Category: networking

25 April 2013

PhoneBoy Speaks Ep 129: The Last Foot Problem With Broadband

Filed under: networking,PhoneBoy Speaks,security,telecom - 25 Apr 2013

Google Fiber will come to Austin in 2014. Eventually, we’ll have speeds like that everywhere, but will you actually be able to take advantage of them once they’re available to you?

How to Subscribe to PhoneBoy Speaks: iTunes | RSS feed | SoundCloud

Find PhoneBoy on: Twitter (@phoneboy) | App.Net (@phoneboy) | Facebook (phoneboy) | Google+

31 January 2013

PhoneBoy Speaks Ep 44: Belsys? Linkin? Whatever.

Filed under: networking,PhoneBoy Speaks - 31 Jan 2013

Belkin is buying Linksys from Cisco? Yeah, that’s going to improve the quality of their products. Like anyone will notice or care anyway.


1 April 2012

NAT is Coming to IPv6. Whether We Like It Or Not.

Filed under: networking - 01 Apr 2012

We have dueling viewpoints on this topic. First from Networking Nerd:

NAT on IPv6 is pointless and a bad idea.

There is no reason to implement native IPv6-to-IPv6 NAT (NAT66) in reality. The address space is way too big to require translation in the foreseeable future of my lifetime or even that of my kids. If you are really concerned about hiding your addresses or disguising your MAC address, you can look into the idea of Temporary Addressing. In the middle of writing this post, Paul Regan asked me about using NAT to translate when you move from one provider to another. That might be a good use case, and it happens to be the one that RFC 6296 is lined up to address, but if keeping your IPv6 space is so important when you move, why not sign up for a provider-independent block from your local Regional Internet Registrar (RIR) and run BGP to advertise it yourself? If you switch ISPs often enough to keep switching IP schemes every few months, maybe you need to worry more about stability and less about chasing the lowest ISP price. If your ISP keeps forcing you to switch addressing space that often, it might be time to shop around.

And then we have El Reg:

Right about now, an interjection typically begins “but the Cisco…” and I have to stop everyone right there. If your argument includes the words Cisco or Juniper, we’re not talking about the same market.

The budgets available for the IT space I am talking about differ by an order of magnitude. Despite this, we somehow manage to provide uptimes no worse than the big guys and still manage redundancy. At least we do in an IPv4 world.

This leads into the other major issue with IPv6: the inability to do multihoming. In an IPv4 world this is simple and cheap. The IPv6 solution is “get a carrier-independent address assignment and do proper routing”.

And I’d like to be the King of all Londinium and wear a shiny hat.

Meanwhile on planet Earth

These folks obviously know nothing about life on the frugal edge. Consumer-grade ISP connections simply don’t allow for that sort of thing. Even if you have the cash for your ISP’s so-called business-class package, they’ll still give you the stink eye the instant you start talking about such tomfoolery.

From a purely technical perspective, is the suggestion on the table really that three-person companies seeking ISP redundancy start doing BGP? That is the single craziest thing I have ever heard.

By the way, even the large enterprises want NAT66 to ensure, in a multihomed environment, a given traffic flow utilizes the same link up and down. No asymmetric routing. These are businesses that can clearly afford Cisco over Linksys and have the expertise in-house to manage BGP. And yet they want NAT66.

So NAT66 is coming. Whether the standards Gods want it or not, whether the people against NAT want it or not, the market is demanding it. Either the standards Gods can come up with a solution to the problem or the market will.

Meanwhile, I hope we can at least leave the HIDE/Masquerade bits of NAT behind in the transition to IPv6 with NAT. At least something like Network Prefix Translation (NPTv6, RFC 6296) gives you the ability to address a host bi-directionally: the mapping is a stateless one-to-one rewrite of the prefix, so an inside host keeps a stable, reachable outside address, and the translator carries no connection table that has to be kept in sync across redundant links.
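Here is how the checksum-neutral prefix rewrite in RFC 6296 actually works, as an added Python example that is not code from the original post or from any translator implementation. The prefixes and host addresses are made up: fd01:203:405::/48 stands in for the internal ULA and 2001:db8:1::/48 for the provider-assigned prefix. The example handles the /48 case only; the RFC also covers longer prefixes by adjusting a word inside the interface identifier instead of the subnet word.

```python
import ipaddress


def ones_complement_sum(words):
    """One's complement sum of 16-bit words, folded into 0..0xFFFF (RFC 1071 arithmetic)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total


def address_words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    n = int(addr) if isinstance(addr, ipaddress.IPv6Address) else int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def words_to_address(words):
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


class NPTv6:
    """Stateless /48-to-/48 prefix translator following RFC 6296, section 3.

    Rewriting the prefix changes the one's complement sum over the address,
    which TCP, UDP and ICMPv6 checksums include via the pseudo-header. The
    translator adds a fixed "adjustment" to the 16-bit subnet word (bits
    48-63) so the sum is unchanged and no checksum has to be recomputed.
    """

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example handles /48 prefixes only")
        sum_internal = ones_complement_sum(address_words(self.internal.network_address)[:3])
        sum_external = ones_complement_sum(address_words(self.external.network_address)[:3])
        # adjustment = internal - external; one's complement subtraction is
        # addition of the complement. It is constant for the life of the config.
        self.adjustment = ones_complement_sum([sum_internal, (~sum_external) & 0xFFFF])

    def _translate(self, addr, src_net, dst_net, adjustment):
        if ipaddress.IPv6Address(addr) not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        words = address_words(addr)
        if words[3] == 0xFFFF:
            raise ValueError("subnet 0xFFFF cannot be translated (RFC 6296, section 3.1)")
        words[:3] = address_words(dst_net.network_address)[:3]
        subnet = ones_complement_sum([words[3], adjustment])
        words[3] = 0x0000 if subnet == 0xFFFF else subnet  # 0xFFFF is "negative zero"
        return words_to_address(words)

    def to_external(self, addr):
        """Inside-to-outside: replace the prefix, add the adjustment."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def to_internal(self, addr):
        """Outside-to-inside: replace the prefix, subtract the adjustment."""
        return self._translate(addr, self.external, self.internal, (~self.adjustment) & 0xFFFF)


def checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same value to a transport checksum."""
    return ones_complement_sum(address_words(addr_a)) == ones_complement_sum(address_words(addr_b))


if __name__ == "__main__":
    # Constructed example: a ULA inside, a documentation prefix outside.
    nptv6 = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")
    inside = "fd01:203:405:1::10"
    outside = nptv6.to_external(inside)
    print(inside, "->", outside, "->", nptv6.to_internal(outside))
    print("checksum neutral:", checksum_neutral(inside, outside))
```

Because the adjustment is a single constant derived from the two prefixes, the translator needs no per-flow state at all: a packet arriving from outside on either of two redundant links is mapped back to the same inside address by the same arithmetic, which is the property that makes this usable for multihoming without the connection tracking that IPv4 masquerade drags along.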

 

16 March 2012

Conservation and Abundance

I often think about the rather abysmal battery life in my mobile devices. You know, the smartphones, the tablets, the laptops, what have you. There are several ways to look at this, but two are useful:

  • We need bigger batteries
  • We need electronics that consume less power

If you think about it, both statements are absolutely true. Bigger batteries mean more absolute power is available for use. On the other hand, more efficient power use allows you to do more with the same absolute quantity of power.

Look at successive generations of Apple’s iPhone. Each handset does more, faster, than the previous generation did with roughly the same overall battery size (and life). This is accomplished by a combination of greater efficiency and a marginally larger battery.

This thought occurred to me again as I read about T-Mobile USA’s plans to use their anemic spectrum holdings differently, which will allow them to deploy an LTE network as good as their competition’s with only a modest increase in spectrum, spectrum they received from AT&T as a consolation prize for the failed AT&T/T-Mobile merger.

It certainly makes me question AT&T’s statements about mobile bandwidth scarcity. Or Comcast’s. Or those of any other ISP or telco, for that matter.

Back in the days of dialup Internet access, I listened to streaming audio thanks to technologies like RealAudio and TrueSpeech. They made excellent use of very limited bandwidth to let me hear audio streamed over my dialup modem. Technology allowed me to make the best of limited bandwidth, turning scarcity into abundance.

And then I think about areas outside of North America and Europe where traditional desktop and laptop computers are not common. I’m talking about places like Nigeria, where the closest thing many people have to a computer is a mobile phone, and it is through that phone’s limited interface and even more limited data network that they access the digital world.

Which makes me think we are trying to bridge the digital divide in the USA all wrong. Rather than bringing expensive Internet with expensive, complex computers to the poorer masses, why don’t we bring them capable mobile phones backed by a strong wireless network with compelling mobile services? What do you think?

8 February 2011

Your ISP May be Trialing IPv6 Already!

Filed under: ipv6,networking - 08 Feb 2011

I’ve been playing with IPv6 a bit on my home network and experimenting with different access methods. While I love the folks at Hurricane Electric and their Tunnel Broker service, it turns out that both Comcast and CenturyLink (I use both of them) are already providing 6to4 Anycast relay service using the 192.88.99.1 address! It’s not native IPv6 yet–Comcast is trialing dual-stack IPv4 and IPv6 in a few areas as well as other access methods per their Comcast IPv6 Information Center–but I feel somewhat better using a service my ISP is using.

The way it works is pretty simple: the IPv6 prefix 2002::/16 is allocated specifically to 6to4 tunneling. If you set up a tunnel to 192.88.99.1 (which is an anycast IP address, so you reach whichever relay is nearest you), you will be able to use 2002:xxxx:xxxx::/48 as IP address space (where xxxx:xxxx is your public IPv4 address in hex). So for example if your public IPv4 address is 192.0.2.240, you will have 2002:c000:02f0::/48 as publicly routable IP address space! It does have to be a public address: a 6to4 prefix built from an RFC 1918 address looks valid but nothing on the Internet can send a reply to it. Also note that replies come back through whichever 6to4 relay is nearest the remote end, which need not be your ISP’s.
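The derivation above, as an added Python example that is not from the original post or from any tunnel software, together with the address checks a 6to4 endpoint has to make: which IPv4 ranges cannot work behind a relay, and where the encapsulating IPv4 packet is sent (straight to another 6to4 site, or to the 192.88.99.1 relay for native IPv6 destinations). 192.0.2.240 is the documentation address used in the post; the list of unusable ranges is my own and deliberately leaves the 192.0.2.0/24 documentation block out so the post’s example works.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")       # RFC 3056
ANYCAST_RELAY = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068

# Ranges a 6to4 relay can never send a reply back to. A 2002: prefix built
# from one of these parses fine but is unreachable from the Internet.
NOT_REACHABLE_VIA_RELAY = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def six_to_four_prefix(public_v4):
    """The /48 that RFC 3056 derives from a public IPv4 address: 2002:VVVV:VVVV::/48."""
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in net for net in NOT_REACHABLE_VIA_RELAY):
        raise ValueError(f"{v4} is not a public IPv4 address; 6to4 needs one")
    # bits 0-15 are 0x2002, bits 16-47 carry the IPv4 address, the rest is yours
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(addr6):
    """Recover the IPv4 endpoint that a 6to4 address advertises to the world."""
    a = addr6 if isinstance(addr6, ipaddress.IPv6Address) else ipaddress.IPv6Address(addr6)
    if a not in SIX_TO_FOUR:
        raise ValueError(f"{a} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def next_hop_ipv4(dst6):
    """IPv4 destination of the encapsulating packet: another 6to4 site is reached
    directly, everything else goes via the anycast relay (RFC 3056, section 5.2)."""
    a = ipaddress.IPv6Address(dst6)
    return embedded_ipv4(a) if a in SIX_TO_FOUR else ANYCAST_RELAY


def lan_subnet(public_v4, subnet_id):
    """One of the 65,536 /64s inside the site's 6to4 /48."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(six_to_four_prefix(public_v4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.240"))           # 2002:c000:2f0::/48
    print(lan_subnet("192.0.2.240", 1))                 # 2002:c000:2f0:1::/64
    print(next_hop_ipv4("2002:c000:2f0:1::1"))          # 192.0.2.240 (direct)
    print(next_hop_ipv4("2001:db8::1"))                 # 192.88.99.1 (relay)
```

The embedded_ipv4 function is also the privacy point in miniature: every IPv6 address a 6to4 site uses tells the remote end the site’s public IPv4 address, so temporary addresses do nothing to hide it.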

I found a great site that explains how to configure this kind of 6to4 tunnel on various operating systems. It tells you what your current IP is and tells you how to configure the tunnel based on that IP. You can also specify an IP to use.

Using this, I experimented with both Comcast and CenturyLink and found CenturyLink’s 6to4 relay to have significantly lower latency. I also discovered, from traceroutes, that CenturyLink appears to be using a 6to4 relay at Hurricane Electric!

The nice thing about this is that you don’t have to sign up for an account or anything. You just configure it properly and it works, with a /48 all to yourself. The flip side is that nobody is vouching for anyone: the relay forwards whatever arrives, your public IPv4 address is embedded in every IPv6 address you use, and the tunnel adds no encryption, so the relay operator sees your traffic exactly as it would on the IPv4 side.


3 February 2011

Speaking IPv6–Privately

Filed under: ipv6,networking - 03 Feb 2011

I’ve been thinking deep thoughts about IPv6 recently. One thought that occurred to me: what about the concept of private addresses? In IPv4, we have RFC 1918, which defines several blocks of IP addresses for private, non-Internet use. Did they think about this in IPv6?

Turns out they did: RFC 4193. The prefix FC00::/7 has been set aside as Unique Local IPv6 Unicast Addresses. This accounts for roughly 0.781% (1/128) of the total available IPv6 address space, which is still a lot of addresses. In fact, it works out to roughly 2.2 trillion (2^41) /48 networks, each of which could be used to allocate 65,536 /64 networks (the smallest recommended network size in IPv6), on which each network can have more than 18 quintillion (2^64) individual addresses (or the square of the entire IPv4 address space)!

That’s a lot of addresses. Not that anyone will come anywhere near putting that many hosts on a single subnet, but it does leave a lot of room to solve a common problem when interconnecting private networks with a VPN–address collisions.

After the first 8 bits of a private IPv6 address (the 7-bit FC00::/7 prefix plus the L bit, which is set to 1 for locally assigned prefixes, giving FD00::/8), the next 40 bits are designated as a Global ID. Each site generates this independently, and if the generation is random, as RFC 4193 prescribes, the odds that two sites that might interconnect have picked the same Global ID are roughly 1 in 1.1 trillion (there are 2^40 possible values). Even if 100 sites connect together, the odds that any two of them collide are still only about 1 in 220 million.

The next 16 bits of the IP are the subnet ID, so within a particular global ID, you have 65,536 subnets. That’s a lot of networks!
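The Global ID generation algorithm that RFC 4193 specifies, plus the subnet layout and the collision odds discussed above, as an added Python example that is not from the original post. The MAC address and timestamp are constructed inputs; the collision probability uses the standard birthday bound, which is how the table in the RFC was derived.

```python
import hashlib
import ipaddress
import math
import time

ULA = ipaddress.IPv6Network("fc00::/7")    # RFC 4193
NTP_EPOCH_OFFSET = 2208988800              # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time=None):
    """64-bit NTP format: 32 bits of seconds since 1900, 32 bits of fraction."""
    t = time.time() if unix_time is None else unix_time
    seconds = (int(t) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((t - int(t)) * (1 << 32)) & 0xFFFFFFFF
    return (seconds << 32) | fraction


def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE, flip the universal/local bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = raw[:3] + b"\xff\xfe" + raw[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def ula_prefix(eui64, ntp_time):
    """RFC 4193, section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64),
    placed behind FD00::/8 (FC00::/7 with the L bit set). Returns the site's /48."""
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")        # least significant 40 bits
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix, subnet_id):
    """One of the 65,536 /64s in a ULA /48; the 16-bit Subnet ID sits at bits 48-63."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def collision_probability(sites, id_bits=40):
    """Birthday bound: chance that at least two of `sites` independently chosen
    Global IDs are equal. expm1 keeps precision for very small probabilities."""
    pairs = sites * (sites - 1) // 2
    return -math.expm1(-pairs / 2 ** id_bits)


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC address and the current clock.
    site = ula_prefix(mac_to_eui64("00:11:22:33:44:55"), ntp_timestamp())
    print("site prefix:", site, "in", ULA, "->", site.subnet_of(ULA))
    print("first LAN:  ", ula_subnet(site, 1))
    for n in (2, 10, 100, 1000):
        print(f"{n:>5} sites: 1 in {1 / collision_probability(n):,.0f}")
```

Two things are worth noticing when you run it: the hash input includes the clock, so two sites that happen to share a MAC (virtual machines, cloned images) still get different prefixes, and the collision odds grow with the square of the site count, so a thousand interconnected sites are at roughly 1 in 2.2 million, which is still comfortably better than the near-certain 192.168.1.0/24 clash in IPv4.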

Of course, you still have a challenge in IPv6 similar to the one with IPv4 private addresses: if a machine has only a private address and needs to talk to the Internet, you will still need to employ NAT. The difference is that an IPv6 host can hold a ULA and a globally routable address at the same time, which is how RFC 4193 expects ULAs to be used, so NAT is a choice here rather than a necessity. I don’t know that NAT is inherently more difficult in IPv6 than IPv4, but it does require more resources, since the IP addresses are a lot bigger. However, despite there being more than enough addresses for everyone to have a public, Internet-routable IP, NAT will never completely go away.

29 January 2011

The Cisco Valet: Easy Setup, but is it Secure?

Filed under: computers,gadgets,networking,security - 29 Jan 2011

A PR firm representing Cisco asked me if I wanted to review the Cisco Valet, a line of “surprisingly simple home wireless” devices that, I have to say, does what it says on the tin. It is by far the easiest setup process I’ve seen.

The first thing I noticed was the packaging: a complete lack of technical jargon or marketing about how this router compares to the others they sell. The most technical things on the box are in small print and are basically a list of system requirements and a warning that, due to a number of factors, your wireless speeds and range may vary.

When I did the initial setup, I used my Mac, usually a stumbling block for these so-called “easy setup” programs. The Easy Setup Key is little more than a USB flash drive that contains some documentation and the Cisco Connect application. Launching Cisco Connect gives you a screen that tells you to do three things:

  • Plug the router into your Internet connection
  • Plug the router into your power
  • Click next

In less than the five minutes it tells you it could take, I had a screen that told me my router was set up and I was connected to it. Sweet! You can, of course, do some additional configuration of the router. A very simple interface is presented for doing this.

The Add Device option gives you the settings you need to configure a device; obviously, the details vary by device manufacturer. Once it has detected that the device has connected, you can then “name” the device for later. Handy!

I didn’t mess with the parental controls, as I almost never find them granular enough for my tastes. However, it appears they do some category-based URL filtering and allow you to blacklist sites. The problem is that the restrictions are per host, meaning you have to select the individual hosts that you wish to restrict. You also can’t whitelist sites or create a default URL filtering policy that applies to all connected hosts. That said, it’s more functionality than I’ve seen in a typical consumer router.

The guest access feature is quite handy as well. Cisco Valet creates a second (open) SSID that your guests can use to access the Internet. It is segmented off from your regular wireless network and presents a captive portal to your guests, who must enter a password before they are allowed access to the Internet. Keep in mind that the guest SSID is open: the captive-portal password only gates Internet access, and the guest’s traffic over the air is unencrypted.

Of course, you can disable this feature as well.

When the router is first configured, the SSID is set to a random adjective-noun combination and the password to a 10-character random string. In the Valet Settings, you can change both to something of your choosing. You can also save these settings to the Easy Setup Key (or create a new one using any standard USB thumb drive), which lets you easily configure other Mac or Windows computers in your house with the correct wireless settings.

And, of course, there are the Advanced Settings, which fire up a web browser with a typical Linksys-style web interface for configuring the router (though it is entirely Cisco-branded now). This is where the geek settings are, and they are, indeed, “advanced.” Given the relative ease with which computers can be added and the basic settings configured, I’m sure most people will rarely have a reason to visit them.

But Is It Secure?

Most reviews stop here. They are quite happy that someone has finally come up with a wireless router that almost anyone with even rudimentary computer knowledge could configure and use. That is a feat worthy of praise, no doubt.

I am not most people. I wonder, in the back of my mind, does Cisco make this device easy to use, yet actually make it secure? The answer is not surprising–to me at least.

First, it’s probably worth pointing out that I work for a competitor to Cisco: Check Point Software Technologies. We don’t really compete in the consumer market, but we certainly do in the enterprise network security market. That doesn’t affect my opinions here, but I figure I should disclose it since some might consider it a conflict of interest.

Prior to proceeding with the setup wizard, I looked at what the router was broadcasting by default: a WPA-protected access point named CiscoXXXXX (where XXXXX corresponded to the last 5 digits of the device serial number). My guess is that the router is preconfigured with some default WPA password that the Cisco Connect software then changes to something else, which it tells you after the setup is complete.

Cisco gets props on a number of things security related:

  • Choosing a random network name (SSID)–most manufacturers use a known default
  • Configuring WPA as a default
  • Choosing a random password that contains numbers, upper and lower case letters, and special symbols

All three of these things are good. The random SSID matters more than it looks: WPA derives the actual key from the passphrase using PBKDF2 with the SSID as the salt, so precomputed tables built against common default names like “linksys” are useless against this router, and an attacker who captures a handshake has to run the slow derivation for every guess. A random password then makes those guesses hopeless.

While these are far better than what I’ve seen from others, the defaults still leave something on the table. On the passphrase itself, Cisco is actually in better shape than the usual advice suggests: a 10-character string drawn at random from letters, digits and symbols is roughly 65 bits of entropy, which is beyond any practical offline attack on a captured WPA handshake. The common “20 characters or more” rule is aimed at passphrases people choose themselves, which are far less random than they look. The real weakness is the security mode. It defaults to WPA/WPA2 mixed mode, which allows TKIP; TKIP may be needed for some legacy hardware, but it has published packet-injection attacks and is not the most secure option. You can change the mode to WPA2, which only supports AES (CCMP). It would also be nice if you could change the group rekey interval, but I don’t see a way to do that from the Advanced Settings.
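To make the points about the SSID and passphrase length concrete, here is an added Python example, not from the original post or from Cisco’s software, that performs the WPA passphrase-to-PSK mapping from IEEE 802.11i and estimates how long an offline search of a captured handshake would take. The SSIDs and passphrases are constructed; the guessing rate of one billion PBKDF2 evaluations per second is a deliberately generous assumption, well beyond real cracking rigs, to show that the conclusion does not depend on it.

```python
import hashlib
import math


def wpa_psk(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output. Because the SSID is the salt, a table
    precomputed for one network name says nothing about a network with another."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_depends_on_ssid(passphrase, ssid_a, ssid_b):
    """Same passphrase, two SSIDs: the derived keys differ."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


def passphrase_entropy_bits(length, alphabet_size):
    """Entropy of a passphrase chosen uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_search(bits, guesses_per_second):
    """Time to try every key in a keyspace of 2**bits at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# Test vector published with the mapping in IEEE 802.11i (Annex H.4):
# passphrase "password", SSID "IEEE".
KNOWN_VECTOR = ("password", "IEEE",
                "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


if __name__ == "__main__":
    p, s, expected = KNOWN_VECTOR
    print("test vector ok:", wpa_psk(p, s).hex() == expected)
    # Constructed SSIDs: a common default versus the router's random name.
    print("SSID changes PSK:", psk_depends_on_ssid("correct horse", "linksys", "CiscoA1B2C"))
    rate = 1e9  # assumed guesses per second, far above any real PBKDF2 cracking rig
    for label, length, alphabet in (("10 random mixed chars", 10, 94),
                                    ("8 random lowercase", 8, 26),
                                    ("20 random mixed chars", 20, 94)):
        bits = passphrase_entropy_bits(length, alphabet)
        print(f"{label:>22}: {bits:5.1f} bits, {years_to_search(bits, rate):.3g} years")
```

The 8-character lowercase line is there for contrast: that keyspace falls in minutes at the assumed rate, which is why the usual “make it long” advice exists, while the Valet’s 10 random mixed characters already push the search into centuries.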

There are a couple of other dangerous settings enabled by default:

  • Universal Plug and Play is enabled by default. UPnP lets any program on the LAN ask the router to open an inbound port mapping with no authentication at all, so a piece of malware on one PC can expose itself, or other machines, to the Internet.
  • WMM Support (in the QoS section) is enabled. With WPA (TKIP) this matters: the separate per-priority replay counters that WMM introduces are exactly what the published TKIP packet-injection attacks (Beck and Tews, 2008) rely on. With WPA2 (AES) the setting is harmless.

The Nintendo DS Factor

One rather common WiFi-enabled device in any household with children is the Nintendo DS. This device does not support WPA at all. Even the newer DSi, which does support WPA, doesn’t support it for DS games. This means that if you want your kids to be able to use the WiFi features of their DS games, you will have to use WEP for your wireless security, which is not recommended.

This is, in my opinion, one big disappointment with the Cisco Valet. There is no way to allow a Nintendo DS to use the Guest wireless without using WEP. They could very easily allow certain MAC addresses to be whitelisted for the Guest wireless (which is open, unencrypted, and will work with the DS) without requiring captive-portal authentication. A MAC whitelist is a convenience rather than a security control, since anyone in range can read the DS’s MAC address off the air and spoof it, but it is no weaker than the open guest network already is.

Other Minor Gripes

The Cisco Connect software allows you to configure items that cannot be configured with the Advanced Settings interface, namely the Guest wireless access. I would like to be able to change the default IP range used for the Guest wireless and, possibly, whitelist certain machines as I described above.

By default, the router administration password is the same as the WPA password. This does make it easier for end users, but it also means that everyone you hand the WiFi password to can reconfigure the router. I think you should be able to set them independently in the Cisco Connect software.

I also do not see a way through the Cisco Connect software to upgrade the firmware for my router. This is a necessary, sometimes daunting task, especially given the number of hardware variations that can exist even within the same model. There’s no reason Cisco couldn’t have made this process as simple as they’ve made everything else: push a button and it takes care of the rest.

And, of course, there are my security gripes above. While they went a lot farther than I’ve seen other manufacturers go, they could have gone just a little farther in choosing more secure defaults, possibly with an optional “security settings” page so you don’t have to hunt through the Advanced Settings interface to make the wireless connectivity more secure.

All in all, though, I am very impressed with the product. I could easily see myself recommending this product to my non-technical friends and family as a dirt simple way to share their Internet connection and create their own personal wireless hotspot.

The only people I cannot recommend this product to are Linux users who lack a Windows or Mac machine on which to run the Cisco Connect software. Since the initial setup of this router cannot happen without the Cisco Connect software, which does not run on Linux, your “out of the box” experience will be less than fulfilling. You only need the software the first time, of course, but you might be better off with a Linksys-branded router.

So yes, Cisco did it. They made WiFi easy for normal people to set up. Using the Easy Setup Key, I set up four different Windows computers with my Cisco Valet settings in a matter of minutes. It was drop-dead simple. I wish they spent a little more time on the security side of things, but this is a tough one to do without making things more inconvenient for users. Given what Cisco was aiming for here, I think they nailed it.
