Category Archives: System

NailGun Released

Posted on by

Martian Software was talking about NailGun way back in January of 2003 when I emailed them asking about it. I received a message today from Marty Lamb:

If you are receiving this, you have expressed an interest at some point
in a notification when NailGun is available.

Well, it's available.

If it's been so long that you don't remember what it is, NailGun is a
client, server, and protocol for running Java programs within a
persistent JVM, eliminating the JVM startup time.  I appreciate your
patience with the project as I have been swamped with other priorities
for some time now.

Although there are no known issues, there is still some work to be
done.  Most importantly, I need to compile Windows and OSX binaries for
the client.  If you can provide any assistance with this I'd be most
grateful.

More information, a quick start manual, javadocs, and downloads are
available from http://www.martiansoftware.com/nailgun.  There's also
information for joining the NailGun mailing list.  The fact that you are
receiving this message does NOT mean you have been added to the list.

This is a one-time mailing.  If it's unwelcome, you have my sincere
apologies.

- Marty

--
Marty Lamb
Martian Software, Inc.
mlamb at martiansoftware dot com

I’m quite excited about NailGun for use in writing trivial command-line Unix scripts in Java. Going to download it and build a Mac OS X binary while I’m at it too.

Update: Runs nicely on my system, now to explore a bit.

Linux 2.6 IPsec VPNs

Posted on by

Update: Howtoforge has a good tutorial about setting up “roadwarrior” VPNs using IPsec & KAME.

Since I was unable to find a clear description of setting up an IPSec-based VPN using the native IPSec stack from USAGI and KAME userland tools that are part of Linux 2.6.x, I thought I would post a short explanation.

Software

Network Topology

I am going to explain a very straightforward topology often found in the field. You have two networks, network A (10.0.0.0/24) and network B (10.0.1.0/24). Each network has router/gateway/firewall system, gateway A (10.0.0.1) and gateway B (10.0.1.1). Each of these gateway systems as an external, public, IP address: 3.3.3.3 & 2.2.2.2.

In this topology, our end goal is to allow a hosts on network A, say 10.0.0.123, to securely contact a host on network B, say 10.0.1.158, via an IPSec tunnel.

Note: In many cases, I will provide only a single example. You must ensure the other gateway is configured similarly, often by reversing the configuration. This is left as an exercise to the reader.

IPSec

Setting up IPSec involves two steps: keying and policy. Normally, you use racoon to provide keying and setkey to establish policy. I will instead use racoon-tool as convenient shortcut. This tool was written by the Debian Maintainer of the racoon package in order to emulate some of the nice configuration syntaxt of the FreeS/WAN, an older IPSec implementation for Linux. It dynamically generates a racoon.conf (/var/lib/racoon/racoon.con) and also sets up the policy based on a single configuration file.

First, we simply state that racoon should use the notify priority when sending messages to syslogd:

global:
        log: notify

It is helpful to create a %default peer and connection in order to avoid duplication of configuration directives:

peer(%default):
        verify_identifier: on
        hash_algorithm[0]: sha1
        encryption_algorithm[0]: aes
connection(%default):
        src_ip: 3.3.3.3

The above src_ip directive simply says that our connections will be using our public IP.

Next, we define our peer, gatewayB, identifying it by address:

peer(2.2.2.2):
        peers_identifier: address

Finally, we define a policy so that packets from networkA to networkB are encrypted via gatewayB:

connection(to-gatewayB):
        dst_ip: 2.2.2.2
        src_range: 10.0.0.0/24
        dst_range: 10.0.1.0/24
        admin_status: enabled

Unfortunately, I have no idea what the admin_status: enabled directive does, or even whether it is required.

You must also add a key to /etc/racoon/psk.txt for the remote gateway:

# Entry for gatewayB
2.2.2.2 0x2eba016ffc2314869ae9f9a3b8901a173242f0c8

A randomly generated key is best, and can be created with the following command:

$ dd if=/dev/random count=20 bs=1 | xxd -ps

(The xxd command is part of the vim package.)

Make sure that you can the racoon package configured to use racoon-tool by either editing /etc/defaults/racoon or reconfiguring the package. Also, you should probably reload the tool by executing /etc/init.d/racoon reload. You can then check that your policy is in effect by running setkey -DP. You should get something like the following, followed by a bunch of default policies:

10.0.1.0/24[any] 10.0.0.0/24[any] any
        in ipsec
        esp/tunnel/2.2.2.2-3.3.3.3/unique#16385
        created: Nov 18 23:01:24 2004  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1512 seq=9 pid=9800
        refcnt=1
10.0.0.0/24[any] 10.0.1.0/24[any] any
        out ipsec
        esp/tunnel/3.3.3.3-2.2.2.2/unique#16384
        created: Nov 18 23:01:24 2004  lastused: Nov 18 23:05:31 2004
        lifetime: 0(s) validtime: 0(s)
        spid=1505 seq=8 pid=9800
        refcnt=1

Now that the policy is in effect, the kernel will ask the racoon daemon for a security association (SA), when it needs to deal with a packet matching the policy. Racoon will negotiate an SA with the remote gateway on the fly. (This will not happen until after we’ve setup the routing, below, but you can see it by using the setkey -D command.)

Routing

In order for a packet to match the policy we have setup, and also be forwarded to the remove gateway, we must adjust the routing table using the ip command (Provided by the Debian iproute2 package.).

The policy we have setup, says that packets coming from 10.0.0.0/24 and going to 10.0.1.0/24 must be encrypted and authenticated. This is achieved by adding a slightly weird entry to the routing table on gatewayA:

$ ip route add 10.0.1.0/24 via 2.2.2.2 src 10.0.0.1

And on gatewayB:

$ ip route add 10.0.0.0/24 via 3.3.3.3 src 10.0.1.1

Once you have added the new entries to the routing tables on both gateways, we test the tunnel. If you ping 10.0.1.0 from gatewayA, and then execute setkey -D, you will see the new SA that has been automatically created.

This is the routing table you should have on gateway “A”:

root@gatewayA:/tmp# ip route show
3.3.3.0/24 dev eth1  proto kernel  scope link  src 3.3.3.3
10.0.1.0/24 via 3.3.3.1 dev eth1  src 10.0.0.1
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1
default via 3.3.3.3 dev eth1

Followed by the routing table present on gateway “B”:

root@gatewayB:/tmp# ip route show
2.2.2.0/24 dev eth1  proto kernel  scope link  src 2.2.2.2
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.1
10.0.0.0/24 via 2.2.2.1 dev eth1  src 10.0.0.1.1
default via 2.2.2.1 dev eth1

In the above examples, 2.2.2.1 & 3.3.3.1 are the default gateways that connect your public networks. (The routers usually provided by your ISP.)

Note: if you have any firewall rules enabled, you are going to have hassles. Notice that the IPSec tunnel doesn’t have it’s own device: the encrypted packets are going through a public interface. This will confuse any firewall rules that expect to be able to categorize packets by interface. I intend to figure out a good solution and post it at a later date.

Update: I now have a fully working IPsec gateway/router/firewall. See this other post.

Update: It seems that when the external addresses of the gateways on are different subnets, which was not the case during my testing, you must add a route like ip route add OTHER_NETWORK via LOCAL_DEFAULT_GW src INTERNAL_IP. Otherwise, you will get an error: RTNETLINK answers: Network is unreachable. Please leave a comment if you can clarify this.

Awesome Quote from Frank Herbert

Posted on by

A fantastic quote from Frank Herbert:

Above all else, the [architect] must be a generalist, not a specialist. Experts and specialists lead you quickly into chaos. They are a source of useless nit-picking, the ferocious quibble over a comma. The [architect] on the other hand, should bring to decision-making a healthy common sense. He must not cut himself off from the broad sweep of what is happening in his [application]. He must remain capable of saying “There’s no real mystery about this at the moment. This is what we want now. It may prove wrong later, but we’ll correct that when we come to it.” The [architect]-generalist must understand that anything which we can identify as our [application] is merely part of a larger phenomena. But the expert looks backward; he looks into the narrow standards of his own specialty. The generalist looks outward; he looks for living principles, knowing full well that such principles change, that they develop. It is to the characteristics of change itself that the [architect]-generalist must look. There can be no permanent catalogue of such change, no handbook or manual. You must look at it with as few preconceptions as possible, asking yourself: “Now what is this thing doing?” – From Children of Dune by Frank Herbert (1976)

I love it. Something to keep thinking about. Thanks Grant.

Scalix Brings Group Calendaring to Linux

Posted on by

eWeek is running an article on groupware for Linux:

Companies looking to migrate from Exchange to a Linux-based messaging system or that want broader groupware functionality will find a good solution in Scalix’s Email and Calendaring Platform. From the user’s perspective, the Outlook experience is very good, although the Web client could use some improvement. Email and Calendaring Platform is priced at $60 per user, $600 for a server with 500 mailboxes and $3,500 for the Enterprise Edition. More information is available at www.scalix.com.

I know that many clients are using Microsoft products only for groupware, so this is important.

Wifi in Montréal

Posted on by

While waiting for the bus in Montreal this weekend, I found a Starbucks with free wireless Internet access, provided by VidéoTron.

Map

It’s a block away, on Saint-Denis, parallel to Barrie.

VoIP and Presence

Posted on by

Corporate and personal communications is undergoing an obvious revolution right before our eyes. I won’t comment on this aspect of VoIP since there are so many doing so, particularly in the large news publications. However, we’re missing something: presence.

Instant messaging has boomed and become an almost integral part of our society, with youth leading this integration. Have we not noticed that this form of communication is almost entirely controlled by a select few corporations? To name a few:

This is all a Bad Thing™! Lets reminisce for a moment about good, old fashioned, email service. This technology is completely decentralized and relies on each entity having their own SMTP system. If I want to send you mail, I simply do a DNS lookup to find your mail server and off I go. This server can either be provided by your ISP, out-sourced to another provider or you may have set it up internally.

Contrast this with IM, where your messages are being routed by a third-party who:

  • Is not receiving money from you
  • Made you accept a disclaimer that basically guarantees less than nothing
  • Doesn’t really want to interface with the other IM providers

To actually start discussing VoIP now, the above prevents good presence for VoIP applications.

Thankfully, the defacto VoIP protocol, SIP, has full support for an SMTP-like distrbuted model using SRV records in DNS. This allows the DNS system to be queries for the correct SIP server for a domain and therefore gives us nice, convenient addresses for voice communications using the familiar “user@domain” form.

Built on top of SIP, there is SIMPLE or the S I M P L E. This upgrades your SIP infrastructure to support full presence and instant messaging capabilities. So far, I know of very few clients that have full SIMPLE support:

Also, I believe that Microsoft‘s Windows Messenger is available in a SIP edition.

A major open instant messaging protocol, Jabber, also has the above mentioned SRV capability. It seems to be under implemented in practice, however, with many people not even bothering. Jabber uses the XMPP protocol and bridges exist to allow SIMPLE to interoperate with it.

I’m rambling here. To get to the point, it seems that integrating SIP hardware devices : Analog Telephone Adapters (ATAs), like those from Sipura, and desk phones like those from Polycom; with presence provided either by SIMPLE or XMPP, is a problem. See, when you are using a great hardware phone for actual calling, you can’t do decent presence. How will my Jabber client know that I’m on the phone in order to set my status to “On the phone”?

My conclusion is that we should really be using softphones. Why not? Don’t we all have laptops and Bluetooth headsets? :-) Well, I intend to get myself fully setup this way. To heck with all the other ways of getting voice service. Also, Jabber isn’t a great candidate unless you use something like the myJabber Instant Messaging Client for XMPP and myJabber AE Soft Phone combination, which is non-standard.

More to come on this topic once I get a copy of eyeBeam for Mac OS X to play with.

SoundPointIP

Posted on by

The Polycom SoundPoint IP are a line of very nice VoIP phones for business use. The current model line-up includes:

I setup five IP500s last week and hooked them up to an Asterisk system. Since Polycom doesn’t offer support to anyone not certified by them, more on that later, I relied on VoIP-Info and #asterisk to figure things out. The IP phones are extremely configurable, allowing you to change everything from the sampled sounds they make to very low-level adjustments to the units handling of RTP packets.

The sound quality of the IP500 units that we have is terrific. The built-in full duplex speakerphone is also very good, though not quite as perfect as the purpose built conference phone, also from Polycom, that is used in the boardroom.

The look and feel of these units is very professional, much more so than many of the other competing products we looked at. Paul thinks that this is an important aspect when selling to business clients. The units are also well-priced.

Something I am disappointed is the lack of LDAP directory support. While the phones have the ability to load an XML formatted directory from their boot server, they will not periodically update from it. It would be far more integrated to simply use an LDAP tree for this purpose as Cisco does, I believe.

More information on these great IP phones is available on the wiki and at PolycomEmergencyDialplan.

Local IPv6

Posted on by

Last week I successfully setup a tunnel from my local network to Freenet6 Hexago I now have a /64 prefix of IPv6 addresses and am advertising them on my network using radvd This works great!

The next step is to get DNS working properly for IPv6 addresses.

Boot from Software RAID5

Posted on by

How to boot from a software RAID5 array?

I just stumbled upon a this post to debian-user

I’ve just had success migrating Debian Sarge to root on LVM on RAID. Here’s an account of what I’ve done. I believe it could be of interest to both the debian-installer people on debian-boot and to the Debian user community on debian-user, hence the cross-posting to both lists; apologies to anyone subscribed to both. I’m not subscribed to either, so any replies please CC me.

Always on the lookout for creative solutions to this issue, I kept reading. The poster suggests using a pair of mirrored (RAID1) /boot partitions on two of the drives in your RAID5 array to boot from and mount everything else from a RAID5. Does this sound like a Good Thing?

Can a Customer take their IP’s with them? (Court says yes!)

Posted on by

Can a Customer take their IP’s with them?

Exerpt:

There has been a Temporary Restraining Order (TRO) issued by state court that customers may take non-portable IP space with them when they leave their provider. Important to realize: THIS TEMPORARY RESTRAINING ORDER HAS BEEN GRANTED, AND IS CURRENTLY IN EFFECT. THIS IS NOT SOMETHING THAT COULD HAPPEN, THIS IS SOMETHING THAT HAS HAPPENED. THERE IS AN ABILITY TO DISSOLVE IT, AND THAT IS WHAT WE ARE TRYING TO DO.

This is a complicated issue and is not as straightforward as the above message seems to insinuate. A colleague comments:

I am following this. It is not as simple as it seems, and in fact two things have not been pointed out yet. a) NAC is being compensated for this. b) As the court affidavit points out, NAC has previous history of blackmailing the client.

Some related information is here

Mesh Networking Links

Posted on by

Some protocols/routing daemons:

These people have a product that is MIPS based and very flexible, might be more interesting for than Soekris:

OLSR:

A Good Combination GSM Phone & PDA

Posted on by

There are many candidates available now, all with something problematic about them it seems. Bit of a PITA.

On my radar are the following:

The P900 sounds great, but for the Memory Stick slot that can only handle up to 128MB cards. The Treo 600 has a terrific form factor, but comes without Bluetooth or a high resolution screen. In addition, Handspring is not confirming that a quality J2ME implementation will be available for it.

Ideally, I’d have a phone that can handle the new North American frequency, 850MHz, in addition to the frequencies used outside NA. Good Java support is also very important to me.