ms 32.447 ms

Frankfurt airport.

- kurtis -

October 26, 2006

How we came to get the Internet

I was pointed to a really interesting presentation at the last UKNOF meeting. It describes some of the issues that made the Internet win over OSI. I wasn't actually at the meeting, but the slide set also has some really interesting quotes that I think we should ponder over and think about today:

Telcos would run email, just like they ran the PSTN.

and

Telcos saw it as an opportunity to hold their share.

Both sound remarkably like what I believe are the main driving forces behind the ITU-T's development of the Next Generation Network (NGN) framework. Actually, amusingly, it's more or less the same incumbents at work...

The presentation also has some other thoughtful words:

The role of the standards bodies
• A desire to cover all cases, in all scenarios.
• A refusal to say no to any stakeholder.
• No realisation of how the world was going (away from incumbent telcos, towards market liberalisation)
• Never again would anyone push an unproven standard. Until SNMP, HTML 3.0...

These are reasons that the IETF and the Internet once led the path to innovation and productivity. As the technology matures and the use becomes more widespread, coupled with more dependency on the technologies, it will also inevitably stagnate. This is to be expected and is also a matter of success. As my friend Peter L. puts it, "perhaps we were a bit too good, and too successful for our own good". We all, users, developers, standards organisations and governments, however need to make sure that this stagnation is turned into something positive, and that we still care for and nurture innovation over the network. After all, this is the benefit that once drew us all to use it!

November 5, 2006

Breaking News: IPv6 is incompatible with ATM!!!

I was pointed to the column of I, Cringely. It's hilarious! My favourite is:

The bad parts of IPv6 include having to replace most routers, as well as any performance hit that may come a jump in packet size -- today's packets average 63 bytes, while IPv6 packets will weigh in at 87 bytes. But the real hit will come from inadvertently broken parts of the network, like anything based on Asynchronous Transfer Mode (ATM) technology. ATM uses fixed 53-byte packets with eight bytes of address. Switching from eight-byte to 32-byte addressing will decrease the packet data payload from 40 bytes to 16 bytes, which is not good. IF ATM survives it will require either a NAT-like kludge, new ATM equipment that runs 2.5 times as fast, or a simple acceptance that the new Internet is slower than the old one it replaced.

I am still laughing... It's a joke, right? - kurtis -

November 13, 2006

Nordea phishing times again...

So it's time for another Nordea phishing attempt. Once again it's the 'fraudkamp' department and the Swedish does leave something to be desired. So far Nordea has claimed that it's not because their security system has more weaknesses than the other banks', but just that they are larger. Well, that might be, but they are still the only Scandinavian bank that is the victim of phishing attacks - and that repeatedly. One would think that they actually had an extra incentive to go for the strongest possible authentication system. Instead they use what is widely considered the weakest. I really hope that Nordea finally comes to its senses and changes the authentication system...

November 25, 2006

Three Chimneys

So I had an exceptional culinary experience tonight. Jim took us far out on the Isle of Skye. Literally behind the end of the world. And there was Three Chimneys. It was fantastic. Setting, interior, service, food, drinks, everything.

I want to go back. It is a bit far though...but I want to go back. Soon.

December 5, 2006

ICANN posts IDN test plan

ICANN has today posted the test plan for introducing IDNs into the root-zone for comments. This was developed by my colleagues at Autonomica and we would be really happy to receive comments!

December 7, 2006

ICANN RSTEP report on GNR published

http://www.icann.org/announcements/announcement-06dec06.htm I of course think we reached the right conclusion :-) - kurtis -

December 8, 2006

Judging content

In yesterday's on-line edition of IDG you could read (in Swedish) that one of the local ISPs in southern Sweden had given in to pressure from the rights holder association in Denmark and started to block their customers' access to the Russian web-site allofmp3.com. I don't support illegal activities, and I don't believe that the best way of working for change of perhaps broken legislation or regulation is to break the laws or rules, but I think this is just plain wrong.

I believe that giving in to the pressure of interest groups, no matter how powerful, is leading us down a very dangerous path where money and connections will take over the roles of the courts and police. That is not a democracy. If the various rights holder associations in the world have a problem with a site, they need to take that up with the police and prosecutors in that country. If local legislation in that country is not enough, they should focus their resources on changing that - which is the only thing that will scale in the long run.

It also worries me that we have such weak national authorities that small ISPs such as the one in the article feel that they need to comply. Instead, they should have had the ability to get help from the Swedish foreign department to explain how a legal system in a democracy works, which most of the rights holder associations seem ignorant about. That is a real tragedy.

December 10, 2006

The Nobel Prize

Watching the Nobel Prize ceremony here in Stockholm, I am again struck by an observation that I have made several times. There are few or no internationally recognised awards for Networking in Computer Science. There is the Turing award for Computer Science, which is probably the closest you get. But that is for Computer Science in general.

I have long argued that the 'Internet community' in a way is missing some of the networks that have traditionally carried, defended and developed other sciences. What do I mean with this? Most other sciences are old, have grown out of century old institutions and have adopted their, sometimes very formal, networks and structures that were fashionable then. These structures have carried great influence through PR and lobbying through the decades. But Computer Science has sometimes tried to revolt against traditions, and mentally has more grown out of the anarchistic and revolutionary ideas of the 1960s. This has led to innovation and freedom in the community, but also often lack of understanding and sometimes outright scepticism from the rest of society.

As the Internet in particular and Computer Network sciences in general are gaining more prominence and importance to society and nations, I believe that the Computer Networking field needs to adopt more of the traditional structures of networking. I want Computer Science and Computer Networking to have their own chapters of the Royal Academy of Engineering Sciences. Actually I think Computer Science should be its own chapter under the Royal Academy of Science. And where is the old and honourable membership in the Club of Computer Scientists? The ACM, with all due respect, doesn't cut it for me :-)

Am I disappointed as I do not get to put on my black tie often enough? Not really, but I do think that these old structures do play an integral part in creating influence and legitimacy for fields of science - and influence on politics and governments in general.

Now, all we need is a testament from a wealthy individual in the field of Computer Networking :-)

Here Nordea goes again...

So this afternoon we again got a new Nordea phishing attempt that exploits their one-time pads. Sigh...

- kurtis -

More on the Nobel Prize

I note that the experts invited to talk on the relevance of the Nobel Prize for keeping Swedish industry developing came from the pharmaceutical industry. Nothing wrong with that per se, but they stressed that Sweden's development is dependent on future development of the biomedicine field. While that is what could be expected, it disturbs me that this will now be the prevailing view among the population in general. I believe this just proves my point about the need for a 'Computer Networking' Nobel prize.

    December 13, 2006

    My 'IP Priset' presentation

    After winning the award 'IP Priset' 2006, I was asked to give a public presentation at SNUS, on current Internetworking. I have been asked for the slides a few times, so here they are!

    January 3, 2007

    Happy New Spam year!

    Happy New Year to all of you! I have just returned from Verbier where it finally started snowing yesterday, and we have now got 70cm in 24 hours. That promises well for the season. I haven't really read email since Dec 20th and found myself going through 5600 emails in my spam folder :-( Not to mention the 448 spam entries in the comments for the blog..:( Happy New Spam Year...

    Finally something new on GUI

    In a CNN news report a new GUI developed by Novell for the One Laptop per Child program is described. It has abandoned the long-ruling folders of OS X and Windows. I have no idea if I think it's a good system or not. That would require some trial time with it, but I do think that some innovation in GUIs is needed. No one can any longer say that either OS X or Windows is exactly easy to use or meets the standards of what you could expect today. As a matter of fact, I am surprised at how little innovation has happened in this space over the years. Let's see what the Novell GUI brings!

    February 12, 2007

    The 'attack on the Internet'


    While I was off ski touring last week, it appears that some journalists saw an attack on the Internet. I have to admit that I am involved in the operation of one of the 13 root-servers of the Internet, and therefore feel somewhat limited in what I can write and discuss around this incident.

    That said though, I do think there are a few observations that are worth writing down.

    1) Botnets are indeed a problem. This is a problem that is bound to get worse and worse as end-user bandwidth availability increases. The existence of these bots is a threat to the Internet, and we do need to address their source - the applications and OSes that make the infection and spreading work.

    2) The attack itself was most likely an advertising campaign or pure marketing. The operators of the botnet were either trying to show off or needed a well-publicised attack to refer to in future racketeering schemes. And publicity they got.

    3) The Internet's DNS system itself was never at risk. It continued to perform and the design worked exactly as planned. AFAIK not a single end-user experienced any problems.

    I would also like to point out the observation that very few root-server operators have actually said anything publicly or shared actual data on the attack. While I can't speak for anyone else, I think we need to keep this in mind when assessing the news reports. Also, the root-server operators are dealing with attacks, capacity planning and other day-to-day operational issues 24x7, 365 days a year. Last week was just another week, perhaps with a few more calls from journalists.

    This said, I don't want to downplay the attack. As I said above, botnets are a serious threat to the Internet, and to the applications on the Internet. We need to start working on this problem. We need to educate the end-users, we need to get better patching schemes in place to fix discovered software issues, and we need to get better at regression testing of commonly used code on the Internet. And we need to look at how to handle the attack traffic. There is a lot of work to be done, but not on the DNS system.

    February 13, 2007

    Where time stands still....

    I am currently at the ITU-T workshop on Identity Management at the ITU HQ in Geneva. I haven't been here since 2000, but it's fun to see that not much has changed. They have added wireless Internet access, but the 14 phone booths with faxes are still here. Unfortunately I forgot my camera at the hotel. I will need to bring it tomorrow.

    Also, while Macs today are probably 30-50% at an IETF, I think I am the only Mac user in here...

    February 26, 2007

    This VoIP thing...

    Ok, I am somewhat sold. Not that I have doubted the success of VoIP in the past, but this week I got sold. We are migrating the office to using SIP instead of POTS, and while here in Bali I installed X-Lite from Xten, configured it against the SIP server in Stockholm and - it just worked. Even using just my PowerBook G4's internal speakers and microphone the sound was good!

    I now have my desk phone with me everywhere. I am not sure that is such a good thing though...

    APRICOT2007 and disk crash


    I am in Bali for APRICOT2007. I have got quite a few comments about vacationing while getting paid, but in reality it took me four days before I finally got to see the beach which is 30m outside the hotel :-(.

    I spent last week giving an IPv6 training course here. Hopefully I didn't come across as one of the IPv6 evangelists; I try quite hard to point out that it's just more addresses. What did surprise me during this session was to find that two of the local providers actually have deployed IPv6, all the way to the end user.

    Now, while I am here on the other side of the earth, of course my home server, where among other things my web-server lives, decides to have a disk crash. So you will not see this and the other posts until I am back home or have got someone to fix it :-(

    March 2, 2007

    APRICOT2007


    I am currently on the flight from Singapore to London on my way back from APRICOT2007. All in all I think it was a really good event. It was only my third APRICOT but as Internet conferences go it was among the better ones.

    Interesting topics, a good spread of topics and every now and then engaged discussions. I really like the lightning talk format that is borrowed from NANOG. Short talks on topics that come to people's minds.

    Next APRICOT will be in Taipei. Let's see if I make it there....

    March 9, 2007

    Press coverage of the 'attack on the root-servers'


    A friend of mine pointed me to a new The Register article covering the attack on the root-server system. The article is based on an ICANN 'fact sheet' that tries to give information regarding the attack. Personally I believe that the usefulness of releasing such a paper is doubtful. I fear that it mostly serves the purpose of the attackers by gaining them more hype and press coverage.

    But let's ignore the merits of the fact sheet for a while and instead read the article. It's highly amusing reading, claiming among other things that the root-servers run on a variety of OSes that seems to include Windows (!) and OS/2 (!). I have no idea how The Register clears articles for publication, but this one certainly leaves something to be desired, and underlines the point I made in an earlier post that the lack of commentary from the first-hand source, i.e. the root-server operators, is striking. It is certainly true that the root-servers run on a variety of OSes, but to the best of my knowledge none of them run on either NetWare or OS/2 (is either of those still supported by the vendors?).

    Oh well...

    The IPv6 hype...


    I have said this before in public, but not in writing, and I thought the time had come for that too. The IPv6 'marketeers' are one of the largest threats to IPv6 deployment. Simply because they have created an unreasonable hype that is guaranteed to disappoint adopters. So let's get that first thing sorted out: IPv6 is IPv4 with a larger address pool.

    Nothing more, nothing less.

    'No magic'.

    There is nothing I can do with IPv6 that I can't already do with IPv4 (well, short of addressing more devices).

    Now, 'just being able to address more devices' might not sound like much, but it is. I will however leave the discussion on other shortcomings of IPv6 for now, just noting that there are certainly problems to be solved. Now that we have got that out of the way, let's focus on what made me write this in the first place. So back to the IPv6 hyperbole. On one of the IPv6 marketing lists a link to this article was posted, cited as a reference for yet another study of the advantages of IPv6. A first glance seems to indicate that it proposes a wider use of VPNs. Which I agree with and which I think would be a good thing. However, let's look a bit closer.

    Skype's service, when it first came out, was impossible to stop. Two hundred engineers from France Telecom were put onto the task of working out how to kill skype, and they failed. Skype uses SIP for the voice traffic

    Uhm, nope. Skype AFAIK does not use SIP. It's, again AFAIK, a modified version of SIP.

    so, three years later, real-time SIP Quality-of-Service deprioritisation proxies can now be used by ISPs to trash it unless you pay them money to use their version of Skype - and suddenly the service gets great quality.


    "real-time SIP Quality-of-Service deprioritisation proxies" ? If there is a reader of this blog that could explain this to me - please send comments. Moving on, I assume that the author with "their own version of Skype" here is referring to a VoIP product implemented by the carrier (presumably using SIP as signalling protocol), as AFIAK the Skype protocol is proprietary.

    TCP/IP is very similar to directional radio waves. You can send data to a destination (an address) and you can send it on a frequency (a port). The problem is that the "airwaves" are getting extremely cluttered, with utter shit from spam, with microsoft anti-virus downloads, with viruses, with bittorrent "illegal" downloads and a multitude of badly-designed VoIP systems, the majority of which use SIP.

    I.e., the end users have started to actually use the bandwidth that they have been paying for all these years....

    Oh, and ignore the virus and spam claim. It's nothing compared to YouTube and HD movies in DVD form over Bittorrent...

    SIP, as I've pointed out before, is especially bad because the ports over which RTP is negotiated (RTP is the actual voice bit of SIP) are chosen by the wrong end! You therefore need to mess badly with your firewall, opening up a range of incoming UDP ports, or you need to have a SIP proxy which sits on the outside of your firewall, NAT-proxying the audio packets onto a sensible small range.

    Right end? Am I the right or the wrong end of a communication?

    The following part of the article is a few paragraphs of ranting about....eh...anyway... (I think the message is that spam used up all your bandwidth. I think the author hasn't done the numbers).

    Instant Messaging is about the only communications system that actually works, and has made it onto the Internet mostly unmolested. The only pity is that, other than CSpace, and Skype, every other IM protocol is centrally controlled. Oh - other than our old unix friend 'talk' which for some reason nobody uses any more :)

    Not really sure what this has to do with anything - and my standards-based IM system is not central, not listed above and still works - Jabber is your friend.

    The article goes on with some outlining of how the carriers can prioritise or deprioritise traffic depending on traffic and their business model. It then goes on to claim that Skype should have included a generic tunnelling mechanism for doing peer-to-peer of any data type, and if we encrypted it no one could tell us to stop or even inspect the packets.

    and now for the grand finale

    But - for now, I wanted to expand on the much simpler approach, which is hinted at, above: to use just the spread-spectrum technology over IPv4 to tunnel IPv6. The great thing about this idea is that, strictly speaking, you don't need encryption, all you really need is compression (which makes it not look like a VPN, which is banned by some fascist ISPs in the U.S.) Also, you can use the spread-spectrum algorithm as a way to encode the session (port + IP address or other state information), so you can do away with that silly tunnelling header that is put on front of VPN packets!

    In fact, strictly speaking, this algorithm is not really a VPN at all: it's a tunnelling system. It's a carrier wave. It's a proxy. It's a bird. no, it's a plane!

    Now, here's the bit that's nice: the spread-spectrum concept doesn't have to just include port numbers, it can also cover IP addresses, and you would automatically get load-balancing over your IPv6 VPN, for free.

    So, I have all the sympathy for widespread use of encryption, web-of-trust, opportunistic etc. Go for it! And hiding things in peer-to-peer tunnels isn't exactly new either. And oh, even the IETF is looking at peer-to-peer SIP à la Skype. The part I don't get above is - IPv6? Why? What does it add? Why not IPv4?

    I am lost. I am sure there is a new use here that is fantastic. I just don't get it.

    March 22, 2007

    The SAVA BoF

    So, I think this BOF started off wrong from the start with just the way the presentations were organised. The fact that they paid as much attention to the presenters' network as they did to the problem statement (if not more) just made the audience hostile. This is unfortunate and should have been helped by more experienced IETF participants coaching the newer members that were presenting.

    To the actual content of the BOF. I think this is driven by a regulatory requirement in a particular country, China. This translates into a problem where a provider will have a pretty well defined statement - i.e. the validation of a source address inside their domain. Here validation means that you can tie the source address to a user, subscriber or similar.

    Now given this constraint, I think you could envision a framework where you can validate the source addresses of packets inside a provider's network, and where the rest of the packets are either unvalidated or simply denied. With this we have to realise that the majority of packets will not be validated, and your policy on handling them will have consequences as follows.

    Under a regulatory environment where the above is true, you can still assume that providers implement this inside their networks, and perhaps even establish some trust relationships between each other in order to increase the trusted domain. However, it is not a solution or scenario that is universally deployable, i.e. this is not a replacement for BCP38 or other existing filtering mechanisms. Unfortunately this is not the way it was presented.

    I have some doubts about the proposal even working in the constrained environment above due to the complexity of the proposal, but I think the BOF at least should have focused on the actual problem they were trying to solve, rather than having it extrapolated to an Internet-wide problem/solution.
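    The kind of check the post is describing, as an added example (mine, not code from the original post or from the SAVA proposal): a per-ingress source-address validation of the BCP38 / ingress-filtering kind. It assumes each subscriber-facing interface is bound to the prefixes that subscriber may source from, and that packets arriving on an interface with no binding (a peering link, say) are either passed as 'unvalidated' or denied, depending on policy. The interface names, prefixes and packets are constructed sample data; `SourceAddressValidator`, `Packet`, `Verdict` and `run_demo` are names I made up for the example.

```python
"""Added example, not code from the original post or from the SAVA proposal:
a per-ingress source-address validation check of the BCP38 / ingress-filtering
kind that the post contrasts SAVA with.

Assumptions of mine: each subscriber-facing interface is bound to the prefixes
the subscriber may source traffic from; traffic on interfaces with no binding
(e.g. a peering link) is either passed as 'unvalidated' or denied, depending
on policy. Interface names, prefixes and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    VALIDATED = "validated"      # source lies in a prefix bound to the ingress interface
    UNVALIDATED = "unvalidated"  # ingress has no binding and policy lets it through
    DENIED = "denied"            # binding exists but source is outside it, or unbound + strict


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # source address as text


class SourceAddressValidator:
    def __init__(self, bindings, deny_unbound=False):
        # bindings: interface -> prefixes (v4 or v6) the attached subscriber may use
        self.bindings = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in bindings.items()
        }
        self.deny_unbound = deny_unbound

    def check(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        prefixes = self.bindings.get(pkt.ingress)
        if prefixes is None:
            # No binding: this is the "majority of packets" case from the post,
            # and the policy choice is exactly the one the post says has consequences.
            return Verdict.DENIED if self.deny_unbound else Verdict.UNVALIDATED
        # ipaddress returns False for a v4 address tested against a v6 prefix
        # (and vice versa), so mixed address families need no special casing.
        if any(src in p for p in prefixes):
            return Verdict.VALIDATED
        return Verdict.DENIED

    def tally(self, packets):
        """Count verdicts over a batch, e.g. to see how much traffic is unvalidated."""
        counts = {v: 0 for v in Verdict}
        for pkt in packets:
            counts[self.check(pkt)] += 1
        return counts


# Constructed topology: two subscriber ports and one peering link (no binding).
BINDINGS = {
    "sub-a": ["192.0.2.0/28", "2001:db8:a::/48"],
    "sub-b": ["192.0.2.16/28"],
}

SAMPLE_PACKETS = [
    Packet("sub-a", "192.0.2.5"),       # legitimate
    Packet("sub-a", "2001:db8:a::10"),  # legitimate, IPv6
    Packet("sub-a", "192.0.2.20"),      # subscriber A spoofing B's range: denied
    Packet("sub-b", "198.51.100.7"),    # spoofed address outside the provider: denied
    Packet("peer-1", "203.0.113.9"),    # arrives on the peering link: no binding
]


def run_demo(deny_unbound=False):
    """Verdict for each sample packet under the chosen unbound-interface policy."""
    v = SourceAddressValidator(BINDINGS, deny_unbound=deny_unbound)
    return [v.check(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.ingress:7s} {pkt.src:18s} {verdict.value}")
```

    Note what the binding granularity buys and does not buy: a source inside the bound prefix is accepted even if a neighbour on the same port sent it, so "tie the address to a user" only holds as far as the bindings are per subscriber. The peering-link packet is the interesting one: with the lenient policy it is passed unvalidated, with the strict policy it is dropped, which is why the post says the handling of unvalidated packets is where the consequences lie.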

    FSM BOF

    Ok, I had to leave early so this is a general comment on the issue. I think this is a real problem that it would be good if we solved (admittedly I have never had to describe an FSM in a protocol so far, but I still believe this to be useful). That said, I have doubts that this really needs a WG, and I think we might want to do some more shopping for solutions before settling on one. I suggest that this would be work carried forward in the apps area or similar.

    April 3, 2007

    The Dell nightmare....

    So last Thursday I ordered a workstation and a 'server' on the Dell Internet site. I got a confirmation mail saying that within 72 hours my order would appear in the order system and I could track it on the web. So I wait.

    On Tuesday this week I start getting somewhat suspicious as I can't find my order in their ordering system. So I call up Dell and ask. I am then told that my order is not yet processed: as I ordered a server, a sales representative will need to talk to me. I ask them why. Dell then tells me that all orders that include servers need to go through a sales representative. I try to explain that they actually sell the same hardware as a workstation, and so if I had bought that I would already have a processed order. The lady replies "yes, of course". Now, the problem with Dell is that you can not buy a workstation without Windows. It is impossible. I want FreeBSD on my server or have it shipped with nothing. So I had to order the 'server version', which is more expensive.

    I finally ask to talk to a sales representative and I am told he can't be reached, but she is sure he will call me. I explain to her that he hasn't called yet and I thought my order would have been processed and on its way. When I hang up I decide not to give up, so instead I call back and ask for sales. I get through to a girl, give her my order number and am told I would have to talk to 'my' sales representative. I ask for him, and I am again given the answer that he is not available, but she is sure he will call me back.

    An hour passes and the sales rep actually does call me. He starts by telling me that there is no way he could have called me as they just have too much to do. I ask him if that is my or his problem - and if it wouldn't be a good idea to tell people their orders are delayed until a sales rep has the time to call them - instead of saying it will be processed in 72 hours? He gives me some sort of evasive yes answer... I am then told it will take 10 days to process the order. I ask from when the 10 days are counted; he tells me from today (Tuesday). I tell him that in my book we count from last Thursday, or if I were a nice guy, 72 hours later. He tells me we need to go through the order to ask me if there is anything more I need to order. Excuse me? He explains that he just wants to check that what is in there is really what I want - like two network ports. I tell him I want EXACTLY what I ordered, nothing more nothing less (perhaps with the addition of actually having it shipped...). He asks me 'oh, you are going to use it as a firewall?' I tell him that all he should care about is getting my system shipped. I am told he will do what he can (I am starting to get worried).

    So time passes, not a single email, confirmation or anything from Dell. Not even a carrier pigeon. So today I decided to call them up as I still can't see my order in the order system. Now I am told I have two orders, neither of which matches my original order number. And that I should know that. After a small, short, and of course very polite monologue on my behalf on my thoughts about Dell, the order history etc, I am told the two machines are currently in Denmark and will be delivered next Wednesday. I decide not to ask what they will be doing travelling from Denmark to Stockholm for 5 days and hang up.


    Seeing is believing....

    Finally kind of up and running...


    So, I have the server back up and running and I have posted a number of back-logged posts. It turns out there is some magic that really does not want me to have this server up. I came home from APRICOT to find that it was reporting a lot of disk errors, and investigating some further led me to believe it was actually the disk controller. So I bought a new motherboard, installed it, mounted the disks and things seemed to be going fine. I left it in the office and went off for the weekend. When I came back it simply refused to boot. Actually, it simply refused to power up. Nothing. Dead. No combination of hardware etc would make it work. After having spent too much time on this problem, I decided to go ahead and mount it all in an unused old server from work - on which it is now running.

    In parallel I decided to buy a new server. Which I have yet to be convinced was a good idea....but that is for the next post...

    April 26, 2007

    How not to build web-sites and do customer support - SAS, a case study

    Trying to book a flight this morning I repeatedly get the highly informative message
    Ett fel uppstod. Vänligen ring 0770-727 727 för att kontakta kundtjänst. (101)
    (An error occurred, please call 0770-727 727 to contact customer service (101)). After calling customer service and waiting in the queue, as you can no longer get priority even when you are a gold card holder, you are told you need to talk to Internet support. Once at Internet support you are told "yeah, we know there are some problems and we don't know when they will be fixed". Uhm...

    Finally a working system....

    After lots of problems I finally have a working new system up and running. Phew...

    so hopefully there will be more frequent posts again...

    Government and crisis handling...


    At the Swedish Internet conference 'Internetdagarna', I last year spoke of the importance for the Government of providing information to the public in times of crisis also on the Internet, and of the government validating the function of the various agencies' web-sites and internal connectivity. This was in November last year...

    Yesterday the Swedish Emergency Management Agency, KBM, led an exercise in central Stockholm simulating two simultaneous terrorist attacks in Stockholm. However, according to several news reports, the exercise was hampered due to the fact that the participants couldn't get to the web-site where the instructions and phone numbers were kept....

    Last year when I made my presentation, outlining how really poorly the Swedish government agencies were handling their Internet access and information distribution, I was met by several agencies saying they had decided that the Internet was not a critical resource. If we for a while agree that that might be true (while I don't believe that), the problem is still that not all of them can do this. So, KBM had stepped up to this task - only to crash during their own exercise. I will also note that the agency responsible for the information in times of crisis does not have a signed web-site. So I have no idea what I am looking at... not that I am convinced that an end-user wouldn't click "OK" on the certificate warning...

    Anyway, the offer some of us gave the government last year to help them develop a working information and crisis management system still stands. But we still won't do it for free or with our own money, as has been proposed in the past. Last I heard they wanted to do another survey and a report. Perhaps now is the time to realise that they don't need more reports, they need action...

    April 27, 2007

    The uses of DNSSEC

    The problems I blogged about yesterday regarding the crisis management agency made me think some more. .SE was the first TLD in the world to be signed and is now selling this as a commercial value-add service to its customers. If we for a moment ignore the question of how much sense that makes, and instead look at how this is being pushed, we can make some interesting observations.

    .SE says that their first primary target groups are the banks and the government agencies. Now, this to some extent makes sense, as I as an end user would find it more valuable to get a signed .SE answer for a bank than for Joe Random's aquarium web cam. But it also comes with a problem. The problem with online banking is not spoofed DNS replies, it's trojans and phishing, neither of which DNSSEC will protect against.

    The problem is even worse for the government (and has on and off been for the banks), where the problem, based on my study last fall, was to reach the agency web-sites at all. This means that there is a chance that I can't actually get the signed replies, and perhaps I can't even reach the site pointed to by my signed reply. Once I have a signed reply, I have no idea if the server responding actually is the site I wanted to view, as none of the government agencies' sites are signed.

    Basically, DNSSEC is the path of least resistance: let's tick the box, announce that we are taking security seriously, and then down with the head in the sand - quick!

    What is lacking is a deeper understanding of the problems, and a will to change. Change to a model where the citizens can use the web for government business with the same level of trust and reliability as they can use their banks, buy books, or gamble online.

    The government has a long way to go...

    May 2, 2007

    The usefulness of URLs...


    Last night SAS lost my luggage in transfer at CPH. The ground staff at ARN were nice and helpful, and you get a card with your tracing number and a small leaflet with information. So far all is good. Then I start reading the information. It says that you can find out the status on the web. Great! There are two URLs listed. http://www.scandinavianairlines.com, which, while a bit long, is useful. However, the second URL is http://www.worldtracer.aero/filedsp/sk.htm. I wonder who came up with that one...

    TeliaSonera and PTTs role in society


    Today the Swedish government started selling their shares in TeliaSonera. Personally I think this is a good thing. However, watching the evening TV news, Aktuellt, they were interviewing staff of TeliaSonera, who claimed that TeliaSonera shares shouldn't be sold by the government. The reason they gave was that TeliaSonera somehow would act more responsibly than other telecom operators and would have a responsibility towards society.

    This is utter nonsense. Society can not be dependent on one provider. Instead all providers should have to act responsibly under regulation. If not - why would I ever choose another provider?

    This logic is bad, and politically coloured. The fact that the interviewing journalist also was clearly on the side of the communist party leader in the debate didn't make it more factual :-(

    No, sell TeliaSonera, and create clear and useful regulation that can't be dragged through the courts forever, as is the case now. Also make sure that the toothless regulator actually acts. There are recent signs that the government actually is pushing the regulator - which is also a really good sign...

    May 3, 2007

    Data integrity and privacy


    I have, or rather had, a Finnish drivers license. I was stopped in a police check-point entering Verbier a few days ago and when trying to put the old one into my wallet again, it broke. Now, that might not be the end of the world except for two things.

    1) It was an old Finnish drivers license, that expired when I turned 70 in 2044. I thought that was handy...

    2) I don't live in Finland anymore.

    So I called up the Swedish government entity that is handling replacement of foreign driver's licenses, as you need to replace it in the country where you live. After being passed around for a while, as this is one of the tasks not described on their web-site, I was told that all I needed to do was to take a photocopy of the broken license, and that this would be valid for driving (duh. More exciting will be to rent a car on it in a week - but I guess I will get back to that), and then send it in with a personal registration certificate. Now, these certificates you can order on the web, or just go to the tax office and get. As I work close to the tax office, I decided on the latter to speed things up a bit.

    So I show up at the tax-office, ask for my certificate, get it - and walk away. Now that is service isn't it!!!??? It probably would be, if it was not for the fact that she never asked for an id. And that with these certificates you can change persons records.

    We often look at digital privacy, and personal integrity, but in our paper based governments we forget how much depends on just your social security number, without any form of verification. I wonder if we actually would not gain more transparency and accountability with more digital processing and cross verification of government registers.

    Hearing regarding copyright

    Nicklas Lundblad has on a mailing list and on his blog asked for help to advertise a hearing in Stockholm regarding copyright law.

    It looks really interesting, and if I wasn't on a plane to the US I would attend. I hope you all will have a good time!

    May 4, 2007

    Small attack against Swedish Internet can bring it all down!!!


    The above is the headline (in Swedish) of an article in Swedish tabloid Metro.

    Now, if you read the article it says that the Swedish regulatory agency, PTS, has released a report stating that small attacks on the border routing infrastructure of the larger providers would take out 70-80% of the traffic in Sweden.

    I somewhat took part in the report and also reviewed it before it was released. I think that 1) Metro is trying to make the issue larger than even PTS intended it to be, and 2) the report makes a few assumptions, and points out well-known weaknesses and how you can protect yourself against them. It goes on to simulate attacks if you do not protect yourself against these well-known weaknesses.

    Well, if you don't protect yourself against well known weaknesses you will always run the risk of being attacked. The solution is simply to use the well known protection, or help to develop something new that do not have these weaknesses.

    Unfortunately PTS doesn't seem to have released the report in English.

    May 7, 2007

    A country under attack

    In my October presentation at Internetdagarna, I talked about Sweden being under attack for 24 hours (well, I only made it a few hours and Sweden was gone).

    Back then I outlined the attack scenario as being an individual event by a newspaper that triggered a lash-out against Sweden as a whole. There was some discussion on the viability of the scenarios and the threats. I am currently in Tallinn, Estonia for the RIPE meeting, where for the last week large parts of the government web-sites have been DDoSed following the unrest in Tallinn a few weeks ago. After some interesting discussions over dinner last night with the people fighting these DDoS attacks on the barricades, it is striking to me how similar the real-world events here are to my scenario.

    Events and attacks like these are really hard to handle. What is yet to be seen is attacks against the actual content of the sites. In this case, luckily, I don't think it's in the interest of the attackers, or at least they have little to gain. But assume the scenario where someone wants to create panic. I had this in the slide deck as well. In my scenario someone altered the content of a large news site to state that there had been an accident at the nuclear power plant north of Stockholm, and that fallout was blowing towards Stockholm with the winds. In this scenario I, as a citizen, would like to have an authoritative site, where content is monitored, signed and secured. Monitored for alterations, signed for verification, and secured to handle roughly one request every minute from each household in Sweden.

    In discussions over dinner last night, I discovered that the Estonian government actually already has this in place. It also appears to me that they are quite capable of running the defences and that they are digging up the criminals responsible for these activities, of which the first has already been arrested.

    I wish the Estonian government good luck in the coming days in fending off the attacks as well as bringing the responsible criminals to justice.

    The discussions last night gave me a few new ideas for this year's follow-up talk for Internetdagarna, and now I have two real-life verification cases for these attacks: the KBM failure and the attacks on Estonia. Now all that is needed is that someone in Sweden would actually care too...
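    The "monitored for alterations, signed for verification" part of the authoritative site sketched above, as an added example (mine; not code from the original post, nor from any Estonian or Swedish agency). Every page is hashed, the manifest of hashes is signed, and each check verifies the signature before comparing the live content against the manifest. Assumptions of mine: HMAC-SHA256 stands in for the signature so that the example runs on the Python standard library alone (a public site would sign the manifest with a public-key scheme so that citizens can verify with only the public key); the key, the pages, the defaced copy and the function names (`sign_manifest`, `verify_manifest`, `check_site`, `run_demo`) are constructed for the example. The third requirement, capacity for one request per minute per household, is a provisioning question that no code snippet answers.

```python
"""Added example, not code from the original post or from any agency: a
content-integrity monitor for the 'authoritative site' the post sketches,
where content is monitored for alteration and signed for verification.

Assumptions of mine: HMAC-SHA256 stands in for the signature so the example
runs on the standard library alone (a public site would sign the manifest with
a public-key scheme so that anyone can verify with the public key); the key,
pages and defaced copy below are constructed sample data.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-use"


def digest_pages(pages):
    """path -> hex SHA-256 of the page body (bytes)."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in pages.items()}


def canonical(body):
    """Deterministic encoding, so the same manifest always verifies against the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key, pages, serial):
    """Publish a signed list of page digests; the serial increases with every edit."""
    body = {"serial": serial, "digests": digest_pages(pages)}
    return {"body": body, "sig": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(key, manifest, last_serial=-1):
    """True only if the signature matches and the serial is newer than the last one seen,
    so a genuine but stale manifest cannot be replayed over a newer one."""
    body = manifest["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):  # constant-time compare
        return False
    return body["serial"] > last_serial


def check_site(key, manifest, live_pages, last_serial=-1):
    """Return (manifest_ok, altered_paths). Added, removed and changed pages all count
    as altered; nothing is compared unless the manifest itself verifies first."""
    if not verify_manifest(key, manifest, last_serial):
        return False, []
    want = manifest["body"]["digests"]
    have = digest_pages(live_pages)
    altered = sorted(p for p in set(want) | set(have) if want.get(p) != have.get(p))
    return True, altered


# Constructed sample site.
PAGES = {
    "/": b"<h1>Crisis information</h1><p>No incidents reported.</p>",
    "/contacts": b"<p>Emergency number: 112</p>",
}


def run_demo():
    manifest = sign_manifest(SIGNING_KEY, PAGES, serial=1)
    clean = check_site(SIGNING_KEY, manifest, PAGES)

    # Defacement of the kind described in the post: the front page is replaced
    # and a new page is planted; the contacts page is left alone.
    defaced = dict(PAGES)
    defaced["/"] = b"<h1>Accident at the power plant, fallout heading for the city</h1>"
    defaced["/evacuate"] = b"<p>Leave now.</p>"
    tampered = check_site(SIGNING_KEY, manifest, defaced)

    # The attacker re-lists the defaced digests but cannot produce a valid signature.
    forged = {"body": {"serial": 2, "digests": digest_pages(defaced)}, "sig": manifest["sig"]}
    forged_ok = verify_manifest(SIGNING_KEY, forged)

    # A genuine but stale manifest is rejected once a newer serial has been seen.
    replay_ok = verify_manifest(SIGNING_KEY, manifest, last_serial=1)

    return {"clean": clean, "tampered": tampered, "forged": forged_ok, "replay": replay_ok}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:9s} {result}")
```

    The monitor deliberately refuses to report on pages at all when the manifest fails verification: an attacker who can alter content can usually also alter an unsigned list of hashes, which is why the signature is checked first and why the serial is part of what is signed.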

    May 8, 2007

    More on the PTS report


    The newspaper Ny Teknik has also picked up the PTS report and how vulnerable the Swedish Internet providers are. Given my previous posts and the general awareness of how to handle a critical situation, I think PTS should spend more time and energy on making the current Internet work rather than worrying about future protocol development...

    But what do I know...

    The end is near!!!


    Over lunch today, Alan Durand pointed me to the fact that Geoff Huston has published a new run-out date for IPv4.

    Projected IANA Unallocated Address Pool Exhaustion: 13-Dec-2009

    Projected RIR Unallocated Address Pool Exhaustion: 23-Jul-2010

    This is interesting: it means that we have two years to figure out what to do next. My guess is that we will see the trading of IPv4 address space pick up. I also believe that we will see larger deployment of IPv6, even though we don't really know how to use it yet - or at least not how to do better than what we are doing with, for example, routing today.

    As a matter of fact, I believe that we will see initial deployment of IPv6 with the same inherent scaling problems as IPv4, i.e. with PI space and swamp. These are problems that should have been solved when IPv6 was designed - but weren't. Now IPv6 is IPv4 with more addresses (a larger address field), nothing more, nothing less. While this will help us on December 14th, 2009, it is far from enough.

    The IRTF RRG, as well as the IETF shim6 and HIP working groups (at least), are looking at ways to mitigate the problems. Let's hope that this materialises soon.

    May 10, 2007

    F-Secure on the Estonian DDoS

    On F-Secure's blog you can read about the recent attacks on Estonian government sites. The F-Secure blog also points to this excellent report by Helsingin Sanomat. Being in Tallinn for the RIPE meeting, I have had the opportunity to study the work by the Estonian CERT closely, and I am pretty impressed by the co-ordination that is going on.

    May 25, 2007

    The use of technology for "crisis" management

    Every now and then it is suggested that technology can be a useful tool for reaching wide audiences in times of crisis or natural disasters. I think this is a good idea; it is long since FM radio stations were the most obvious way to reach a large percentage of the population.

    I have had the (mis-)fortune to study what I believe to be a somewhat similar event unfold in the last 12 hours. For the weekend, I am planning to go with some of my friends from Verbier to London. Now, as blogged about before, I am therefore of course affected by the SAS strike. While the SAS cabin crew get absolutely no sympathy from me, their poor colleagues at the booking centres do, as they are left to clean up the mess. So yesterday I called SAS to find out what was going to happen. I called at around 8.30 and was advised that more information would be provided at lunch time yesterday - on their web-site. I thought that was a great concept, and at 11.53 news was posted that SAS would indeed cancel a large number of flights today. The disturbing thing was that the only means to fix your ticket was to call SAS - which I did. Now, I couldn't get through to SAS Sweden, so I called the international booking centre in Denmark. They had no information about the strike, but a quick look at their own page told them the same thing I had read. The friendly lady promised to look into it and call back. Unfortunately I got stuck on the phone, but to my surprise she instead sent me an email with confirmation that I had been rebooked through Oslo to London! Great!!! I was impressed!

    At 16.00 SAS even sent out an email, which seems to have gone either to everyone with a reservation or to all EuroBonus members; I can't tell from the email. I was still pretty happy.

    Then I decided to try and check in on-line. It just says I need a paper ticket. I suspected this had to do with the rebooking, and that I got an upgrade to fit on the plane Oslo-London.

    This morning I woke up and realised something funny. At 0.30 I had received an SMS from SAS telling me that there would be a cancelled flight due to the strike. The funny thing is that it appears as if the SMS was sent at 16.00 CET yesterday. Now, my suspicion is that the SAS SMS gateway either could not handle the volume of SMSes they were sending out, or the SMSes somehow got queued at the provider.

    Now this highlights part of the problem of how you do mass notification of people. SMSing people through the mobile phone network seems like a reasonable idea, but seems poor at doing instant notifications, as you will most likely end up with the "New Year's Eve" syndrome, i.e. you just can't get that volume through. Now, I realise that this is a very simplified view of how the mobile network works, but it does hold some truth. The Internet and email, on the other hand, seem readily made for mass distribution, but have the drawback that, short of me and perhaps a handful of others, they are unlikely to work as an immediate notifier. This clearly poses a challenge for crisis management on a national level - in today's world, what do you use for widespread notification instead of FM radio? I think there is a lot of work to be done here, and most likely investments that need to be made in the mobile networks - investments in over-capacity that the network operators are unlikely to pay for.

    As for my flight ticket, I just got an SMS from SAS saying they had fixed my booking and that I can now check in on the web...

    Real lessons learned from the attacks on Estonia


    A friend pointed me to this article that tries to analyse the lessons learnt from the attacks on various web-sites in Estonia.

    I personally think that the article is naive at best.

    First of all, it claims that this was the first government to be attacked; this is certainly not true. While not a government, I was fighting (actually I was in the EUnet NOC watching Pierre and James fight, but anyway) Yugoslav attacks on the NATO web-site during the bombing raids on Zagreb, and I am sure it had been done before. There were also several reports of various forms of attacks against Iraqi infrastructure before the start of the second Iraq war.

    The article goes on to claim that no collateral damage was done. This shows a pretty poor understanding of the nature of these attacks. In most cases there certainly will be collateral damage, as the attacks can be large enough never to reach their intended destination, and therefore infrastructure used to provide service to others is also taken out. However, even the notion of collateral damage gets interesting when you talk about cyber attacks. If I attack an on-line bank web-site used for on-line trading, the users of that site are likely to lose money as they are not able to complete their planned transactions. Is that 'real' damage or collateral damage? Does it matter? The term collateral damage is used in real warfare as a way to separate intended (read legitimate) targets from casualties whose non-loss wouldn't have affected the ability to achieve the intended operational goal. Cyber attacks on banks and/or government web-sites seem highly unlikely to help in achieving such operational goals from a military point of view. Command and control systems of foreign forces, sure - but I am sure the Estonian government would not succumb to Russian rule just because their web-site could not be reached....

    Third, the article brings up the (lack of) panic created by the attacks. Having had the luxury of being invited to the Estonian CERT and the privilege of working with them during the attacks, I can say they were far from panicking. While I don't understand Estonian, so my capability of following local news was limited, I think I dare say that there was no panic among the Estonian population in general either. What I could follow, though, and what I dare say, is that there was far more panic in the international press reports than anywhere else. And here is a real problem with reporting and handling incidents like these. I blogged about this when the DNS root-servers allegedly were attacked. The problem is that while you DO want to inform the public about what is going on, you are at the same time, for operational reasons, hindered from saying all that you know. And the way the press will present the events is likely to help the attacker achieve their purpose more than to help inform the public. This is really worrisome, as we for example have very little insight into how banks are handling on-line extortion etc., and they are also afraid of reporting such events to the police.

    There is plenty more I could say about the article, but I do not want to disclose facts that could damage operations that the people on the ground are working on. Again, this is the sad fact of working with incidents like this: you just can't correct misconceptions in real time, no matter how much you would like to.

    Last, personally I am not so much worried about this being the first attack or the attack happening. We knew that all along; Estonian friends made an effort to point out that as far as they were concerned this was nothing more than cyber riots, i.e. Internet events mirroring the physical events (I think there has been a fair bit of politicising and putting words in mouths going on, but that is just my personal perception) - the two things that DO worry me are that

    1) A point on which I agree with the article: how hard it is to actually bring about arrests in these cases. Even when the criminals are known, and their locations and whereabouts can be tracked, we can't get them behind bars, as legislation and international agreements are lacking. If the IGF is serious about fighting cybercrime and making a difference, this is where it will have to start.

    2) That not more governments are trying to draw their own conclusions and work on contingency plans.

    But that is just me...

    May 27, 2007

    Security through obscurity as an institution

    One of my staff members pointed me to an article by Mikko Hyppönen in Foreign Policy. In this article Mikko argues that a new top-level domain (TLD) like .bank would, for some reason, prevent on-line fraud, at least partially. Mikko seems to be arguing that with a dedicated TLD registry for financial institutions, and a fee high enough to act as an entry barrier, you would have trustworthy bank domains that would be immune to today's phishing attempts.

    I don't believe in this for a second. Even if we ignore the fact that creating a rule-set that would identify all the world's known financial institutions would be really hard, and the fact that an entry-barrier fee would most likely keep developing countries out - which goes counter to all current Internet policy development - it still can't be made to work.

    First of all, Mikko suggests that $50,000 would somehow deter criminals. I don't think it will; it just raises the price of producing phishing sites.

    Second, with the suggested system, a "compromised" domain that managed to get registered under this TLD would be invaluable to the criminals, as it would come with automatic trust from the end-users.

    Third, without a wider look at security - route monitoring, signed web-sites (why is only the part of a bank's web-site where I do my transactions signed?), DNSSEC etc. - any form of validation at the point of registration is more or less meaningless.

    No, I think the proposal is trying to reach higher end-user confidence levels through security obfuscation. This will work until the registry gets compromised (and it will), and then the effects are much worse and far-reaching.

    May 29, 2007

    Finally fixed the RSS feed formatting...


    I finally managed to get the formatting to work somewhat in the RSS feed index of the blog. If anyone has any more problems, please let me know...

    May 31, 2007

    Top spammer arrested

    CNN this morning (morning in Boston, MA; I am here for the IAB annual retreat) reports that one of the world's top 10 spammers, Robert Soloway, has been arrested and now risks 65 years in prison. While I certainly applaud the arrest, CNN also went on to say that this might mean less spam in your inbox.

    I don't believe that. I think the only thing the arrest will do is give the nine remaining top-10 spammers more margin and more customers. And this highlights the problem with international crime prevention on the Internet: it's non-existent. The governments of the world really need to act and work here, as my friend Patrik Fältström notes. I will note the silliness of us linking to each other's posts on roughly the same topic - but there is an observation to make. Patrik is actually a member of the IGF advisory group. If he can influence his colleagues or bring more of these issues to the table, I think we might have success.

    And I do agree with Patrik that these are much more real and pressing issues than who administers the DNS root-zone - as that actually works. Today we most of the time know who is behind DDoS attacks, spam etc. That is the beauty of the Internet: you leave loads of traces behind you. The problem is to bring these criminals to court and to jail.

    June 2, 2007

    Excellent presentation on current state on DDoS attacks


    I was pointed to the following presentation by Ofer Maor at Hacktics. The presentation outlines the history of DoS attacks, the background and driving forces for them, and the current state. It goes on to talk about a "relatively" new DoS threat in the form of application-layer attacks, i.e. using poorly designed or maintained application set-ups to attack the victim.

    The last part of the slide deck is an overview of a real study of a web-site and how few resources are actually needed on the attacker's end. The findings are pretty impressive. That said, I would argue that these types of attacks are actually somewhat harder to execute than traditional ones, like botnets, if for no other reason than that they take some more studying of the victim site (although in their example a night was enough). What scares me somewhat, though, is that the fixes to these types of attacks that are listed, taken together, are nothing more than good coding practice and good system administration practice.

    As is noted in the presentation on their trial, this was not a company that was ignoring security - on the contrary - but they were still vulnerable. I have no knowledge of the company or the test performed, but I do observe a few things. In large companies the group running the system is normally separate from the group developing the on-line tools (if that is not outsourced or simply a bought product), which in turn might be separate from the group that handles security. In a world of application-layer attack threats, we need to have these groups work much more closely integrated, and we need to make sure that web development using the current languages and tools is brought up to speed on good programming methodology. I worry that as more and more web applications are written in "easy to use" tools and languages like Flash, Flex etc. we are losing the tools for building checks and balances into the applications. But maybe I am just old :-)
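    The asymmetry the presentation describes, as an added example (this is not code from the Hacktics study or from this post): a lookup handler where one cheap request causes a full scan of the data set per requested id, beside the same handler with the work per request bounded, an index instead of a scan, and a per-client token bucket. The catalogue, the client names and the limits are all constructed for the demonstration.

```python
"""Application-layer DoS: a cheap request that is expensive to serve, beside a
hardened version of the same handler. Added example for this post; it is not
code from the Hacktics presentation. Catalogue, clients and limits are constructed."""
import time
from collections import defaultdict

# Constructed data set; a real site would hit a database here.
CATALOGUE = [{"id": i, "name": f"item-{i:05d}"} for i in range(5_000)]
INDEX = {row["id"]: row for row in CATALOGUE}  # O(1) lookup used by the hardened handler


def lookup_naive(ids):
    """Vulnerable handler: one request may ask for any number of ids, and each id
    triggers a scan of the catalogue (a full scan when the id does not exist).
    Cost = len(ids) * len(CATALOGUE) in the worst case, so a few hundred such
    requests per second from one laptop saturate the server.
    Returns (rows, rows_scanned) so the cost is visible."""
    scanned = 0
    rows = []
    for wanted in ids:
        for row in CATALOGUE:
            scanned += 1
            if row["id"] == wanted:
                rows.append(row)
                break
    return rows, scanned


class TokenBucket:
    """Per-client rate limiter. The clock is injectable so that behaviour is
    deterministic in tests (default: time.monotonic)."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.tokens = defaultdict(lambda: capacity)
        self.last = {}

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.refill)
        if self.tokens[client] < 1:
            return False
        self.tokens[client] -= 1
        return True


MAX_IDS_PER_REQUEST = 10           # constructed limit
limiter = TokenBucket(capacity=20, refill_per_sec=5)


def lookup_hardened(client, ids, bucket=limiter):
    """Hardened handler: a token is charged before any work is done, the number
    of ids a single request may carry is bounded, and lookups go through the
    index. Returns (http_status, rows, rows_touched)."""
    if not bucket.allow(client):
        return 429, [], 0
    if len(ids) > MAX_IDS_PER_REQUEST:
        return 400, [], 0
    rows = [INDEX[i] for i in ids if i in INDEX]
    return 200, rows, len(rows)


if __name__ == "__main__":
    _, cost = lookup_naive([99_999] * 300)        # 300 ids that do not exist
    print("naive handler scanned", cost, "rows for one request")
    print("hardened:", lookup_hardened("attacker", [99_999] * 300)[0])
```

    Note that the hardened handler charges the token before validating the request, so malformed or oversized requests still count against the client; the fixes are exactly the "good coding practice and good system administration" the post refers to, nothing exotic.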

    June 30, 2007

    The IPv6 tragedy of the commons


    In a recent ZDNet article we read that Jay Daley of Nominet, the .UK registry, is concerned with the current allocation policies for IPv6 addresses in the RIPE region.

    While I know Jay, I haven't actually asked him how accurate the reporting is. What I will note on the general thrust of the article is that the policies in the RIPE region are set by the RIPE membership. And that is not the membership of the RIPE NCC, as is often thought. It's you, and me. And you don't even have to attend the RIPE meetings; just subscribe to the mailing list and post your proposals. Which is actually what has happened, even several times.

    The article incorrectly and misleadingly reports that a proposal for provider-independent addresses was only submitted to the RIPE policy process on May 22. In fact the first proposal was submitted over a year ago and has only received lukewarm support so far. What is happening is that the current requirement for an LIR to show roll-out to 200 customers in two years is likely to get removed.

    This change in policy keeps the only entry barrier for an IPv6 address block at becoming an LIR, i.e. the barrier is monetary. Fair or not, I am in favour of entry barriers. Why? Well, first of all, I believe that we can all agree that one of the promises of IPv6 is that we have enough addresses to give one to each end-node, and with this we have the potential to simplify the Internet architecture as we don't need to worry about NATs. That said, I think we also know how to handle an Internet architecture with NATs, and we might still have to do so; it's just that we would be better off not having to. The role of NATs is important to understand when trying to understand the development of address policies for IPv6. NATs in IPv4 play the important role of hiding renumbering events from the network administrator. Typically networks connect to the Internet through a firewall that also acts as a NAT device. This means that when the network, for example, changes provider and therefore gets allocated new addresses out of the new provider's PA block, the only thing that changes is the outside address of the firewall.

    In the above ZDNet article it is argued that the lack of a PI address policy is a hindering factor for IPv6 deployment. In other conversations Tim Chown said that this is just a report of what is being given as reasons. I am sure this is true, but it is in stark contrast to the minuscule number of allocated IPv4 PI blocks compared to IPv4 PA blocks. Unfortunately the RIPE NCC stats file doesn't provide an easy way to calculate the number of addresses in each category, so you will have to trust my experience on this. Now, I am sure that if there was NAT for IPv6, no one would complain about the current allocation policies, short of the few that have IPv4 PI space (and most of them do for historical reasons and wouldn't qualify today). So personally I believe the real reason for complaints is the combination of the lack of an IPv6 PI policy and the lack of NAT for IPv6.

    Either a PI policy or NAT for IPv6 comes with a problem. With NAT we know that things like referrals become much more troublesome. With PI space for everyone we know that we will have a rapidly growing routing table. What is seldom realised outside the people that have worked with this and studied it is that these are very tightly linked. If we don't get NATs there will be more entries as people decide to multihome. To some extent this boils down to renumbering problems, but I will group these under NAT mechanisms (simply as no one has come up with a renumbering technology that beats NAT).

    Now, we are basically faced with three choices. The first option is the status quo, waiting for new technology such as shim6, HIP or any other locator/ID split-like solution. The second option is to relax the allocation policies and hope that there is some sort of natural upper bound that will kick in and cap the growth of routes (this could be financial, for example). This also includes some level of wishful thinking that either at some point in the future, when new technology becomes available, we can do loc/ID splits, or that new technology becomes available that will make the size of the routing table a non-issue. Neither seems likely at the moment. The third and last option is to deploy NAT as we have for IPv4, with all its known shortfalls. With this we hope that in the future we can solve the above problems, and that end-to-end communication without NATs is such an advantage over NATs (and that this can be explained) that sites will migrate away from NATs to 'native' IPv6 addresses.

    I certainly don't like any of the above options. Sadly the last option, with NATs, might be the only real one left for us until the scarcity of IPv4 addresses becomes too painful. I don't have the answer; I have just tried to outline the options on the table and the cost of each of them. I believe that anyone arguing for one solution or the other - including changing the address allocation policies - should argue why that is a better option than the other two. I also believe that a heavy burden falls on the various IPv6 lobby groups that, with government money behind them, have ignored real operational issues for so long and just pushed their own agenda. They should stand up and explain how they believe deployment should be done and why one option is better than the other. They can no longer have their cake and eat it.

    Updated 2007-07-09: Changed IPv5->IPv6 as Patrik pointed out. Thanks!

    July 9, 2007

    Photosynth

    I have been playing around a bit with Microsoft's Photosynth, based on Seadragon. I found them through a TED presentation. Maybe I am getting old, but to be honest applications like these are what I believe will drive future network growth and development. If this is Web 2.0, maybe I am finally starting to understand all the hype. It is pretty cool....

    July 11, 2007

    Pitfalls with IPv6

    Last night the following security vulnerability was disclosed on Bugtraq (at least that is where I saw it):

       Advisory ID: SYMSA-2007-005
    Advisory Title: Vista Windows Firewall Incorrectly Applies
                    Filtering to Teredo Interface
            Author: Jim Hoagland / Ollie Whitehouse
      Release Date: 10-07-2007
       Application: Windows Firewall (Vista version)
          Platform: Windows Vista (RTM and RC2 builds known affected;
                    XP, 2003 would not be affected)
          Severity: Unintended remote exposure to services
     Vendor status: Resolved in MS07-038
        CVE Number: CVE-2007-3038
         Reference: http://www.securityfocus.com/bid/24779
    
    

    Overview:

    Windows Firewall for Windows Vista is the Microsoft provided
    firewall solution. It is installed and enabled out-of-the-box,
    with most ports filtered.

    Due to an implementation issue, the Windows Firewall does not
    apply firewall rules correctly on the Teredo Interface. This
    allows a level of remote access to TCP and UDP ports and services
    that exceeds what Microsoft expected and what an administrator
    would expect.


    This is a very important issue. We have already seen attacks, and systems left wide open at large scale, due to a lack of planning around security when deploying IPv6. It can't be stressed enough that when IPv6 is deployed and implemented, security policies need to be ported and adapted to IPv6. There have been plenty of examples where this has not been done at all - but there are also examples of where it has been done extremely poorly. Take the trend among firewall vendors to ship firewalls pre-configured to only allow known extension headers. While this might seem like a good thing to do, the inertia in system admins adapting their systems to up-to-date standards basically renders new extension headers useless. We have seen this before, for example in the deployment of EDNS0 for DNS, where widely deployed firewalls dropped all DNS packets larger than 512 bytes...
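    To make the extension-header point concrete, here is an added example (not from the advisory or from this post) that walks an IPv6 extension-header chain on hand-constructed packets and applies two policies to it: an allow-list of the extension headers a firewall might have shipped with, and a policy that walks the whole chain and decides on the upper-layer protocol and port. The header numbers are the IANA protocol numbers; the packets, the allow-list and the port list are constructed for the demonstration.

```python
"""Walking an IPv6 extension-header chain and applying two firewall policies.
Added example, not code from the advisory or the original post. Packets below
are constructed by hand; addresses are all zeros because they do not matter here."""
import struct

# Next Header values from the IANA protocol-numbers registry.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
AH, MOBILITY, HIP, SHIM6 = 51, 135, 139, 140
TCP, UDP, ICMPV6, NO_NEXT_HEADER = 6, 17, 58, 59

# Headers with the generic layout: Next Header (1 octet), Hdr Ext Len (1 octet,
# in 8-octet units, not counting the first 8 octets), then options/data.
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY, HIP, SHIM6}
UPPER_LAYER = {TCP, UDP, ICMPV6, NO_NEXT_HEADER}


def walk_chain(packet: bytes):
    """Return (extension headers in order, upper-layer protocol, offset of the
    upper-layer header). Raises ValueError on a truncated or unknown chain."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack("!HB", packet[4:7])
    if len(packet) < 40 + payload_len:
        raise ValueError("truncated packet")
    chain, offset = [], 40
    while nxt not in UPPER_LAYER:
        if nxt == FRAGMENT:            # fixed 8 octets
            hdr_len = 8
        elif nxt == AH:                # length in 4-octet units, minus 2
            hdr_len = (packet[offset + 1] + 2) * 4
        elif nxt in GENERIC_EXT:
            hdr_len = (packet[offset + 1] + 1) * 8
        else:
            raise ValueError(f"unknown next header {nxt}")
        if offset + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append(nxt)
        nxt = packet[offset]
        offset += hdr_len
    return chain, nxt, offset


# Constructed policy data: what a box might have shipped with, and what we allow in.
SHIPPED_ALLOW_LIST = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH}
ALLOWED_TCP_PORTS = {80, 443}


def transport_allowed(packet, proto, offset):
    """Decide on the upper layer: TCP to an allowed port, or ICMPv6 (which IPv6
    needs for neighbour discovery and path MTU discovery)."""
    if proto == TCP and len(packet) >= offset + 4:
        dst_port = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        return dst_port in ALLOWED_TCP_PORTS
    return proto == ICMPV6


def policy_known_only(packet):
    """The pattern the post criticises: any extension header that was not on
    the list when the firewall shipped gets the packet dropped."""
    try:
        chain, proto, offset = walk_chain(packet)
    except ValueError:
        return "DROP"
    if any(h not in SHIPPED_ALLOW_LIST for h in chain):
        return "DROP"
    return "ACCEPT" if transport_allowed(packet, proto, offset) else "DROP"


def policy_by_transport(packet):
    """Walk every header the parser understands and decide on the transport;
    a chain the parser cannot follow is still dropped, since nothing behind it
    can be inspected."""
    try:
        chain, proto, offset = walk_chain(packet)
    except ValueError:
        return "DROP"
    return "ACCEPT" if transport_allowed(packet, proto, offset) else "DROP"


# Packet builders for the constructed test packets.
def ipv6(next_header, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload


def ext_header(next_header, data=b""):
    """Generic extension header, padded to a multiple of 8 octets."""
    body = bytes([next_header, 0]) + data
    body += bytes(-len(body) % 8)
    return body[:1] + bytes([len(body) // 8 - 1]) + body[2:]


def tcp(dst_port):
    """Minimal 20-octet TCP header; only the ports are meaningful here."""
    return struct.pack("!HH", 40000, dst_port) + bytes(16)


if __name__ == "__main__":
    mobility = ipv6(MOBILITY, ext_header(TCP, b"\x05\x00") + tcp(443))
    print("Mobility header, TCP/443:", policy_known_only(mobility), policy_by_transport(mobility))
```

    The Mobility header packet is the interesting case: it is a perfectly good HTTPS connection, but the allow-list policy drops it because Mobility was not on the list the box shipped with, which is exactly how a newer header becomes unusable in practice.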

    July 12, 2007

    The responsibility of Google


    I read on TechCrunch that the National Legal and Policy Center in the US has released a study on how Google is helping facilitate violations of copyright law. This is allegedly done with videos uploaded to YouTube.

    The TechCrunch article goes on to point out that Google doesn't always actually host the content, but it helps users find it. This is an interesting observation in the light of recent events in Sweden. We all remember that Swedish police a year ago raided The Pirate Bay, a so-called BitTorrent tracker. The tracker does not actually store any of the torrents; it only provides a way to register and search them. At first this looks just like what Google does.

    So as TPB got raided, shouldn't the Swedish police also raid Google? In a way Google has been raided, or at least sued by Viacom for copyright infringement. But that lawsuit is over the fact that Google actually hosts content - not over the indexing part.

    Now to the interesting observations. During the last weekend blogs and news in Sweden have been filled with the fiasco of the Swedish police trying to list TPB on the child-pornography site list that they hand over to Swedish ISPs. Access to sites on this list gets blocked by the ISPs. The police alleged that child porn had been reported and found in torrents on TPB (but AFAIK they have yet to actually share which torrents with the TPB operators so they could be removed...). On Monday the police apparently had changed their mind and issued a press release saying that due to co-operation by the TPB operators they would not get listed. This silliness has brought a lot of harm to some of the serious work on trying to mitigate child pornography, but it has also brought some long overdue legal review of the entire system - a review that does not put either the police or the system in a favourable light. However, in all these discussions a much more interesting point has been brought up. By the precedent set by the police, torrent trackers that are merely indexing content can be held liable, but how come this does not apply to all? It was pointed out in a few forums that through Google as well you can find child pornography. Actually, not only by searching - it is actually hosted by Google.

    Google provides a cached copy of a lot of the links that it indexes. Links that lead to pages with child-pornographic material are therefore also cached - and therefore hosted - by Google. Possessing or hosting these images is a crime in Sweden. This crime has been reported to the Swedish police by several individuals. Based on previous actions by the Swedish police, I look forward to reading about the raid, or the request for assistance from US police, in this case.

    That Google long ago abandoned the 'Don't be evil' policy of its slogan is well known; the fact that pure market cap seems to make a difference in serious cases such as child pornography is just disgusting. I seriously hope that the amateurishness shown by the police was a one-off event, that they now focus on real crimes like child pornography, that they go for the real content rather than indexes, and that Google starts living up to its self-proclaimed policy goal.

    July 16, 2007

    On the exhaustion of IPv4 addresses...


    In a private discussion I scribbled some points on the upcoming exhaustion of IPv4 address space. Geoff Huston, as always, has insightful comments on the modelling of IPv4 address consumption in his latest ISP Column.

    My personal views are that

    1) Yes, we will eventually run into scarcity of v4 addresses. 'Run-out' might be a bit loaded and perhaps misleading, as I believe we will start seeing problems before this.

    2) Looking at who is best placed to handle this - the IETF, the RIRs etc. - I think the IETF is somewhat fooling itself here, at least maybe. The people who will first start feeling the pain of v4 exhaustion are from parts of the world that are poorly represented in the IETF, while the general IETF participants probably won't start seeing real pain for years to come. This is not an attempt at picking on the IETF; it is merely an attempt to highlight a cultural issue. The discussion on what to do when we run out of IPv4 addresses has been loudest on the ARIN public policy mailing list - the RIR region with the least IPv6 uptake and the most IPv4 addresses.

    3) The IETF has pointed to IPv6 as its solution to the address scarcity. As 'just more bits' doesn't seem to have been enough to sell the technology in the initial deployment stages, it was oversold and hyped by some forces/players. This has potentially done more harm than good to the actual usage of IPv6. I think the IETF needs to stick to the story - this is the solution to the address scarcity problem - and no, it doesn't address all the other known problems with the Internet architecture. [Yes, I realise that if I said this in public I would get bashed to pieces by the people from the 'IPng wars'; still, looking at it as a latecomer, it's hard to see more in this.]

    4) IPv6, being IPv4 with more addresses, does have the inherent problems of IPv4. We know that; we have worked on potential solutions and continue to address the problem. While far from ideal, we can deploy IPv6 'as-is' with known faults. There could be potential to discuss whether there are actions that can be taken to mitigate these problems - allocation policies etc.

    5) The IETF does not do allocation policies - that is left to the RIRs, for IPv4 and IPv6 alike. What happens when we run out of v4 is a problem to be dealt with by the RIRs. However, if the RIRs need technology from the IETF to support them in this (SIDR for example), the IETF should work on the protocols and technology.

    6) We should certainly look at what opportunities arise from having more addresses, and at what other work is being done - like Mobile IPv6 - and see if there is additional work that could be done in this space.

    Now, all we need to do is get to work...

    July 17, 2007

    More IXes in Africa

    Through the ITU Strategy and Policy blog I read about an article that indicates that the number of IXes in Africa is on the rise and that currently 11 sub-Saharan countries have their own IX. The article goes on to quote a figure of USD 100M a year as the potential saving, just for Nigeria, from increased peering.

    The above is an important development if true. I have little insight into these IXes, their structure, pricing and governance models, but if they are truly neutral not-for-profit IXes, it is indeed good news. The problem in many Asian and African countries has otherwise been just that: their model. In many of the countries that would benefit most from an active IX, there are also often strong PTTs. These PTTs are either still monopolies or have strong ties to the government. These PTTs also tend to have either a direct or a de facto monopoly on international transport capacity. So it is not in the PTTs' (and therefore often not in the governments') interest to cut the amount of traffic carried over their international links.

    This situation leads to several problems, the most obvious being that it drives up costs for the end-users. A less obvious one might be the hampering of development of local services. It's worth keeping in mind that ICT development just by itself in a country is worth nothing. It must be accompanied by services needed by the local population, in a form they can use. An on-line book-store is worth little in a country with a high illiteracy rate. Access to the vastly English-speaking Web is useless if the local knowledge of English is not high. So local content is key to a useful and sustainable ICT development process. But in order for this to succeed the services must be 1) affordable to use and 2) affordable to produce, i.e. the services need to be produced by locals for locals. This is where artificially high access prices hamper development.

    So, if the data in the ITU story is indeed true, and not just a twist on a new billing model for the local PTTs, this indeed looks promising for the African continent. Then we just need the entrepreneurs to produce the local content!

    August 7, 2007

    The tragedy of the firmware...

    At the recent IEPG meeting there was an interesting presentation about open resolvers on the Internet. Unfortunately I missed it, as I had to be in the IAB meeting at the time. However, reading the last slides about how these resolvers are embedded in the firmware of SOHO routers makes me worry a bit. These boxes are being brought up more and more often as problems due to features (or the lack thereof) in their firmware. It 'started' with the hardcoded NTP servers as documented in RFC 4085. Recently these boxes have been highlighted as a potential problem area in the deployment of dual-stack (or any transition mechanism) for IPv6.

    While I certainly appreciate that these boxes must be made dead simple to use, I am starting to worry even more about their apparent lack of easy upgrade facilities. Imagine someone finding a security issue in one of these that can be exploited for an amplification attack (actually, that is what the presentation above alludes to). How are we going to fix this? I believe that the Ciscos, Linksyses, Netgears and ZyXELs of today are the Microsofts of yesterday. These systems need a simple, authenticated, trustable semi-automatic upgrade function, so that new features and security patches can be pushed out. Actually not only the home xDSL etc. routers, but all the more intelligent devices such as 'WLAN routers' (I just love that term) etc. as well. This is as true for these boxes as for home PCs, as most of them are owned by their users and are therefore 'unmanaged' (i.e. the provider has no control). Come to think of it, this might be a use area for a protocol like NEA, much more so than for workstations.
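    What "authenticated, trustable" would have to mean on the device side, as an added example (not any vendor's code, and not from this post): a signed manifest naming the model, a version number and the image digest, verified in that order before the image is touched, with the version check giving anti-rollback. The manifest format, device state and key are constructed. The example uses an HMAC as a stand-in for the signature so that it runs with the Python standard library alone; a real device would verify a vendor public-key signature instead, because a shared secret extracted from one box would let anyone sign updates for every box of that model.

```python
"""Minimal authenticated firmware-update check for a SOHO router. Added example,
not vendor code. Manifest format, device state and key are constructed; hmac
stands in for a public-key signature (see the note above the block)."""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-key-do-not-use"   # stand-in for the vendor signing key


def canonical(manifest: dict) -> bytes:
    """Signatures must cover a canonical encoding, or a reordered JSON object
    with the same fields would fail to verify (or, worse, a different one pass)."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: sign the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).digest()


def build_update(model: str, version: int, image: bytes):
    """Vendor side: produce (manifest, signature) for an image."""
    manifest = {"model": model, "version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest)


class Device:
    """Device side. The only state the check needs is the model name and the
    version currently installed (which must live in storage the update cannot
    overwrite, otherwise the rollback check is meaningless)."""

    def __init__(self, model: str, version: int):
        self.model, self.version = model, version

    def check_update(self, manifest: dict, signature: bytes, image: bytes) -> str:
        """Return 'apply' or the reason the update is refused. Order matters:
        nothing in the manifest is trusted before the signature is verified."""
        if not hmac.compare_digest(sign_manifest(manifest), signature):
            return "refused: bad signature"
        if manifest.get("model") != self.model:
            return "refused: image is for another model"
        if manifest.get("version", 0) <= self.version:
            return "refused: not newer than installed (rollback)"
        if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
            return "refused: image does not match manifest"
        return "apply"

    def apply(self, manifest: dict, signature: bytes, image: bytes) -> str:
        verdict = self.check_update(manifest, signature, image)
        if verdict == "apply":
            self.version = manifest["version"]   # flashing the image would go here
        return verdict


if __name__ == "__main__":
    box = Device("wlan-router-x", version=3)
    manifest, sig = build_update("wlan-router-x", 4, b"constructed firmware image v4")
    print(box.apply(manifest, sig, b"constructed firmware image v4"), "-> now version", box.version)
    print(box.apply(manifest, sig, b"constructed firmware image v4"))   # replay of the same update
```

    The device checks the image digest last on purpose: the digest in the manifest is only worth anything once the manifest's signature has been verified, and the version comparison rejects a replayed or older signed update before any image bytes are looked at.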

    August 8, 2007

    The solution to Climate Change : IPv6 (or maybe not)

    I came across this article on IPv6 deployment in Malaysia. Let me first start out by saying that I am not against government initiatives towards stimulating deployment of IPv6. For example acting as a stimulating customer and demanding that all their suppliers be IPv6 capable, or making all their own services reachable over IPv6 (eat your own dog-food. Take the employers of the IPv6TF board members and try to reach their web-sites over IPv6...). I would even think that raising customer awareness and consumer protection by certifying IPv6 capabilities (or IPv4 for that matter...) would most likely be a good thing. What I do not think is a good thing is a government mandated transition to IPv6, as is the case in Malaysia. It forces investments with no immediate return. These investments could have gone towards infrastructure rather than to a protocol with no content and no benefit for the end-users.

    The article above also has some memorable highlights that illustrate what I have previously described as "IPv6 hyperbole". Let's take:

    The other advantages of IPv6 are that it saves power consumption and provides multimedia content with greater efficiency, its proponents say.

    To the best of my understanding IPv6 increases power consumption for forwarding and routing of packets due to the larger addresses. Unless the HW vendors I talk to are mistaken. That aside, I think it's a remarkable comment made with no backing facts or analysis.


    How about eating some of that dog food...

    Following my last post, I couldn't resist the temptation to go and check. Check IPv6 connectivity of the IPv6 Task-Forces that is.

    Europe

    Let's start with the European IPv6 Task Force then...we find them here. At least they have IPv6

    laptop3:~$ dig +short www.ipv6tf.org aaaa
    2a01:48:1::2e0:81ff:fe05:4658

    On that page we can read

    "Our objective is to ensure that Europe's competitiveness in wireless technology is not jeopardised by the lack of a clear road map towards IPv6," European Enterprise Commissioner Erkki Liikanen said in his opening speech to the IPv6 Task Force.

    laptop3:~$ dig +short www.eu.int aaaa
    laptop3:~$

    Oops.

    I can't seem to find out who else is supporting the European Task Force though. The web-site(s) do leave a lot to be desired....

    North America


    Here we are more out of luck

    laptop3:~$ dig +short www.nav6tf.org aaaa
    laptop3:~$

    Oops again...

    The NAv6TF at least has a list of their steering group and other advisors. Let's look at how well their employers and organizations support IPv6.


    Jim Bound - Chair
    (IPv6 Forum CTO / Senior Fellow, Hewlett Packard)

    laptop3:~$ dig +short www.hp.com aaaa
    www.hpgtm.nsatc.net.

    Hmm, CNAME, so...

    laptop3:~$ dig +short www.hpgtm.nsatc.net aaaa
    laptop3:~$

    Latif Ladid - Vice Chair and Marketing Director
    (IPv6 Forum President / Internet Society Board Trustee / Chair EU IPv6 Task Force)

    See above.

    Geof Lambert - Vice Chair and Projects Director
    (Chair California IPv6 Task Force, Maxon Search Group)

    laptop3:~$ dig +short www.maxsonsearch.com aaaa
    laptop3:~$

    Yanick Pouffary - Technology Director
    (IPv6 Technical Directorate / HP Distinguished Technologist)

    See above

    Tony Hain - Technology Director
    (IPv6 Forum Technical Directorate / Cisco IPv6 Technical Leader)

    laptop3:~$ dig +short www.cisco.com aaaa
    laptop3:~$

    David Green - Technology Director
    (IPv6 Forum ExCom/ Director, Command Information)

    laptop3:~$ dig +short www.commandinformation.com aaaa
    2610:f8:c38:22::30:223

    Renee Esposito - Network Information Assurance Advisor
    (Booz Allen Hamilton)

    laptop3:~$ dig +short www.boozallen.com aaaa
    www.boozallen.com.att-idns.net.
    laptop3:~$ dig +short www.boozallen.com.att-idns.net aaaa
    laptop3:~$

    Erica Johnson - Network Deployment Advisor
    (University of New Hampshire Interoperability Lab Managing Engineer)

    laptop3:~$ dig +short www.unh.edu aaaa
    laptop3:~$

    John Loughney - Network Mobility Advisor
    (IPv6 Technical Directorate / Principle Researcher, Nokia)

    laptop3:~$ dig +short www.nokia.com aaaa
    laptop3:~$

    John Brzozowski - Network Systems Integration Advisor
    (Chair,Mid-Atlantic IPv6 Task Force/ IPv6 Architect, Comcast)

    laptop3:~$ dig +short www.comcast.com aaaa
    laptop3:~$

    Yves Poppe - Network Telecommunications/Provider Advisor
    (Director, IP Strategy, Teleglobe Canada)

    laptop3:~$ dig +short www.teleglobe.ca aaaa
    www-ca.teleglobe.com.
    webredirect.teleglobe.com.
    laptop3:~$ dig +short www-ca.teleglobe.com aaaa
    webredirect.teleglobe.com.
    laptop3:~$ dig +short webredirect.teleglobe.com aaaa
    laptop3:~$

    Tim Chown - Network Application Advisor
    (Co-chair IPv6 Forum's Education and Awareness WG, Professor at University of Southampton)

    laptop3:~$ dig +short www.soton.ac.uk aaaa
    virtualweb.sucs.soton.ac.uk.
    laptop3:~$ dig +short virtualweb.sucs.soton.ac.uk aaaa
    laptop3:~$

    Larry Levine - Network Emergency Response Advisor
    (Program Director, Combat Systems Communications, CECOM, FT Monmouth, U.S. Army)

    laptop3:~$ dig +short www.monmouth.army.mil aaaa
    laptop3:~$

    Joya Subudhi - Public Relations Advisor
    (President, Subudhi Consulting Group)

    laptop3:~$ dig +short www.subudhi.com aaaa
    laptop3:~$

    Ozzie Diaz - Wireless Network Advisor
    (Consultant and Wireless Network SME)

    See HP above...


    Brett Thorson - Network Integration & Security Advisor
    (Network Scientist - RavenWing Inc.)

    laptop3:~$ dig +short www.ravenwing.com aaaa
    ravenwing.com.
    laptop3:~$ dig +short ravenwing.com aaaa
    laptop3:~$

    Advisory Council
    Vint Cerf - Advisory Council
    (Honorary Chairman IPv6 Forum / Chief Internet Evangelist, Google)

    laptop3:~$ dig +short www.gogole.com aaaa
    www.google.com.
    www.l.google.com.
    laptop3:~$ dig +short www.l.google.com aaaa
    laptop3:~$


    Jessica Little - Advisory Council
    Rick Summerhill - Advisory Council
    (Associate Director, Internet2)

    laptop3:~$ dig +short www.internet2.edu aaaa
    laptop3:~$

    Marc Blanchet - Advisory Council
    (IPv6 Forum Technical Directorate / President, Viagenie)

    laptop3:~$ dig +short www.viagenie.qc.ca aaaa
    jazz.viagenie.qc.ca.
    laptop3:~$ dig +short jazz.viagenie.qc.ca aaaa
    laptop3:~$

    Frank Cuccias - Advisory Council
    (Program Manager, SI/SE&IS, Lockheed Martin)

    laptop3:~$ dig +short www.lockheedmartin.com aaaa
    laptop3:~$

    Kim Hemphill - Advisory Council
    (Senior Project Manager, Raytheon)

    laptop3:~$ dig +short www.raytheon.com aaaa
    laptop3:~$


    Terry Davis - Advisory Council
    (CIO, Connexion by Boeing)

    laptop3:~$ dig +short www.boeing.com aaaa
    www.lb.boeing.com.
    laptop3:~$ dig +short www.lb.boeing.com aaaa
    laptop3:~$

    Yurie Rich - Advisory Council
    (Director of IPv6 Operations, Command Information)


    See Above


    Asia Pacific

    laptop3:~$ dig +short www.ap-ipv6tf.org aaaa
    laptop3:~$


    Oops.

    We find their Advisory board and do the same test

    Mr. Dong Liu, CEO & President of BII Group and Beijing Internet Institute

    laptop3:~$ dig +short www.biigroup.com aaaa
    laptop3:~$


    Jun Murai, Professor, Keio University

    laptop3:~$ dig +short www.keio.ac.jp aaaa
    laptop3:~$

    Dr. Hyeong-Ho Lee, President of IPv6 Forum Korea

    laptop3:~$ dig +short www.ipv6.or.kr aaaa
    ipv6.or.kr.
    laptop3:~$ dig +short ipv6.or.kr aaaa
    laptop3:~$


    Dr. Mohamed Awang Lah, CEO, Jaring, Malaysia

    laptop3:~$ dig +short www.jaring.my aaaa
    laptop3:~$

    Dr. Feipei Lai, President of TWNIC

    laptop3:~$ dig +short www.twnic.net.tw aaaa
    laptop3:~$

    And for their Steering Committee

    Mr. Zhenzhou Lei, Senior Specialist of MII, Former Chief Engineer of China Academy of Telecommunications Research of MII, Former Director of Telecom S&T Information Research Institute of MII, Deputy Director of Policy and Resource Committee of Internet Society of China

    laptop3:~$ dig +short www.mii.gov.cn aaaa
    laptop3:~$

    laptop3:~$ dig +short www.isc.org.cn aaaa
    laptop3:~$

    Mr. Xing Li, Professor of Tsinghua University, Deputy Director of China Education and Research Network (CERNET)

    laptop3:~$ dig +short www.tsinghua.edu.cn aaaa
    www.d.tsinghua.edu.cn.
    2001:da8:200:200::4:100

    laptop3:~$ dig +short www.edu.cn aaaa
    laptop3:~$

    Mr. Le Ricky Lu, Director of Strategic Co-operation Group of 6TNet (IPv6 Telecom Trial Network) of MII, Global Strategy Executive Director of BII Group

    See above

    Mr. Hemanth Dattatreya, President, IPv6 Forum India

    laptop3:~$ dig +short ipv6forum.in aaaa
    laptop3:~$ dig +short www.ipv6forum.in aaaa
    laptop3:~$

    Gopi Garge, Vice-President, IPv6 Forum India

    See above


    Takashi Arano, CTO, Intec NetCore, Inc.

    laptop3:~$ dig +short www.inetcore.com aaaa
    Pandora.inetcore.com.
    2001:200:562:3::6

    Kosuke Ito, Canon Inc

    laptop3:~$ dig +short www.canon.com aaaa
    laptop3:~$

    Tomohiro Fujisaki, NTT

    laptop3:~$ dig +short www.ntt.co.jp aaaa
    laptop3:~$ dig +short www.ntt.com aaaa
    laptop3:~$

    HyoungJun Kim, Director of IPv6 Forum Korea, Leader of NGI Standards Team in ETRI

    laptop3:~$ dig +short www.etri.re.kr aaaa
    laptop3:~$

    Dr.YuJung Kim, Chair of Application WG in IPv6 Forum Korea, Leader of NGI Team in NCA


    laptop3:~$ dig +short www.nca.co.kr aaaa
    laptop3:~$

    Winston Seah, Lead Scientist and Manager, Networking Department, Institute for Infocomm Research (I2R), Associate, Singapore Advanced Research and Education Network (SingAREN)

    laptop3:~$ dig +short www.i2r.a-star.edu.sg aaaa
    garnet.i2r.a-star.edu.sg.
    laptop3:~$ dig +short garnet.i2r.a-star.edu.sg aaaa
    laptop3:~$

    laptop3:~$ dig +short www.singaren.net.sg aaaa
    hakkar.singaren.net.sg.
    laptop3:~$ dig +short hakkar.singaren.net.sg aaaa
    laptop3:~$

    James Seng, Assistant Director, Enabler Technologies, Technology Group, Infocomm Development Authority (IDA)

    laptop3:~$ dig +short www.ida.gov.sg aaaa
    laptop3:~$

    Dr. Peter Fu-Ching Wang, Vice-President, IPv6 Forum Taiwan, Deputy General Director, CCL/ITRI

    laptop3:~$ dig +short www.ipv6.org.tw aaaa
    2001:c50:ffff:1:2e0:18ff:fe95:b229

    laptop3:~$ dig +short www.itri.org.tw aaaa
    laptop3:~$


    Dr. Vincent WS Chen, Project Co-Chair, National IPv6 Deployment and Development Program, Chair, Promotion Area, IPv6 Forum Taiwan

    laptop3:~$ dig +short www.proj.ipv6.org.tw aaaa
    2001:c50:ffff:1:2e0:18ff:fe95:b229

    Dr. Han-Chieh Chao, Deputy Director, NICI IPv6 R&D division, Co-chair, Technical Area, IPv6 Forum Taiwan

    laptop3:~$ dig +short www.nici.nat.gov.tw aaaa
    laptop3:~$

    I could have done more of the task-forces, the national ones etc, but I think this is enough to hint at a trend. Out of 60 hosts tested 6 had IPv6 addresses, which admittedly was more than I expected.
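    The check run by hand above (query AAAA, follow any CNAME target dig prints, re-query it, tally the hosts that end in an address) as an added example in Go; it is not code from the post. Instead of calling dig it takes an injected lookup function, so it runs offline: the answer set below is constructed from the transcripts above (www.ipv6tf.org, www.hp.com, www.tsinghua.edu.cn, www.cisco.com), and the loop.example / loop2.example pair is invented to show the loop guard a scripted version needs. The names HasAAAA, Audit and ClassifyDigShort are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Lookup returns the lines that `dig +short NAME aaaa` prints for NAME.
// It is injected so the audit can run offline against a constructed answer set.
type Lookup func(name string) []string

// normalize lower-cases a name and drops the trailing dot dig prints.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// ClassifyDigShort splits dig +short output into CNAME targets (names that
// end in a dot) and IPv6 addresses. Anything else is ignored.
func ClassifyDigShort(lines []string) (cnames []string, addrs []net.IP) {
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if l == "" {
			continue
		}
		if ip := net.ParseIP(l); ip != nil {
			if ip.To4() == nil { // a real IPv6 address, not an IPv4 one
				addrs = append(addrs, ip)
			}
			continue
		}
		if strings.HasSuffix(l, ".") {
			cnames = append(cnames, normalize(l))
		}
	}
	return cnames, addrs
}

// HasAAAA follows the CNAME chain from name, re-querying the last target the
// way the transcripts above do, and reports whether an AAAA record is reached.
// A seen-set and a hop limit guard against CNAME loops and runaway chains.
func HasAAAA(name string, lookup Lookup, maxHops int) (bool, []string, error) {
	cur := normalize(name)
	chain := []string{cur}
	seen := map[string]bool{}
	for hop := 0; hop <= maxHops; hop++ {
		if seen[cur] {
			return false, chain, fmt.Errorf("CNAME loop at %s", cur)
		}
		seen[cur] = true
		cnames, addrs := ClassifyDigShort(lookup(cur))
		if len(addrs) > 0 {
			return true, chain, nil
		}
		if len(cnames) == 0 {
			return false, chain, nil
		}
		cur = cnames[len(cnames)-1] // dig prints the chain in order; the last name is still unresolved
		chain = append(chain, cur)
	}
	return false, chain, fmt.Errorf("CNAME chain longer than %d hops", maxHops)
}

// Audit counts the hosts that reach an AAAA record; a loop or over-long chain
// counts as "no IPv6" rather than aborting the run.
func Audit(hosts []string, lookup Lookup) (v6 []string, total int) {
	for _, h := range hosts {
		if ok, _, err := HasAAAA(h, lookup, 8); ok && err == nil {
			v6 = append(v6, normalize(h))
		}
	}
	return v6, len(hosts)
}

// Constructed answer set: responses copied from the dig transcripts above,
// plus an invented loop.example / loop2.example pair to exercise the guard.
var sampleAnswers = map[string][]string{
	"www.ipv6tf.org":      {"2a01:48:1::2e0:81ff:fe05:4658"},
	"www.hp.com":          {"www.hpgtm.nsatc.net."},
	"www.hpgtm.nsatc.net": {},
	"www.tsinghua.edu.cn": {"www.d.tsinghua.edu.cn.", "2001:da8:200:200::4:100"},
	"www.cisco.com":       {},
	"loop.example":        {"loop2.example."},
	"loop2.example":       {"loop.example."},
}

var sampleLookup Lookup = func(name string) []string { return sampleAnswers[normalize(name)] }

var sampleHosts = []string{"www.ipv6tf.org", "www.hp.com", "www.tsinghua.edu.cn", "www.cisco.com", "loop.example"}

func main() {
	for _, h := range sampleHosts {
		ok, chain, err := HasAAAA(h, sampleLookup, 8)
		fmt.Printf("%-20s ipv6=%-5v chain=%v err=%v\n", h, ok, chain, err)
	}
	v6, total := Audit(sampleHosts, sampleLookup)
	fmt.Printf("%d of %d hosts reach an AAAA record: %v\n", len(v6), total, v6)
}
```

    To run it against live DNS, replace sampleLookup with a function that executes `dig +short NAME aaaa` and returns its output lines; the classification and chain-following logic stays the same. Note that an AAAA record only shows that a name has an IPv6 address, not that the web server behind it answers over IPv6, which is the weaker claim the transcripts above test.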

    Now, I didn't mean this as a bashing of the IPv6 Task-Forces or their devotees. I do realize that these individuals have little or no influence over their respective organizations' IT departments and the operators of their web-servers. Some of these corporations might not even be able to deploy IPv6 based on for example non-existent support in load-balancers etc.

    I also realize that this is a far from scientific or fair study. But it does show something. These individuals spend what I assume is their employers' time and money on this work. Hopefully with either consent or encouragement from these same employers. Some of these employers might do this based on some altruistic goal I am sure (or we can at least pretend so in order to try and be fair), but I doubt all of them. If that is the case these companies allow their employees to do this based on some hope of increased or future revenues. I.e. they participate in the marketing and push for deployment of IPv6 as they believe that IPv6 will give them new or increased sales opportunities. Traditionally sales of goods and services have been done under the assumption that the goods will bring added value to the buyer. If not we usually call the items snake-oil, hoaxes, etc.

    So what about IPv6? We have a pretty interesting list of corporate proponents who have their employees work for organizations that have declared IPv6 'ready for prime time' and production deployment. So....why aren't they using it themselves? Why do they believe they can achieve increased revenues by selling this added value to their customers, but the same technology won't bring them added value? Or at least they can't convince their own IT departments there is enough added value?

    Guys, it's time to open wide, take a big bite for daddy of that spoon with the dog-food, and perhaps one for mummy too while you're at it...

    August 29, 2007

    Shim6 in testing


    To my large surprise I found the following test report in TechWorld. First of all, the testing of office applications with IPv6 is a really valuable report. The thing I miss is a quantification of how common IPv6 support is among the common office applications.

    What surprised me though is the latter part of the article that says that they were testing Shim6 support. I wasn't even aware there were implementations you could get your hands on! I know there is work being done on four implementations, but not that these were released!

    Anyway, it was nice to see some positive feedback on this.

    August 30, 2007

    Wired article on Estonia


    I wasn't going to comment on the Wired article about the events in Estonia, but I have gotten enough emails and comments so I guess I have to...

    No, I don't like staying up at night. I even told Wired to correct this. I like to sleep at night. Also, I don't think I have done serious programming for years...

    I also believe that I have never owned a trench-coat. I do own a half-long beige jacket though...:-)

    All joking aside, I don't really know why the article chose to focus on me. The CERT-EE team would have handled the incident fine without any of us helping them. I do think the article does a good job at highlighting what a DDoS attack can do and how they operate. It also sheds some light on how work is done to mitigate them, without giving too much operational detail. It does dramatize these particular events a bit too much though, but I guess that is the job of the journalist.

    September 7, 2007

    SANOG10/APNIC24 keynote

    I was honored to deliver the SANOG10/APNIC24 keynote here in New Delhi on Wednesday. This was especially fun as I was also the keynote for SANOG1 in Kathmandu. The slides are available here.

    SANOG as always has been interesting and eye-opening. The scaling properties of some of the countries in the region are truly staggering and the way in which the community has embraced ICT is encouraging. But it's mostly inspiring to see how the Internet is often used to overcome problems that have been around for ages, and how people set out to work the issues with no fear.

    September 21, 2007

    iPhone released in Europe and the openness of the 'net


    Returning from Asia I was full of expectations regarding the iPhone as I am heading to London for the weekend. My first disappointment was of course that it won't actually be available for a few more weeks. Having overcome this, as I read news on the plane back from Delhi I started to get more and more disillusioned with Apple's mobile strategy.

    The first thing I reacted to was the fact that Apple has released a phone that does not handle 3G, only EDGE. While this is most likely sufficient in the North American market, it feels like an enormous step backwards in the European market (not to mention what it would have felt like in the Asian market). I can't see any other reason why Apple felt forced to release the phone without 3G except that they want to leverage the hype so badly that they expect that the poor customers that buy the phone now will come back in 6 months and buy a 3G enabled version. This seems to be in line with Apple's iPod strategy. I have serious doubts about this in the European market.

    Further, Apple and O2 in the UK say that the lack of actual EDGE-enabled coverage will be made up for by free access at The Cloud's hot-spots, all bundled with the subscription that you must have. The fact that the two revenue-sharing partners have to go and buy services from an independent source to try and patch up the offering to the potential customers' expectations gives an indication that this was probably a decision forced through in a rush. The phone does not give basic functionality that users in the European market have grown accustomed to - 3G. The iPhone is clearly targeted towards advanced and business users, with all the features it's shipping with. This market segment already has 3G phones and is using similar features on their current phones. Believing they would pay a high price (because the phone is not subsidized - another thing European customers are used to) in order to get the same services at a slower speed seems naive at best. I think that Apple's success with the iPod has gone to their heads. The iPod was an innovation in that it advanced the entire product segment of MP3 players. What Apple doesn't seem to realize is that in the case of the iPhone, they are entering an existing, highly competitive and innovative market. They will have to fight and they will have to play catch-up. Much has been said about the volumes of sold iPhones in the US, but it's still nothing compared to the existing mobile phone manufacturers' volumes.

    Last, this entire thing with SIM card locking. AFAIK it's fairly common in the US market, and while not unheard of in Europe it seems to me to be less and less common. Apple has a long tradition of a walled garden approach to their product lines. Their operating systems will only work with their own hardware and third party devices are almost non-existent. The reasoning for this has long been claimed to be because Apple is a "hardware company". Ever since I became an Apple user in 2002, I have always admired their software and their ability to innovate with features and new software products. At the same time I have always been appalled by their hardware. Everything from the non-existent support in Europe to the simple fact that their QA testing must be non-existent as well. Now, Apple is taking this lock-in model to the iPhone. Again, I am not sure you can take the model from their computer product line and apply this to the cell-phone market. The cell phone subscription market in Europe is highly competitive, and manufacturers work closely with the operators to bundle new phone-models with new price schemas, and therefore both are pushing that particular model. Alliances change almost monthly. In the light of this, I can't see the operators that are now signing up to have exclusive rights to the iPhone looking at this in any other way than 'this month's campaign'. Next month they are pushing another tariff with another phone. While this will work for the operators, I do wonder what Apple will do to mitigate this. Either they will need to speed up their model launch rate to match that of Sony Ericsson and Nokia, or innovate their software at the same rate and use the phones as the platform. Given that Nokia claims to go from idea to a phone in the shop in 9 months, that will put enormous strains on Apple's resources.

    However, there is another side to the SIM locking. Apple is more and more teaming up with Google in a strategic alliance. Google has so far taken up the role of leader in the fight for 'net-neutrality' and the right for consumers and end-users to freely pick their providers of a particular service. At the same time their new strategic partner is now pushing the opposite agenda: customer lock-in and removal of free selection of service providers. I assume that as long as Apple keeps providing Google services inside their walled garden Google will not protest. You are never more activist than you have to be. I guess it's just more of the Google hypocrisy.

    I do like the idea of increased competition in the high-end cell-phone market, and I do like the appearance of the iPhone, so I hope I am wrong in my conclusions above, but I do have my doubts about the success of the iPhone, and Apple will certainly have to provide me with some added value before I buy one...

    The value of local content


    While in Nepal I spent a day meeting with old friends and visiting some of the local ISPs. It's always interesting to see how countries that perhaps in other ways are less developed often find use of the Internet in new ways. It's also interesting to follow closely the drivers for building out the network as it develops.

    In one of these discussions we started talking about the bandwidth and user growth. I was pleased to hear that plenty of local content was available and that it had helped drive user growth. This has proven to be invaluable in the past, as lack of knowledge of the English language otherwise makes the Internet infrastructure useless from a user perspective. What did surprise me a bit though was that the current limiting factor of traffic growth wasn't lack of internal infrastructure in Nepal. It was the capacity out of Nepal. It turns out that most of this local content is actually not located in Nepal, it's located outside Nepal. Reasons for this vary, from the risk of the content becoming inaccessible to the outside world if located behind the current satellite links, to simply lack of hosting facilities in Nepal.

    Luckily this is now changing. The ISPs I talked to were looking into lighting up fibers into India in order to speed up access, and projects are underway to provide hosting facilities for the content inside Nepal. This will help the local users as access times go down, and reliability up. Hopefully it will also help stimulate a market of locally produced on-line content. Having content local is also important from a national point of view. I have talked about this at great length in relation to the attacks on Estonia and in other related presentations. But in a case like Nepal, with its inbound capacity limited by the satellite links, this is probably even more important. Especially in the light of how political events are unfolding in the run-up to the election for the constituent assembly. So work being done here should be supported and prioritized. It's in everybody's interest to bring the content closer to the users.

    In the light of all this, I found an article in the Economist fairly telling. It describes how a lot of the successful web-sites such as YouTube, LinkedIn and Facebook are being 'copied' into Chinese web-sites produced in the local language and adapted to the local culture. The fact that something like YouTube, with all the resources of Google behind it, has failed to adapt to the largest population in the world says something about how ignored localization of content is. The good news is that this is opening up the market to new entrants and innovation. The article goes on to highlight issues that are rising from this. Lack of data center capacity, bandwidth and poor interconnection between the two largest providers seems very familiar. It's interesting to see though, that the world's fastest growing economy is struggling with the same on-line content issues as one of the world's poorest economies.

    The important conclusion to draw is that the reliable and speedy availability of local content will help develop the local infrastructure and provide revenues for the players on the net. But also that we have a long way to go with localized content. Unfortunately this also means that a lot of the technologies we work on today will have to give way for Internet protocols and standards that will work with more universal character sets and languages. And a lot of the content needs to be adapted to local culture. A lot of research has gone into the "next generation networks" on a very low, basic and technical level. I think the revolution for the next generation Internet will come from the localization of the network and adapting content. It might be carried over pigeons for all I know.

    Trust


    I guess this is getting somewhat old news by now, but my trekking came in between :-(

    Joshua Keating of Foreign Policy made a blog post commenting on the Wired article about the on-line attacks against web-sites in Estonia.

    Before this was posted I was contacted by Blake Hounshell of FP that asked if the term "the Vetted" used in the Wired article referred to the Internet Architecture Board that I am member of. Unfortunately this reached me while I was on vacation in the Alps and they published the original post stating that as far as they can tell 'the Vetted' referred to the IAB. Once I was back I did reply to Mr Hounshell's email and my reply is also quoted in an update to the blog post as

    UPDATE: In an e-mail exchange with Blake, Passport's editor, Lindqvist writes:

    Actually, exactly what [the Vetted] refers to I suggest you ask Wired about, I have never attributed this term to anyone - and I am not exactly sure myself. Second guessing the author of the Wired article, I would assume this does not refer to the IAB as the IAB has no operational role at all. It has an oversight function inside the IETF, which sets the technical standards for the Internet. Its members are appointed by a well defined process inside the IETF.

    No word yet from the folks at Wired, however.

    So far so good. But there is something in the original post that I would like to address. Mr Keating quotes a post on my blog

    No, I don't like staying up at night. I even told Wired to correct this. I like to sleep at night. Also, I don't think I have done serious programming for years...

    I also believe that I have never owned a trench-coat. I do own a half-long beige jacket though...:-)

    and goes on to comment with

    I'm still not sure I trust a guy who uses emoticons to protect us from Russian cyber terrorists.

    Mr Keating is actually right, he should not trust me. And this highlights something that is partly addressed in the Wired article. Mr Keating and I have never met, so trusting me would seem somewhat naive. Mr Keating can only form an opinion based on what he has either read or been told about me. The sources of all this information will carry different weights for him. Perhaps he trusts his colleagues over at Wired to have done a more thorough background check and therefore finds them more trustworthy than what he can read about me on my web-site. Perhaps he calls some friends in the industry that have met me. Etc. It could be that all these sources carry enough trust with him that he could decide to trust me based on what others convey to him. In cryptography this is loosely similar to what is called a Web of Trust. Now this illustrates a problem with operationally trying to deal with the types of attacks that Estonian web-sites saw. These attacks are very much real-time, and can come and go within seconds, as their controllers choose. For law-enforcement agencies as well as the operational staff of the victims, tracking the sources, finding that needle in a haystack that might lead to the attacker, is all highly time critical. Unfortunately, the legal systems and law-enforcement co-operations that have existed so far are not really tailored to these types of live events. Instead the operational side very much becomes a "call someone I know". This "someone" is then faced with the same trust problem as Mr Keating. Either he will stop the attack traffic, and hopefully do something good. Or in the worst case, he is making it worse based on a false claim. So he must use his judgement and value the trust in the contact. This is not unique to tracing attacks on the Internet. Law enforcement agencies and government watchdogs acting on financial and stock-market frauds have found the same issues, with the difference that they normally actually have all the raw data even after the event. But once that is analyzed the perpetrator might long since be gone.

    Now, Mr Keating takes my use of emoticons in the blog post as the reason not to trust me. These emoticons are merely a form of expression, and do not really alter the actual content of the message. Personally I make my judgments based on content rather than form. Perhaps this is a luxury I can afford as this is not my native language and I am accustomed to irregularities in the presentation. I don't know. But this evaluation of trust based on actions and content leads to a wider network. A network of people I trust to deal with operationally. People I have known for years, and people I have worked with enough to trust. In similar fashion, the law enforcement agencies are building up new contact networks between them. Using trust established within current co-operation agreements they can form new and faster ways for information to flow. Hopefully all of this will allow us to see faster and more efficient actions against cyber crime. Unfortunately this will take more time as the web of trust that needs to be woven will have to be much larger than before. Law enforcement agents find themselves working with colleagues in countries from where crimes have never been reported before. All an effect of the borderless network.

    Eventually they will trust each other based on some criteria or other. Perhaps even based on the other end's use of emoticons.

    September 26, 2007

    Estonian president addresses cyber crime legislation in the UN

    I was sent (Thanks Hillar!) the following link that references the Estonian president's speech to the UN General Assembly. I agree with what he says. Or at least my interpretation of what he says. The best contribution that governments could make to fight cyber crime would be common, thorough legislation (not to mention making it illegal at all).

    Through all the WSIS and IGF processes there have been no lack of eagerness from governments to 'want to help', but most of it seems to be somewhat misdirected in the form of asking the ITU to look at technological standards, while what is really needed is legislation and cross-border frame-works that allow law enforcement to act once perpetrators are identified. Unfortunately it's much harder and would actually require the governments to actually do something about the problem. So let's hope this appeal by the Estonian president at least leaves some impression...

    October 6, 2007

    Attacks on Estonia analyzed by Swedish radio


    Swedish radio P1 this morning had an analysis of the attacks on Estonia as well as cyberwar in general. The program is focused on foreign policy, and based on this I guess it's pretty good.

    Paf and I are both interviewed about the attacks.

    The program in Swedish is here.

    On the future of the Internet

    On Thursday night I gave a presentation to the Swedish Network User Society, SNUS, on what I believe are current and future trends on the Internet. It's a mix of thoughts on technology, politics and content. I also translated it into English.

    Internet expert Kim declares Internet dangerous

    In this article from the Swedish paper SvD I read that the North Korean dictator Kim Jong-Il has denounced proposals to establish Internet connectivity in the North/South Korean common industrial zone in North Korea. His reason for this is that the Internet is dangerous and would lead to problems in the North. I have no reason to doubt that - on the contrary. The Internet has helped other nations in the past in their struggle for democracy, ever since the coup in Moscow in 1991. And for those of you that find this funny, it might be worth remembering that it's only 20 years ago since the Social Democrat Maj-Britt Theorin argued for making possession of a satellite receiver criminal and punishable by prison....

    November 5, 2007

    My first presentation at Internetdagarna 2007


    I am sitting in the session on the future of routing at the 2007 Internetdagarna conference. This will also be my first presentation out of the four I managed to commit myself to.

    In this session Dave Oran, a fellow IAB member, will talk about scaling problems for the future Internet and associated inter-domain routing. My presentation will be an overview of the current activities in the Routing Area of the IETF.

    I have a lot of personal views on this problem space and potential solutions. I used to be co-chair of the multi6 working group and more recently co-chair of the shim6 working group. The shim6 technology tries to address the growth of the routing table by the use of the so-called id/loc separation.

    The shim6 technology, when presented, has met a lot of resistance from various camps, mostly large multi-national providers and content providers. Most of the criticism has come from people who have not read the spec, or followed the development discussions that led to the design decisions. Now, following a lot of the discussions recently, a lot of this is rehashing earlier multi6 discussions, by parties that were not active at the time. That said, there are a few observations I would like to offer. First of all, content providers worry about the state created in their servers. This is certainly cause for concern, but shim6 also points out that only long-lived sessions are "worth" protecting. Also, as shim6 is a negotiated capability, service providers that worry about state could just "say no".

    For the large multi-national providers, they worry about moving control of the traffic flows into end-systems and the lack of new TE capabilities for them. I have all the respect in the world for this, but basically this will always come down to the providers having to deliver what they actually sold the end-users.

    Not wanting to write too long, I will leave a lot of details out, but I do believe that we will need more support in the end-systems for mobility - actually I believe that any id/loc solution will need to be able to talk to either router line-cards or hosts. Transparently.

    Last, there have been other proposals that are based on the id/loc rewrite happening in the router line card. However, something I have yet to come to grips with is why router manufacturers believe that state for rewriting for every session is so much easier to handle than state for routing tables...

    Swedish government worried about Internet access for agencies

    Today the agency responsible for crisis management, together with the .SE registry, released a report on how the various government agencies handle their Internet access. It points to severe deficiencies.

    Some of the reporting, with statements from various government and .SE people:

    http://www.sr.se/cgi-bin/ekot/artikel.asp?Artikel=1698452

    http://www.expressen.se/nyheter/1.912623/myndigheter-sarbara-for-it-angrepp

    I find this somewhat sad. A year ago I reported the same things. Several meetings with this agency later, they apparently decided to contract a DNS registry to evaluate the state of things. So now they have a report saying that DNS and web-site security is broken, but still no plan, and nothing is more secure. They could have used the money somewhat better....

    But, I have a full session at Internetdagarna 2007 to talk about this tomorrow...

    Traffic growth in Sweden


    My second presentation at Internetdagarna 2007 is about traffic statistics for the Internet growth in Sweden. You saw it here first!

    November 6, 2007

    Internet attack on Sweden - what have we learnt...


    I am just about to give an updated presentation on what society or the government needs to do in terms of crisis. And what infrastructure is critical and how do we handle this.

    More news later...

    New, secure filesharing


    The Swedish morning paper SvD has an article this evening about work done by the people behind The Pirate Bay. They point to BitTorrent having been taken over by new owners, and say that work is now being done on a replacement protocol that is being called Secure P2P. The main goal seems to be to protect the actual data being exchanged. I suppose this is so that you from the outside can't trace or track the peer-to-peer network traffic, and therefore can't manipulate it or modify the network capacity given to it.

    I discussed this somewhat with some friends earlier today. First of all, I don't understand the desire among some network operators to try and limit the bandwidth that is used by filesharing. ISPs should just forward packets, and not make value judgements on the content of them. This has been a long-running defence among ISPs against all forms of regulation trying to force content inspection and responsibilities onto the ISPs. Here we have ISPs that are actively trying to take this responsibility onto themselves. Most commonly ISPs claim that this is so that end-users can get better performance for applications that are more important to them. In a confused presentation by Cisco this morning at Internetdagarna, Cisco claimed that customers even wanted this! Personally I think that customers want to send the traffic they send, and receive the replies. Even if that is peer-to-peer. More so - I think the main driver among ISPs is that they have sold a resource they really didn't have. Now, developments like Secure P2P put this model at risk. I was however assured that manufacturers of equipment for (down-)prioritisation are already looking at statistical models that will allow them to separate out even encrypted peer-to-peer traffic.

    These types of statistical models are becoming more and more interesting for a number of reasons. A reader commented earlier today on my "Attack on Sweden" presentation that we can already today do fairly good detection of attack traffic without actually looking at the packets. These models could potentially also be used in the future for detecting and separating out pre-attack testing, for example, and in that way create early warning systems. So while the TPB folks with Secure P2P probably only have the desire to protect the content of the shared files, I believe this will also help drive other developments. So I am all for it - but for other reasons...

    Last, in the above mentioned press report there is also talk about a future file-sharing technology that would allow file-sharing parties to remain anonymous. In the article, one of Sweden's leading cyber-crime police officers is quoted as saying he has doubts about the merits of any such technology. From a computer network point of view and from a computer science point of view I would say he is right. However, given that the problem faced by file-sharers (at least in Sweden) is that if discovered they might be fined (well, depending on the extent of the file-sharing), and that the amount of intrusive data the police are allowed to search for is in proportion to the crime - a half-baked anonymity might just be good enough. Not good enough that you couldn't find serious criminals, but good enough that the police can't ask for enough information to triangulate you for downloading the latest Desperate Housewives episode (I keep using that as an example although I have never seen it. Perhaps I should force myself to watch a few minutes...). THAT could be an interesting development...

    November 7, 2007

    Dataretention legislation proposal in Sweden


    Today the study group that has worked on proposed legislation for the implementation of the EU data retention directive in Sweden delivered its report (in Swedish only). I have been a member of this group as a technical expert. The group has consisted of people with a pretty wide background, but with an emphasis on people with legal training (which by the way is natural and makes a lot of sense). They have represented more or less all interests, from the operators and law enforcement to privacy advocates. My friend Patrik Fältström, who was also a member of the group, gives a fairly good background to the problems faced and the result.

    This was picked up by a lot of media, most of which had fairly good reporting on the content. Aftonbladet/E24 had the worst headline with "The police will intercept all your communication" [Note: my vague translation, and they seem to have changed the heading later]. This directive has been very controversial from the start, and many have seen it as exactly what E24 reported in the headline. However the intention (at least as I read it) of the directive is a lot less alarming, with fairly strict regulation on when the police can actually get access to the data. In reality the directive and the proposed legislation only require that the operators keep data they already have - but for a longer period. If they don't have the data, there is nothing to be kept. And I think one must stress that it's only the fact that the communication took place that is logged, and not the content.

    The piece of the report that does worry me is that, as the EU directive is poorly written with regard to technology, the proposed Swedish implementation is also fairly confused when it comes to how the technology will be impacted.

    The second issue that worries me is the financing of the system. The proposal calls for what has been referred to as a "shared model", where the providers will make the investments and, when called upon, will get compensation. This is in contrast to a model where the government would have paid the providers for the implementation. The system will be costly to build and costly to operate. These costs will now have to be borne by the subscribers, hidden in their service charges. The effectiveness of the system will never have to be measured, and cost vs. benefit is more or less impossible to calculate. This worries me, and judging from the initial press reports, several of the providers as well.

    November 12, 2007

    11th Euro-IX Forum

    The 11th Euro-IX Forum has just started in Vienna. We have seen spectacular venues for forums in the past, but the Großer Festsaal at the University of Vienna beats everything so far! I hope I can get some pictures up here later.

    The forum is a great venue for discussions with other IXes and to analyse the trends that various IXes are seeing, what new ideas they have etc.

    From discussions at the small social event last night at the Donauturm it seems like we are all seeing upgrades to 10GE ports growing fast. Cheaper customer connections seem to be a new trend, and this seems to mostly go in the direction of various WDM systems. This is a very interesting model for us as well.

    Previous forums have seen a focus on "commercial operations", customer value creation and marketing. This meeting seems to have a slight shift in focus back to technology on how to handle the tremendous growth that we are seeing in this industry. I hope I will be able to provide more reporting as we go on.

    November 14, 2007

    On the IPv4->IPv6 transition

    Often when talking with policymakers and other advocates of a fast transition to IPv6 at any cost (because we are falling behind region X), I find they don't seem to understand that IPv4-only hosts can't talk to IPv6-only hosts. Therefore they also fail to understand one of the fundamental problems associated with the migration (ignoring the lack of market drive for it). My friend Paf gave an excellent presentation illustrating this at the IGF in Rio.

    Support on the Internet


    Yesterday I wanted to check in for my return flight from the Euro-IX Forum on the SAS web-site, as I usually do during travels in Europe. The SAS web-site returned the error that it couldn't find my booking. I got a bit upset and went looking for the phone number for SAS Internet support. On the contact page I found a link to a chat for support. Very sceptically I clicked it, and within a minute I had a chat going with one of the SAS staffers. It was efficient; I could paste what I saw and booking references. I was impressed! Unfortunately it's not 24x7. I wish I could manage bookings the same way.

    As for the error? Hmph. It turns out that Vienna airport does not work with the SAS on-line check-in. Something that was clearly stated on the check-in page....

    January 4, 2008

    On handling of classified information...

    In today's Aftonbladet there is an article about how a private citizen found a USB memory stick in a public computer at a library. The USB stick contained several classified documents, some of them classified secret. Now, we can speculate why someone would take these along to a public computer in a public library, but if we for a while ignore this, the most shocking thing in the news report is that - it's actually allowed.

    I.e. it's allowed to keep classified documents, presumably in raw form, on USB sticks. The article points out that the regulation however requires that the stick is kept under close guard or in a safe. Great.

    I am not so much worried over the fact that documents in raw format on a USB stick can be replicated and emailed with little or no traces. The same is more or less true for paper copies. What worries me is that a USB stick can be dropped, forgotten (apparently), deliberately left etc. a lot more easily than a stash of documents. Actually, it's more like the microfilmed versions of documents from the cold war spies.

    Now if we for a while stop to wonder - why would anyone at the Swedish defence force use a computer at a public library for reading his classified documents? Or was the USB stick left in the computer just the "letter box"? Or was he trying to hide the traces of who actually mailed the documents somewhere? Can that be traced? Intriguing questions...

    So, could this information leak have been prevented if the documents were not allowed to be stored on a USB stick? Probably not. Could the distribution and propagation of the information have been slowed down? Probably. Either scanning hard copies or distributing the hard copies does take more time and more resources. But it doesn't stop it.

    January 15, 2008

    Interview on Swedish Radio

    The English language Swedish Radio has published an interview with me regarding cybersecurity.

    February 4, 2008

    Danish courts order ISPs to filter content

    In a press report I read that a Danish court has ordered ISPs to filter out the site The Pirate Bay. I am not defending illegal actions, but a court that sidesteps the legal tradition of trying one crime at a time and gives individual business interests the right to filter content scares me.

    February 5, 2008

    AAAA glue in the root-zone


    As Paf notes in his blog, since noon yesterday EST we have AAAA glue in the root-zone. I believe this was way overdue, but I am happy that we are making progress.

    Now we just need the 'powers that be' to realise that signing the root-zone is a purely technical issue, and one that will bring a lot of benefit to the Internet community at large as well.

    Leopard and the decline of Apple

    People who know me and who have been following this blog for a long time know that I have previously and continuously argued that Apple is primarily a software company and that that is where their strength is. Their hardware has never been particularly impressive if we ignore the design, and their support has been horrific.

    So when Leopard was released I was looking forward to another leap in operating system features and convenience. Instead I have found myself with a mail client (Mail.app) that crashes repeatedly, a broken DNS resolver that requires cache flushing when I move, and the worst - the need to reboot two to three times a week. The reboots are mostly due to the fact that it can't recover from sleep mode. A few minutes ago it was due to the fact that it just froze. Before freezing, the IP stack had stopped sending packets on the WLAN interface. After reboot all works again. Just as on an AS/400 pre OS/400 version 4...

    Apple has long argued that they will only support their own hardware platforms, as that will mean the software is more stable since they need to support fewer devices and drivers. Now that they have released Intel based hardware and therefore have support for it in their OS, this point is starting to become moot. And with the release of Leopard it seems as if they are heading down the path of selling an operating system that is mediocre and that will only run on even more mediocre hardware. No design in the world will help them mitigate that in the long run.

    I really hope I am wrong.

    February 12, 2008

    Safer Internet Day


    Today is the "Safer Internet Day". I have long been a sceptic of these kinds of events, but I am slowly changing my mind. People in general are naive, and when it comes to technology and risk assessment they are even worse.

    Parents worry about what their kids will do on the Internet, but will happily click any attachment sent to them. We need education and increased risk awareness.

    OS X...

    So today I opened a web page with Safari under Leopard. It contained flash animations. It hung. Not Safari, Leopard. As I noted before, Apple rushed this release. And something I will never understand is why QuickTime is integrated with the kernel. Beats me. I thought that was something that desperate Microsoft programmers did in the early '90s.

    February 13, 2008

    Why transitioning to IPv6 will be hard...

    At the small network where I spend my day job, we have been gearing up to provide services over IPv4 and IPv6, and make our services truly agnostic to the network protocol in use. This has had some interesting side effects. Especially since we decided to couple the upgrade to a production environment with the change of router vendor platform. Yes, yes, I know. Too much in one go. But, hey! Network engineers seldom learn from their mistakes (how many times have you locked yourself out from your router with an ACL - eh?).

    So, I could write a lot about how obvious *I* would think it would be, if I was a product manager at a large vendor, to make sure that once features are implemented they work for IPv4 AND IPv6. Not to mention how obvious I would think it would be to test them...anyway. What I am trying to get at is that too many of the IPv6 features, if implemented at all, have yet to be put into production and real heavy testing. This will find bugs. Loads of bugs. That need to be cleared and fixed. For way too long vendors have waved them off as "low priority items" - as no one uses them. What I think the vendors are failing to understand is - there will only be more IPv6 bugs found. Faster. With higher demand to have them fixed, as providers are actually trying to put this into production.

    I have been a large customer, among the largest to some, of all the major router and switching vendors in the world. I have been in the IETF since 2000, and during these years I have seen odd, unexplainable, and sometimes funny interpretations and implementations of bugs. Most of them highlighting my thesis about the lack of testing, and foremost - testing that matches operational reality. Today however, I hit a new highlight. We have so far had IPv6 transit over an IPv6-in-IPv4 tunnel to one of the providers in Sweden. This has worked quite well for us. However, migrating to The New Vendor, we discovered that they did not support that, but they did support GRE. So it shouldn't be a problem - really. GRE is *GENERIC* Routing Encapsulation. So off we went. No success. It turns out that while they support GRE, they only support IPv4 packets as payload. Duh. Double-Duh. I'll leave you to ponder on that.

    While you can make fun of that - what worries ME is the following. The vendor has really good IPv6 support otherwise. No, seriously, all we tried has worked really well. So....how did they test this? I mean, a lab with ping - fine, but traffic? How did they connect their lab to the outside world? Or didn't they? Or did they use someone else's router for that? Native connectivity? Makes you wonder, right?
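The thing that decides whether a GRE tunnel can carry IPv6 at all is the 16-bit "protocol type" in the GRE header, which is just an Ethertype: 0x0800 for IPv4, 0x86DD for IPv6. The following is an added example, my own code and not anything from the original post or from the vendor in question: a minimal GRE encapsulator and decapsulator in Python with an explicit payload-type policy, so that the "IPv4 payload only" behaviour described above can be reproduced and tested against hand-built packets. The tunnel endpoints and inner addresses are documentation prefixes, the inner packets are bare headers, and IPV4_ONLY is an assumption modelling the vendor behaviour; none of it is taken from the page.

```python
"""GRE encapsulation and decapsulation with an explicit payload-type policy.

Added example, not code from the original post or from any vendor.
Everything here is constructed: the addresses come from the documentation
ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), the inner packets
are minimal hand-built headers, and IPV4_ONLY models the behaviour the
post describes, a GRE implementation that only accepts IPv4 as payload.
"""
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" values are Ethertypes
ETHERTYPE_IPV6 = 0x86DD

IPV4_ONLY = {ETHERTYPE_IPV4}                   # assumed vendor behaviour
DUAL_STACK = {ETHERTYPE_IPV4, ETHERTYPE_IPV6}  # what "generic" should mean


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src: str, dst: str) -> bytes:
    """Minimal 40-byte IPv6 header, next header 59 (no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def gre_encap(payload: bytes, ethertype: int, src: str, dst: str) -> bytes:
    """Outer IPv4 header + basic 4-byte GRE header (no options) + payload."""
    gre = struct.pack("!HH", 0, ethertype)  # C flag, reserved bits and version all zero
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(payload)) + gre + payload


def gre_decap(packet: bytes, accepted: set) -> tuple:
    """Validate the outer header, then apply the payload-type policy.

    Returns (ethertype, payload); raises ValueError for anything the tunnel
    will not forward. An IPv4-only implementation is one whose 'accepted'
    set never contains 0x86DD: the information is in the header, it is
    just never acted on.
    """
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated outer header")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags_ver, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver != 0:
        raise ValueError("GRE options or non-zero version not handled here")
    if ethertype not in accepted:
        raise ValueError("payload type 0x%04x not accepted by this tunnel" % ethertype)
    return ethertype, packet[ihl + 4:]


def forward(packet: bytes, policy: set) -> str:
    """What a tunnel endpoint with the given policy does with a packet."""
    try:
        ethertype, payload = gre_decap(packet, policy)
    except ValueError as err:
        return "dropped: %s" % err
    return "forwarded IPv%d payload of %d bytes" % (
        4 if ethertype == ETHERTYPE_IPV4 else 6, len(payload))


# Constructed sample packets: IPv4-in-GRE and IPv6-in-GRE over the same tunnel.
TUNNEL_SRC, TUNNEL_DST = "192.0.2.1", "198.51.100.1"
PKT_V4_IN_GRE = gre_encap(ipv4_header("192.0.2.10", "198.51.100.10", 59, 0),
                          ETHERTYPE_IPV4, TUNNEL_SRC, TUNNEL_DST)
PKT_V6_IN_GRE = gre_encap(ipv6_header("2001:db8::10", "2001:db8:1::10"),
                          ETHERTYPE_IPV6, TUNNEL_SRC, TUNNEL_DST)

if __name__ == "__main__":
    for name, pkt in (("IPv4-in-GRE", PKT_V4_IN_GRE), ("IPv6-in-GRE", PKT_V6_IN_GRE)):
        print("%-12s IPv4-only tunnel:  %s" % (name, forward(pkt, IPV4_ONLY)))
        print("%-12s dual-stack tunnel: %s" % (name, forward(pkt, DUAL_STACK)))
```

Run stand-alone it prints four lines; the IPv6-in-GRE packet is forwarded by the dual-stack policy and dropped by the IPv4-only one, with the offending protocol type 0x86dd in the reason. That is also the lab check worth doing before trusting a vendor's "GRE support": push real IPv6 payload through the tunnel, not just an IPv4 ping.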

    February 14, 2008

    The future of cyber warfare

    Every now and then I get mails from readers of this blog. I mostly reply to them in private, but I recently got one question where I thought my reply might be of general interest. I took the liberty of editing the question somewhat, but in essence it was


    If you have any insight you can share with my class on cyber warfare and security, I would be delighted on hearing it.

    My reply was as follows


    In general, I think that it's an obvious conclusion that both offensive and defensive actions with regard to national telecommunications infrastructure are becoming an integral part of a nation's security assessments. Note that I am not really scoping this to only what is known as "cyberwarfare". There are other options that will have as their secondary effect to harm a nation's telecommunications, for example targeted attacks on power supplies in combination with attacks on diesel storage etc. To a lesser degree I believe nations have spent time assessing their vulnerabilities and threat models. If we for the sake of argument use the term "cyber warfare" to include all kinds of harm done to a nation's ability to use electronic communications, there are a few definitions we need to agree on.

    1. When is significant harm done? Online banking is down? Government web-sites down? When the government loses its ability to communicate with its citizens over electronic communication means (as opposed to analog means such as radio and TV)? There is no one given answer to this. Significant harm will vary from country to country and over time, as citizens become more used to communicating, receiving news over the Internet, and trusting the information given.

    2. The threat is asymmetrical. The threat in cyber warfare is as asymmetrical as terrorism, perhaps even more so. Some, or even a lot, of the threat is posed by organised crime that uses high-profile targets as "advertisements" to be used in future extortions. This threat is easier to organise and hide behind than a lot of other forms of asymmetrical threats. It's also something that can be repeated - in the same form. I.e. an attack plan does not become invalid just because it's been used once or discovered. With asymmetry here I mean the fact that a small group of attackers, even one, can cause large-scale harm and is hard to detect. Part of the problem is also that, contrary to smuggling nuclear material or blowing up targets, cyber attacks are not criminal offences in many countries or cause for extradition. Not to mention that in many of the countries where attacks are executed from, the local police lack the knowledge to follow the crimes up.

    3. The threats are fairly mixed up with crime. It's really hard to make the distinction between crime and cyber warfare. The first is ongoing 24x7, and the only *technical* distinction is the perpetrator behind it, which turns an action into the second. How to deal with this in an effective way from the point of view of government will be hard. Law enforcement agencies will have the upper hand in that they have more operational experience and likely more operational contacts, which are keys to handling attacks. While other government agencies are more likely to have control over critical infrastructure and assessments of what needs to be protected. These interests will need to meet in an effective way.


    This list can be made long. What I have not touched upon are the offensive means of cyber warfare. These will, in my opinion, vary somewhat depending on the intended target, and on whether this is a retaliatory strike or a strike-first action. In principle though, the means are either targeted DoS attacks (DDoS, physical, or simply intrusion followed by actions that will cause harm, for example data deletion or modification), or infiltration (for example targeted spread of trojans/viruses/worms). The first will most likely be based on well-known techniques; the latter will most likely require some form of prior knowledge of the systems intended to be attacked, in combination with socialising with the intended targets. Neither of which is hard, and again is ongoing in the world around us.


    The last item of interest is of course how to prevent and mitigate attacks. This is hard. Today this is more or less based on co-operation of the large service providers, and it's hard to see either done without their co-operation. Up-to-date protective measures such as virus scanners, firewalls etc. are a necessity. But in a high-security environment I would take this for granted. Still, attacks do happen. The threat that shouldn't be underestimated is of course malicious intent by "staff". But that is not new. The same threat exists for manila folders :-) And preventive measures are the same. In operational regard, I would again point to the text above. Operational experience and contacts are essential.

    So to sum up, yes, I believe we will see more and more rough times for electronic communications. I believe we have little or no insight into what constitutes problems and when we believe harm has been done. There is really a lot of work ahead in this arena. A lot of threat models where the arrows are red and come from the east will need to be updated and replaced. While I am sure the world's national intelligence agencies are working on asymmetrical threats for terrorism, I am less convinced they understand what threats cyber warfare REALLY constitutes. Keep in mind that the attacks on Estonia, for all we know, were conducted in the open and by disgruntled individuals.

    February 19, 2008

    Good paper on Anycast

    My friend Joe Abley has written a good article that explains anycast for the Usenix ;login: magazine. I recommend it if you are interested in the subject!

    Possible upcoming outage


    As part of me moving to a new apartment I am moving the home line. This should not be an issue, but the provider of the SDH service seems seriously confused about how and when the migration will happen. This might mean that the servers will be off-line for some time during the coming days.

    I know, I know. I should have put the servers at a co-lo instead of behind my own home network with routers, links etc. But..:-)

    March 12, 2008

    IETF71

    I am currently at the IETF in Philadelphia. And I rediscovered a long-learnt lesson on how not to build networks. I will let the router names speak for themselves...


    traceroute6 to mail.autonomica.se (2a01:3f0:1:3::105) from 2001:df8::16:21d:4fff:fefc:b8f3, 30 hops max, 12 byte packets
    1 2001:df8:0:16::2 990.233 ms 815.103 ms 898.535 ms
    2 isc.ietf.org 931.17 ms 846.805 ms 776.671 ms
    3 gig-2-0-0.r1.pao1.isc.org 1185.41 ms 1222.88 ms 1236.13 ms
    4 int-0-0-0.r1.sjc3.isc.org 1227.37 ms 1021.49 ms 746.063 ms
    5 equinix6-sjc.ip.tiscali.net 757.229 ms 1244.14 ms 1236.22 ms
    6 so-2-0-0.chi11.ip6.tiscali.net 1513.49 ms 1216.5 ms 1361.3 ms
    7 so-4-1-0.nyc22.ip6.tiscali.net 940.613 ms 882.344 ms 643.837 ms
    8 so-7-1-0.ams22.tiscali.net 569.476 ms 351.726 ms 465.332 ms
    9 so-1-0-0.stk30.ip6.tiscali.net 573.639 ms 875.133 ms 981.563 ms
    10 so-1-0-0.stk20.ip6.tiscali.net 964.281 ms 1230.5 ms 1002.43 ms
    11 2001:7f8:d:ff::73 462.263 ms 451.273 ms 279.349 ms
    12 * 2001:698:9:42:20a:b7ff:fee9:2a83 349.068 ms 447.874 ms
    13 2001:698:9:3c:20c:dbff:fefd:8a2b 1040.1 ms * 312.67 ms
    14 2001:698:9:3e:20c:dbff:fefe:4b29 282.536 ms 427.477 ms 475.601 ms
    15 ge-8-20.au-gw.autonomica.se 805.472 ms 906.203 ms 515.903 ms
    16 mail.autonomica.se 626.694 ms 499.077 ms 309.863 ms

    The IPv6 hour

    At the last NANOG in San Jose and at the last APRICOT in Taiwan, as well as at the upcoming IETF meeting, there have been "IPv6 hours". These are simply one-hour events when IPv4 connectivity on the conference network has been turned off and only IPv6 connectivity was offered. A small report on the first of these was found on CircleID.

    I believe these sessions are very useful. Not really as a promotion of IPv6 - in that regard I suspect they are scaring more people off than they are promoting - but as they give people real experience with using and debugging IPv6. I have myself in the past weeks, while deploying IPv6 in production, found that a lot of the implementations and some of the standards are not very well tested. The only way to get over that hurdle is simply to have people use the technology. As they do, it will become more mature and the understanding of the problems will be better.

    Especially I believe the testing in "production" of the NAT-PT features at NANOG and APRICOT to be highly useful. I think that most operators and a lot of the people working on standardisation of IPv6 and at vendors are starting to realise that a dual-stack, i.e. IPv4 and IPv6 network in co-existence, will be very hard to do in large-scale deployments. NAT-PT offers translation from an IPv6 world to an IPv4 world. And while that implies, as the CircleID article above also notes, that NAT-PT comes with all the drawbacks of

    I am looking forward to the IPv6 hour at the IETF plenary later today!

    RIPE NCC RIS data and the PT Youtube hijack


    This has been posted elsewhere, but I still wanted to put up a link here. The entire event is quite interesting and in a way shows how vulnerable the routing system is. A deliberate attack would be harder, as you would first of all need to gain access to something (a router) that would have enough trust so that malicious data would propagate into the global routing system. Now, this might seem hard, but according to some reports this is happening on a weekly basis. However, the data then injected or hijacked is not of a high-profile nature - such as the youtube.com prefix.

    Much has been said and written about securing the routing system, and various proposals have been made. None of the proposals has however managed to make it into a standard, and even less so into production networks. The IETF SIDR WG has worked on the specification for what could be "back-end" certificates.

    However, as the above video shows, it's also much harder these days to attack high-profile targets. People notice. And what's more, the global routing system is actually being monitored by public tools like the RIPE NCC RIS project - but also by specialised firms that actively follow their customers' prefixes and track changes down.

    Personal opinion - while I do worry about routing security in general and I believe we need to address this for the future, I also believe that sometimes this has been hyped quite a bit. There are other means that would help mitigate this quite a bit, like signed web-sites etc. The problem is of course the underlying lack of a certificate hierarchy and structure, which is hard to implement globally and in a scalable fashion. But I am not convinced either that starting with securing the routing system is the right thing to do when it comes to building these certificate hierarchies. Also, in parts of the world, like Europe, ingress filtering seems to be in wider use than in other places, probably because the RIPE database is in better shape than a lot of the other data sources. Last, the point was also made at the IEPG meeting on Sunday that deployment and backward compatibility will be a hard problem to solve. Also, if the true sad state is that people can't be bothered to filter with existing tools, what would be the incentive for them to use certificates?
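Two mechanisms are at work in an event like this: longest-prefix match, which is why a leaked more-specific wins over the legitimate announcement everywhere it propagates, and origin filtering at the ingress, which is what would have stopped it. The following is an added example, my own code and not anything from the original post, the RIPE NCC or the IETF SIDR working group. It builds a small constructed RIB from documentation prefixes and private-use ASNs (not the real youtube.com event), shows which origin traffic ends up at, and then applies a simplified ROA-style check of the (prefix, origin AS, maximum length) kind that SIDR was specifying. The prefixes, ASNs and the authorisation table are all assumptions constructed for the example.

```python
"""Why a more-specific announcement wins, and what origin filtering changes.

Added example, not code from the original post, the RIPE NCC or the IETF
SIDR working group. The RIB, the hijacking AS and the authorisation table
are constructed from documentation prefixes and private-use ASNs; they are
not the real youtube.com event. The authorisation table follows the ROA
idea (prefix, origin AS, maximum length); the validation logic below is a
simplified version written for this example.
"""
import ipaddress


def route(prefix: str, path: list) -> dict:
    """A BGP route as seen in a RIB: prefix plus AS path, origin AS last."""
    return {"prefix": ipaddress.ip_network(prefix), "path": list(path)}


def best_route(rib: list, dest: str):
    """Longest-prefix match: the most specific covering route wins before
    AS-path length or anything else is considered. That ordering is the
    whole leverage of a more-specific hijack."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in rib if addr in r["prefix"]]
    if not covering:
        return None
    return max(covering, key=lambda r: (r["prefix"].prefixlen, -len(r["path"])))


def origin_state(r: dict, roas: dict) -> str:
    """ROA-style validation of one route.

    roas maps an authorised prefix to (origin AS, max prefix length).
    'valid'     : covered by a record with matching origin and length <= max
    'invalid'   : covered by one or more records, none of which matches
    'not-found' : no record covers the prefix (kept below; dropping unknowns
                  would cut off everyone who has not published a record)
    """
    state = "not-found"
    for roa_prefix, (origin_as, max_len) in roas.items():
        if r["prefix"].subnet_of(roa_prefix):
            if r["path"][-1] == origin_as and r["prefix"].prefixlen <= max_len:
                return "valid"
            state = "invalid"
    return state


def apply_origin_filter(rib: list, roas: dict) -> list:
    """Ingress filter: keep valid and not-found routes, drop invalid ones."""
    return [r for r in rib if origin_state(r, roas) != "invalid"]


def who_gets(dest: str, rib: list):
    """Origin AS that traffic for dest ends up at under this RIB."""
    r = best_route(rib, dest)
    return r["path"][-1] if r else None


# Constructed RIB. AS64500 legitimately originates 198.51.100.0/24, learnt
# via AS64510. AS64511 leaks a more-specific /25 covering half of it, and
# that leak has already propagated one hop through AS64512.
RIB = [
    route("198.51.100.0/24",   [64510, 64500]),
    route("198.51.100.128/25", [64512, 64511]),   # the hijack
    route("203.0.113.0/24",    [64510, 64496]),   # unrelated, no record
]

# Constructed authorisation table: only AS64500 may originate the /24, and
# nothing more specific than a /24 is authorised.
ROAS = {ipaddress.ip_network("198.51.100.0/24"): (64500, 24)}

VICTIM_HOST = "198.51.100.200"   # an address inside the hijacked /25

if __name__ == "__main__":
    print("unfiltered RIB: traffic for %s goes to AS%d" % (VICTIM_HOST, who_gets(VICTIM_HOST, RIB)))
    for r in RIB:
        print("  %-19s origin AS%d: %s" % (r["prefix"], r["path"][-1], origin_state(r, ROAS)))
    filtered = apply_origin_filter(RIB, ROAS)
    print("filtered RIB:   traffic for %s goes to AS%d" % (VICTIM_HOST, who_gets(VICTIM_HOST, filtered)))
```

Note what the filter does and does not need: it never looks at the AS path beyond the origin, so it stops a more-specific leak from an unauthorised origin but not an attacker who announces the prefix with the legitimate origin AS prepended. That is the gap between origin validation and full path validation, and it is why the question of who gets to publish the authorisation records (the certificate hierarchy) matters as much as the filter itself.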

    Google goes IPv6

    Content has long been pointed to as one of the drawbacks of IPv6. So it's good news that Google has launched an IPv6 version at http://ipv6.google.com

    ; <<>> DiG 9.4.1-P1 <<>> ipv6.google.com aaaa
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15317
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 7

    ;; QUESTION SECTION:
    ;ipv6.google.com. IN AAAA

    ;; ANSWER SECTION:
    ipv6.google.com. 499 IN CNAME ipv6.l.google.com.
    ipv6.l.google.com. 5 IN AAAA 2001:4860:0:1001::68
    ipv6.l.google.com. 5 IN AAAA 2001:4860:0:2001::68

    ;; AUTHORITY SECTION:
    l.google.com. 22587 IN NS c.l.google.com.
    l.google.com. 22587 IN NS d.l.google.com.
    l.google.com. 22587 IN NS e.l.google.com.
    l.google.com. 22587 IN NS f.l.google.com.
    l.google.com. 22587 IN NS g.l.google.com.
    l.google.com. 22587 IN NS a.l.google.com.
    l.google.com. 22587 IN NS b.l.google.com.

    ;; ADDITIONAL SECTION:
    a.l.google.com. 6875 IN A 209.85.139.9
    b.l.google.com. 10718 IN A 64.233.179.9
    c.l.google.com. 10718 IN A 64.233.161.9
    d.l.google.com. 10720 IN A 66.249.93.9
    e.l.google.com. 10720 IN A 209.85.137.9
    f.l.google.com. 10720 IN A 72.14.235.9
    g.l.google.com. 10720 IN A 64.233.167.9

    ;; Query time: 10 msec
    ;; SERVER: 130.129.5.6#53(130.129.5.6)
    ;; WHEN: Wed Mar 12 15:44:45 2008
    ;; MSG SIZE rcvd: 334


    I am a bit puzzled as to why there are only IPv4 records for the DNS servers though...
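    To make the observation above checkable, an added example (not from the original post) that parses dig output into its sections and lists the name servers for which the reply carried A but no AAAA glue; the embedded output is an abridged copy of the one quoted above.

```python
# Abridged copy of the dig output quoted above, constructed for this example
# (header, timing and four of the seven NS records dropped for brevity).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;ipv6.google.com. IN AAAA

;; ANSWER SECTION:
ipv6.google.com. 499 IN CNAME ipv6.l.google.com.
ipv6.l.google.com. 5 IN AAAA 2001:4860:0:1001::68
ipv6.l.google.com. 5 IN AAAA 2001:4860:0:2001::68

;; AUTHORITY SECTION:
l.google.com. 22587 IN NS a.l.google.com.
l.google.com. 22587 IN NS b.l.google.com.
l.google.com. 22587 IN NS c.l.google.com.

;; ADDITIONAL SECTION:
a.l.google.com. 6875 IN A 209.85.139.9
b.l.google.com. 10718 IN A 64.233.179.9
c.l.google.com. 10718 IN A 64.233.161.9
"""

def parse_dig(text):
    """Split dig output into {section: [(owner, ttl, rrtype, rdata), ...]}.
    Lines starting with ';' are comments or the question and are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("SECTION:"):
            current = line.lstrip("; ").split()[0]   # "ANSWER SECTION:" -> "ANSWER"
            sections[current] = []
        elif line and not line.startswith(";") and current is not None:
            owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
            sections[current].append((owner, int(ttl), rrtype, rdata))
    return sections

def nameserver_families(sections):
    """Map each NS target in AUTHORITY to the address-record types found for it
    in ADDITIONAL, e.g. {'a.l.google.com.': {'A'}}."""
    glue = {}
    for owner, _ttl, rrtype, _rdata in sections.get("ADDITIONAL", []):
        if rrtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rrtype)
    return {rdata: glue.get(rdata, set())
            for _o, _t, rrtype, rdata in sections.get("AUTHORITY", []) if rrtype == "NS"}

def v4_only_nameservers(text):
    """Name servers for which the response carried A but no AAAA glue."""
    fams = nameserver_families(parse_dig(text))
    return sorted(ns for ns, types in fams.items() if "A" in types and "AAAA" not in types)
```

    A missing AAAA in ADDITIONAL only means the responding resolver did not include one; an explicit AAAA query for each name server settles whether it really is reachable over IPv4 only.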

    March 13, 2008

    IPv6 hour experiment and the IETF Administrative Plenary

    So last night the IETF did the "IPv6 hour experiment". Unfortunately I spent a lot of time on the stage. Which was a good thing - letting the community provide feedback and ask questions on the IASA activities of the IETF is important. I was the IAOC chair until last night. Having been involved with IASA since the negotiations with CNRI in setting up the current IETF Trust and taking control of operations under the ISOC umbrella, I believed it was time to step down. Ole Jacobsen was appointed by the IESG to fill my slot on the IAOC, and on Monday the IAOC appointed Jonne Soininen as chair of the IAOC for the next year, and Ed Juskevicius as chair of the IETF Trust.

    But back to the IPv6 Experiment. Once down from the stage I discovered that:

    Mail works. Mail.app happily sent and received email. My IMAP server (Courier-IMAP) and SMTP servers (Postfix) both supported IPv6.

    The iTunes store - did not work over IPv6. Not sure what I expected here, but I thought I should try.

    The Apple Bugreporter did not work. I noticed this as an application crashed, but the crash was unrelated to the IPv6 Experiment.

    Neither of my Jabber or AIM clients worked (Adium, iChat), but here there were also issues on the server side. The server software in use, eJabberd, does have an issue with supporting IPv6. It does handle v6 packets, just not on the same port number as for IPv4. Which basically makes the IPv6 support useless. If it doesn't support it in the same way as IPv4 - it will be even harder to adopt. I really hope that this will be fixed.

    On the same note, Bonjour worked, but I have to admit that I didn't check if it actually used IPv6 or just the broadcast domain.

    On the previously reported good news, ipv6.google.com worked well. Other Google applications such as Google Maps did not work, but applications that are served out of the same URL, such as ipv6.google.com/analytics, seemed to almost work. Every now and then you got a page. I guess that the Google team is still working on it.

    Skype did not work. Again, not sure what I expected here.

    Marratech did not work either. As Marratech as I understand it is just a port 80 application with a Java based client, I assume part of this reason is that the server I tried to connect to is not IPv6 enabled.

    All the IETF web-sites worked.

    I did notice that www.ripe.net also worked, but others like lirportal.ripe.net and ris.ripe.net did not work. This surprised me a lot.

    Other web-sites I found that didn't work:

    www.euro-ix.net - does not work
    www.slashdot.org - does not work
    www.apple.com - did not work

    So what did we learn? Well, I don't think this exercise was meant as an exercise to learn as much as to make people try. I do think it was interesting to watch the lead-up to this event compared to other similar events. It appeared as if the operational community just attacked the problem and lived with it - while the standards people who invented this were fighting in loads of emails against trying this. Go figure. But I think it's very telling about what the IETF has become. We are better at writing papers and text than at trying to figure out if something will actually work...
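    One way to catch the eJabberd-style mismatch noted above, where IPv6 is served but not on the same port as IPv4, as an added example (not from the post and not eJabberd's code): probe the same TCP port over both address families. The demo binds a constructed IPv4-only listener on loopback; for a real service pass its A and AAAA addresses as host_v4 and host_v6.

```python
import socket

def reachable(family, host, port, timeout=1.0):
    """True if a TCP connect to (host, port) succeeds for the given address family.
    Connection refused, no route and 'IPv6 not available here' all count as False."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
        return True
    except OSError:
        return False

def dual_stack_verdict(port, host_v4="127.0.0.1", host_v6="::1"):
    """Probe the SAME port over both families and summarise the result.
    Hosts default to loopback; pass a service's A/AAAA addresses to test it."""
    v4 = reachable(socket.AF_INET, host_v4, port)
    v6 = reachable(socket.AF_INET6, host_v6, port)
    if v4 and v6:
        return "dual-stack"
    if v4:
        return "ipv4-only"   # the eJabberd pattern: v6 may exist, but not on this port
    if v6:
        return "ipv6-only"
    return "closed"

def demo_ipv4_only_listener():
    """Constructed check: start an IPv4-only listener on an ephemeral loopback port
    and probe it; the expected verdict is 'ipv4-only'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return dual_stack_verdict(srv.getsockname()[1])

if __name__ == "__main__":
    print(demo_ipv4_only_listener())
```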

    Comments to the blog...


    People are telling me the comments don't work. I know. I am drowning in blog spam, so I enabled the built-in CAPTCHA function. Which didn't work. I need to spend more time on this but not right now. If you have comments - send me mail to kurtis < no spam> kurtis dot se.

    March 31, 2008

    On the power of blogs and trusting information on the Internet

    For the past week(s) there has been a debate about blogs, well a particular blog actually, in Swedish media. The debate was actually about shopping and how this affects young persons, but after a debate in SVT (Swedish public TV) it was exemplified with the blog Blondinbella. Now, I have to admit that I haven't read the blog (the fact that it's written to..eh...I guess that a blog about fashion written by a 17 year old girl does not consider me part of their target group...) but I got somewhat curious after having read coverage in more serious news sources such as SvD.

    First of all, I think that a young girl who starts her own Internet company and in a relatively short time manages to become the most read site in Sweden deserves all respect. And I think she should get all the encouragement possible. As for the shopping and the effect on young girls - I am convinced most people out there will know more about this topic than me. However, there is a subtle point that was just touched upon in the debate. The fact that she has a turnover of millions according to news reports, and that - again according to news reports - she mostly reviews and recommends sponsored products. To the point that she got paid to do product placement in one of the debate programs. This is done with no reference to these products being sponsored. This is where I get a bit troubled. Swedish law actually bans hidden, paid, commercial, written advertising that can be confused with editorial material. Now, this law to the best of my knowledge does not include Internet media. However, it's a stellar example of "do not trust what you read on the Internet". At least not without referencing. What is worrying is that sites like this, that target a public that is vulnerable, will do us all a disfavour. Politicians will have a very hard time resisting the temptation to use this as an argument for furthering regulation of the Internet and adding more responsibility to sites. In this case, they might have asked for it. What puzzles me is that Google Sweden's ex-CEO, Johan Kinnander, is on the board of Blondinbella AB and you would think he knows better than that...

    April 2, 2008

    Hot architectural issues for the Internet


    The IAB's chair, Olaf Kolkman, asked the members of the IAB to each provide a statement paper on what they believe the current most pressing issues in terms of Internet architecture are. Not sure if these will be made public or not, but I decided to post mine here.

    I am now late with my paper, but today I decided to write it. I have thought about this for the past few days, and realised that it's hard to come up with overarching issues and even harder to come up with issues where the IAB actually could make a difference. But I came up with two issues.


    Protocol balkanisation and engineering laziness - Support of the walled gardens

    I see tendencies in the IETF that some work targets very specific use cases. This seems to me to often lead to protocols that make assumptions about the deployment environment, effectively producing protocols that will only work inside a given domain. These domains, more often than not, mirror the networks of the providers. This builds a "walled garden" of protocol deployment into the design of the protocols themselves, rather than building on the traditional model of the Internet, where the only assumption allowed by a higher protocol is the characteristics of the IP network lower in the protocol stack. This development is probably due to a number of factors. Mostly this is seen in the cases where traditional telco behaviour is being back-ported to "Internet awareness", or with the buzzword of the day, Next Generation Networks. Partly I also believe that engineering laziness is to blame. Often, the simpler, limited use case is easier to engineer for than a wider, Internet-wide problem.

    It's also true that these applications in many cases will only ever exist inside a single domain, but we are also seeing cases where business development forces us to retrofit technology to work across the Internet, often by adding new supporting protocols and complexity onto something existing and deployed. The risk here is that we are moving towards being the IP Engineering Task Force, rather than the Internet Engineering Task Force. This worries me as we are then on a sliding plane to an IP architecture where walled gardens and feature lock-in have been cemented, rather than the end-user centric, "pick and choose" model that to a large extent was the base for the success of the Internet. People are starting to assume Ethernet as the physical medium, just as we assume HTTP as the transport protocol.

    So what can the IAB do? This seems to be a much harder question, but I think that first of all we need to stress the layer independence of TCP/IP and work together with the IESG on identifying problem areas, and perhaps even work with the WGs to help protocols work across the wide Internet.


    The scaling of BGP and IETF protocols

    Tons have been written on the imminent collapse of the Internet due to the rush to multihoming with IPv6 (and in some cases - with IPv4). I don't question the fact that the scaling properties of BGP in the global Internet are worrying in the long run, but I also believe that the cost of multihoming today is prohibitive enough that there won't be a land rush. Current trends also seem to support that end users would rather NAT, even in IPv6 - mostly for perceived benefits - and pay less, than subscribe to a better service at a higher cost. What DOES worry me in the short run is the fact that iBGP is being used for a number of other services such as VPNs and endpoint discovery. Looking at data provided by ISPs at a number of recent Internet conferences, the number of internal routes is much higher, and growing much faster, than the global Internet routing table. Most, if not all, of the proposals that have been made to help with the global routing scaling issues do not address the internal route issue. Some of them could probably be retrofitted to deal with this, others won't do any better. I believe this issue will become pressing enough that it might have to be treated as a separate issue. Several large providers, as far as I know, are already feeling the pain and are therefore building out separate infrastructure to handle these services. While this certainly is good business for the vendors of routing equipment, it will raise deployment costs and again build barriers between services.

    I believe the IAB needs to stress these issues and perhaps try to spin off separate work on the scaling of VPNs and endpoint discovery.

    On protecting communication of your citizens...

    In IDG I read that TeliaSonera has decided to move their email server to Finland to protect the integrity of their Finnish customers, in accordance with Finnish law. This is done in anticipation of a law being passed later this spring that will authorise the Swedish "NSA equivalent", FRA, to wiretap international traffic. I believe this to be a good thing - for the Finns. However, it will of course also guarantee that all of TeliaSonera's Swedish customers will have their emails intercepted by FRA. Something that the press seems to have completely missed. Oh well...

    April 25, 2008

    IAB retreat

    I am (or rather Netnod is), together with Loa Andersson of Acreo, hosting an IAB retreat in Stockholm. Before this I posted my architectural issues paper to the IAB here on the blog, and it will now be interesting to see the others present their views.

    These meetings are normally pretty intensive, but it will be interesting to see what we agree on as the challenges ahead.

    April 21, 2008

    The week ahead...


    ...will be busy. We are hosting the Euro-IX Forum in Stockholm Monday and Tuesday, then on Wednesday we are running an IPv6 workshop for the providers in Sweden, and Friday and Saturday the IAB meets in Stockholm. Hopefully all of this will result in blogpostings - time allowing :-(

    May 1, 2008

    Presentation at INEX


    Today I am in Dublin, Ireland, invited by INEX, the Internet exchange in Ireland. This is one of those signs of how closely the IXPs in Europe actually co-operate. I am invited to talk about the broadband build-out in Sweden and also a bit about the history of Netnod. My slides can be found here, and I will already acknowledge now that not everyone will agree with the conclusions :-)

    May 2, 2008

    INEX members meeting


    The INEX meeting yesterday had a very good mix of technical and policy presentations. It's always good to come out and see some of the other IXes, meet their members and see how they are developing.

    o Radio spectrum, Kevin Kennedy ComReg

    First out was Kevin Kennedy from the Irish regulator ComReg. He spoke about the use of the radio spectrum in Ireland. Usage of the radio spectrum is hi