A New Way to look at Networking is the name of an interesting talk given by Van Jacoson Van Jacobson is a Research Fellow at PARC. Prior to that he was Chief Scientist and co-founder of Packet Design. Prior to that he was Chief Scientist at Cisco. Prior to that he was head of the Network Research group at Lawrence Berkeley National Laboratory. He’s been studying networking since 1969. He still hopes that someday something will start to make sense.

He gives an interesting critique of TCP/IP today and suggests how it is broken and can be fixed.

Link here

Only loosers become system administrators through on the job training. Here’s what I learnt from 5 hours of “24” when sitting on the train back from Berlin. But first a minor rant:

Why does the film and TV industry keep shooting themselves in the foot? I was watching a legally acquired 8 DVD set but was unable to view one of the episodes due to them using the ARccOS copy protection system which makes some sectors look bad. But this was a paid for DVD set. Also, I have never understood why it’s necessary to advertise (and further piss off) the evils of piracy to people who have legally acquired your product. Why stick a 2 minute ad at the start of a film in the cinema? The 24 DVD was accompanied by a long, and un-fastforward-able advert about the evils of piracy. Seems a little patronising when the customer has just spent 50 Euro on your product and you have screwed up the disk enough that he cannot even watch one of the episodes.

But I digress. Here are my tips for working in the CTU (Counter Terrorism Unit for those not addicted to the show) as a sysadmin.

• Wake up early. The first attack happens before 8am. This is no job for your normal sys-admin – you need to be in the office before lunch.
• Engineering gets its own subnet. This came up in two episodes. I’m pleased they use a segmented network and have prescribed similar topologies on previous gigs. Alas, they always seem to be able to skip from one subnet to another so they should probably examine ACLs on on their (no doubt Cisco – see following point) routers more carefully.
• CTU uses a VOIP infrastructure from Cisco. I was pleased to see multiple Cisco 7960G VOIP handsets deployed around the CTU office. Would love the have the firmware hack for the nice logo they have managed to get them to display. The real question is whether they have the SCCP or the SIP firmware loaded?
• Pinging phones via GPRS. This was neat, and if I ran a CTU infrastructure, I would probably set my infrastructure up to run Smokeping against all my field agents phones. Lets hope they have a carrier that gives them real IP addresses when they open that GPRS channel. Fear the latency. I do.
• CTU uses FVWM. I still do too, but could never work with that bitchface of a boss.
• CTU didn’t pay their lighting bill. That or they are all haxors. I have never seen such a dark office environment.
• Terrorists should switch from quadrule ROT13 and use PGP. No, really.
• Mobile phones have very good batteries. Jack manages to run around all day with the same phone glued to his ear. I want a hydrogen cell batter that can last that long too.
• The daughter of the secretary of defence runs a tcpdump window on her screen. I would date her in a second and help her with some of her libpcap syntax. What a babe.
• Microsoft managed to get at least someone to buy their tablet computing solution. Even if it was just a government department that can’t afford to pay their electricity bill.
• Data still makes a noise when being written to a screen. Are they using accoustic couplers or something. Why is it that in the “we can’t afford to pay our lighting bill” bunker, all data when being written to a screen still makes a high pitched noise for each character written.
• Deleting files does not work. Even a DOS junkie will tell you this.
• Using “more” or “less” is so old school. Hexdump is common. Alas didn’t see the Secretary of Defence’s daughter using it
• Jack thinks that he cannot access files when their ownership is rwxr-xr-x. ‘nuff said.

It was not nice.

AuthType Basic
AuthName "Imaginator username and password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPURL ldaps://ldap.imaginator.com/dc=imaginator,dc=com?uid?sub
AuthLDAPBindDN "cn=nss,ou=auth,dc=imaginator,dc=com"
AuthLDAPBindPassword "**********"
AuthLDAPGroupAttribute memberUid
require ldap-group cn=buddycloud-corp,ou=groups,dc=imaginator,dc=com

So it sort of works. But what I would really like is for a way to authenticate on POSIX groups which have a memberUid which is something like:

memberUID: simon

Update:

AuthLDAPGroupAttributeIsDN off is the magic bit! This forces a filter on the uid rather than the full DN. LDAP as always Rocks!
rather than doing a

memberUid: cn=Simon Tennant,ou=People,dc=imaginator,dc=com

Sigh.

…and it was a relatively easy upgrade. I had an old and crufty Apache 1.3 that has now been migrated to a nice 2.0 configuration. Multiple SSL virtual hosts is a nice addition (although until OpenSSL is changed to include some sort of host sending outside of the ssl tunnel there will still be the problem of SSL certs not matching.

Please let me know if you find something not working correctly.