Subnetting. A simple thing that fills many with dread. The swirl of numbers flying about when discussing subnetted networks can make your head respond in kind. If subnetting wasn’t challenging enough we have long dealt with this thing, this ’subnet-zero’ thing. Discussion on the topic (this post included) lingers for some unknown reason. It vexes me. I even read a recent post (written about a month ago) that suggested NOT using it was still a viable concept. At the risk of taunting the author I shall refrain from links to that post. I can’t tell you how much I disagree with such a statement. Well, scratch that. I actually can tell you how much I disagree. Please enjoy:
First, a review: What is ‘ip subnet-zero’?
It’s a command you enter into a Cisco router (or L3 switch), actually. From global configuration mode you have two choices: ip subnet-zero or no ip subnet-zero. If you want to use this thing we call subnet zero you enter the former. If you don’t want to use it, enter the latter. And I don’t understand you if you don’t want to use it. Cisco doesn’t either. They have been telling you for a long time that you should be using it. The command has been enabled by default since IOS 12.0 which has been out for the better part of a decade. To stop using it you would have to intentionally go into the router and disable it (e.g. no ip subnet-zero). And who are you to disable a Cisco default? Hmmph. I thought so.
So it’s a command. Cool. But what does it actually do? In simple terms the command controls whether the all zeroes subnet is accepted as a valid network on the box (configured on an interface, carried as a route). The all ones subnet gets lumped into the same argument below, but IOS does not gate it behind a command. Easy enough to say but it’s a little more involved to understand. Let me explain by way of example. Here is an example of a simple subnetting problem that uses subnet zero (and yes, I’m assuming you already have a little bit of subnetting skill):

In this example we take the 192.168.44.0/24 network and subnet it by 4 bits, dividing it into 16 networks. If we look at the newly created networks a little more closely we will see something interesting. Using the image below, notice that the first network has all of the subnet bits set to zero. Also notice that the last network has all of the subnet bits set to one. We call the network with the subnet bits set to zero the “all zeroes subnet”. We call the network with the subnet bits set to one the “all ones subnet”. Pretty clever names, I know. Strictly speaking only the first one is subnet zero, but the argument over whether to use them lumps both together under that name. Yeah, that makes sense? Deal with the weirdness.

Subnetting with IP Subnet-Zero
Two things you need to notice:
First: To the user, the all zeroes subnet looks alarmingly like the original network. The original network was 192.168.44.0/24. The all zeroes subnet is 192.168.44.0/28. Does that creep you out?
Second: The all ones subnet (192.168.44.240/28) has a last octet equal to the last octet of the subnet mask (240, from 255.255.255.240) AND its broadcast address is 192.168.44.255, which is identical to the broadcast address of the original network (192.168.44.0/24). How about that? Feeling spiders crawling up your legs?
What’s my point?
First: People got confused by the striking similarity between 192.168.44.0/24 and 192.168.44.0/28. Let me restate that in case you didn’t catch it. People got confused by… (never mind the rest, it doesn’t matter). The important word, in case you missed the italics, is PEOPLE. A router that carries a mask with every route (anything running a classless protocol: RIPv2, EIGRP, OSPF, BGP) is never confused by the apparent similarity. To the computer, a device which thinks only in binary, 192.168.44.0/24 is just as similar to 192.168.44.0/28 as 11.12.0.0/14 is. The difference is plain to see for the computer. The one honest exception was classful routing: RIPv1 and IGRP advertise 192.168.44.0 with no mask at all, so a neighbor genuinely could not tell the /24 from the /28, and that ambiguity is where the old prohibition in RFC 950 came from. Classless routing removed that excuse years ago. The same can’t be said for the fragile mental stability of the network administrator. Because people were confused the decision was made long ago to simply throw out the all zeroes subnet. Just don’t use it. Problem solved! Outta’ sight, outta’ mind! The word lame comes to mind. How, in this world of IP address space exhaustion, can you even begin to condone throwing away a perfectly good network for the sole purpose of preventing confusion with the network administrators? Uh, you can’t. Your network people need to get over it. Suck it up, use the addresses. “Waste is a thief!” (my token Fight Club reference)
But wait! There’s more!
Second: We didn’t just throw out the all zeroes subnet. We threw out the all ones subnet along with it. The confusion surrounding the last octet of the last network being equal to the subnet mask, the hosts in it having a decimal value greater than the subnet mask, and the whole, “Hey the broadcast address of the last network is the same as the broadcast address of the original network”, thing caused “they” (whoever they are) to toss out the all ones subnet, too. What was that word again? Oh yeah! Lame.
The all zeroes subnet and the all ones subnet are both perfectly valid networks. They should be used and are used in environments that are motivated to squeeze all of the usefulness possible out of the IPv4 address space. So, if you haven’t been using it you need to get busy doing so. Have I mentioned that NOT using subnet-zero in IPv6 isn’t going to be an option? When your ISP gives you a prefix of 2001:ABCD:1234::/48 guess what your first usable network is going to be …2001:ABCD:1234::/64. How do you like them apples? Ha!
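Here is the worked example above carried out in code. This is an added example written for this page, not something from the original post or from Cisco; it uses only Python's standard `ipaddress` module. It carves 192.168.44.0/24 into /28s, picks out the all zeroes and all ones subnets, checks the two "creepy" properties (shared network address with the parent, shared broadcast address with the parent), and then shows the one place the similarity ever actually mattered: a maskless (classful) route advertisement of 192.168.44.0 cannot be told apart from the /24. The last function does the IPv6 version of the same carve, where the first usable /64 is the all zeroes one.

```python
from ipaddress import IPv4Network, ip_network


def carve(parent, new_prefix):
    """All subnets of `parent` at the given prefix length, in address order."""
    return list(ip_network(parent).subnets(new_prefix=new_prefix))


def subnet_zero_report(parent, new_prefix):
    """Pick out the all-zeros and all-ones subnets of `parent` and record why
    they look confusing next to the parent network."""
    parent = ip_network(parent)
    subs = carve(parent, new_prefix)
    zeros, ones = subs[0], subs[-1]
    return {
        "count": len(subs),
        "all_zeros": str(zeros),
        "all_ones": str(ones),
        "all_zeros_broadcast": str(zeros.broadcast_address),
        "all_ones_broadcast": str(ones.broadcast_address),
        # the all-zeros subnet shares its network address with the parent
        "zeros_shares_network_address": zeros.network_address == parent.network_address,
        # the all-ones subnet shares its broadcast address with the parent
        "ones_shares_broadcast": ones.broadcast_address == parent.broadcast_address,
        # last octet of the all-ones network address vs. last octet of its mask
        "ones_network_last_octet": int(ones.network_address) & 0xFF,
        "mask_last_octet": int(ones.netmask) & 0xFF,
    }


def classful_prefix(address):
    """Prefix length a classful protocol (RIPv1, IGRP) infers from the first octet."""
    first = int(address) >> 24
    if first < 128:
        return 8    # class A
    if first < 192:
        return 16   # class B
    if first < 224:
        return 24   # class C
    raise ValueError("not a class A/B/C unicast address")


def ambiguous_for_classful_routing(subnet):
    """True when a maskless advertisement of `subnet` is indistinguishable from
    an advertisement of its classful network. Only the all-zeros subnet of a
    classful network has this property; it is the reason the subnet was once
    forbidden, and it disappears as soon as routes carry a mask."""
    subnet = IPv4Network(subnet)
    net_addr = str(subnet.network_address)
    classful = IPv4Network((net_addr, classful_prefix(subnet.network_address)), strict=False)
    return (subnet.network_address == classful.network_address
            and subnet.prefixlen != classful.prefixlen)


def first_subnet(parent, new_prefix):
    """First subnet of a prefix (IPv4 or IPv6). For the IPv6 /48 in the post
    this is the all-zeros /64, and nobody blinks."""
    return str(next(ip_network(parent).subnets(new_prefix=new_prefix)))


if __name__ == "__main__":
    for key, value in subnet_zero_report("192.168.44.0/24", 28).items():
        print(f"{key:30} {value}")
    for s in ("192.168.44.0/28", "192.168.44.16/28", "192.168.44.240/28"):
        print(f"{s:18} maskless advertisement ambiguous: {ambiguous_for_classful_routing(s)}")
    print("first IPv6 /64 of 2001:abcd:1234::/48:", first_subnet("2001:abcd:1234::/48", 64))
```

Note that `ambiguous_for_classful_routing` is true for 192.168.44.0/28 and false for every other /28 in the block, including the all ones one; the all ones subnet was thrown out for the broadcast-address lookalike, not for any routing ambiguity.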
Colin Weaver
Some time in early 2008 Nick introduced me to Twitter. I tried to see the potential but I have to admit that for the first several weeks I kept thinking, “This is the dumbest thing to come along in a while.” I seriously thought it sucked. But it doesn’t. What sucked at first was me. I hadn’t fully embraced what was going on. I wasn’t really following anybody and not many people were following me. With so few people looking at what I was doing I never really felt compelled to tweet. But now I have three different twitter accounts that represent three different facets of who I am. I follow multiple different people and most of them follow me in return. Now I tweet multiple times per day and check to see what others are doing on a regular basis. I’m kind of addicted to it. It’s another in a long line of time suckers but I love to search such things out and attach them like little leeches to my body. Twitter, not that I’ve got my mojo working, is right up my alley.
Twitter is still fairly new so a client with which to tweet is not built into Fedora 10 (or I don’t know where it is). That will change over time I suppose. The Firefox add-on called TwitterFox is probably the easiest way to get tweeting because Firefox is already installed and add-on installation is usually simple. But for tonight I want either Twhirl or Spaz. Both clients require AdobeAIR and I got that installed a little earlier this evening. You can read about installing AdobeAIR by clicking here. You can download twhirl here and you can download Spaz here. When you download them using Firefox you will see a window like this:

Downloading Twhirl for Linux
Because AdobeAIR is installed you might think you can just open the download with AdobeAIR and start the install. And you’d be right if you wanted the install to fail. The AdobeAIR installer doesn’t seem to work unless it is running as root. I haven’t done any research on why but it’s the solution I found multiple times on other sites. I do know that I tried repeatedly to install using my user account and failed each time.
To successfully get twhirl (or spaz) installed, follow these steps. One caveat first: because the installer runs as root it can write anywhere on the system, so make sure the .air file you hand it is the one you just downloaded from the client’s own site and nothing else.
Step 1 -Save the installation file to your computer. I saved it to /home/colin/Download
Step 2 - Open a terminal window and su to root.
Step 3 - From the terminal window type “/usr/bin/Adobe AIR Application Installer” (with the quotes). The GUI app will open.
Step 4 - Navigate using the tree-view to the directory where your installation file is located (the one you downloaded).
Step 5 - Select the installation package, click OK and the follow the install steps in the interface.

Opening AdobeAIR Installer as root
The twhirl install should place an icon under Applications > Accessories. The spaz install should place a shortcut link directly under Applications. You should now be good to go! Send me a tweet to let me know how it goes.

AdobeAIR Installer
Downloaded and installed Fedora 10 (64-bit). Immediately set about setting up a Twitter client. Chose one called Spaz at first. In the end I found that I don’t like it as much as Twhirl, which is what I often use with Vista. Both Spaz and Twhirl require Adobe AIR so I didn’t mess with either in the 64-bit version. I ran into a brick wall with the whole 64-bit thing. Installing AdobeAIR proved to be more trouble than it was worth. AdobeAIR is only recently supported on Linux and 64-bit support is lacking. Several workarounds are suggested on several different sites but I don’t want to play that game fresh out of the gate. I run into the same crap with 64-bit versions of Windows, too. RAW image thumbnail support in Vista comes to mind… Anyway, I decided to bag 64-bit Fedora for now. And so began install #2 of Fedora, 32-bit this time. Doing a basic install of Fedora is just as mindless as installing Windows. It might actually be easier. Not needing anything particularly fancy I chose most of the default options along the way. I’ll save customized installs for another time.
My second install of the day is now complete and my installation of AdobeAIR went exactly as it was supposed to this time. No more 64-bit hangups. The install process for AdobeAIR is simple but not because of anything Adobe does for you. Getting it installed is kind of a speakeasy thing. I had to do a few google searches to figure out exactly what to do. And here are the steps for you:
Step 1 - Go to www.adobe.com and download AdobeAIR for Linux. The file you will download is called AdobeAIRInstaller.bin. It is an executable binary image but the permissions are not correct immediately after download. That’s what steps 2 & 3 are for.
Step 2 - Open a terminal and su to root. Navigate to the download directory for the user you are logged in as. For me it was /home/colin/Download
Step 3 - From the terminal window type chmod u+x AdobeAIRInstaller.bin. Press enter.
Step 4 - From the terminal window (still as root) type ./AdobeAIRInstaller.bin. The installation process should begin. In the installer window, follow the steps.

AdobeAIR Install for Linux (Fedora 10)
That’s it for getting AdobeAIR installed. Next up: Installing Spaz and/or Twhirl.
After an inexcusable hiatus I am going back on my Windows hunger strike. As I type I am downloading the Fedora 10 ISO and making preparations for my switch.
With a little luck I won’t get sidetracked like I did last time. I believe the fundamental flaw I made last time was that I was using two computers. I installed Fedora on one laptop and continued to run Vista on another (yes, I know I could have dual booted). This time I am going to try something even more difficult; I am going to run Fedora in a virtual machine using VMware and Vista as the host OS. This is going to be difficult because I am going to have to fight the urge to simply minimize Fedora and do things in Windows. I shall resist!!! I am going to run Fedora in full-screen mode and attempt to forget what lies underneath.
Wish me success. I gave up cigarettes more than ten years ago and have never looked back. Can I do the same with Windows? Can I really use Fedora as my day-to-day desktop OS? Is it possible? Do I want to? Is it worth it? Will I still be productive (if what I do most days can even be called that)? I don’t know the answers to these questions but I am going to find out. I’m not new to Linux, not by a long shot. I have been using it for years but only for random purposes here and there. Every time I have tried to use it as a desktop OS I have failed and scurried back to the comfort of Windows. In the words of Mr. Mercury: I want to break free!
Here goes…
For several years now I have been using access points at my house that were purchased at Best Buy (or Newegg). I have used Linksys, Netgear and Buffalo. I constantly switch them around for one reason or another. The one thing that has been consistent in all that time is that each of those APs has actually run the same custom code: DD-WRT.
There was a long period of time when I would only use Cisco APs at work and at home. Cisco’s wireless gear is a little pricey but is consistent and feature rich. Having Cisco at home is a little more than most people want to spend so most have been stuck using off-the-shelf stuff from vendors like Linksys (owned by Cisco), Netgear, Buffalo, D-Link, etc. What makes DD-WRT so cool is that it allows you to take the inexpensive APs you buy at Best Buy and replace the pre-installed vendor code. Doing so unlocks a whole new world of features that weren’t there before.
The other thing that DD-WRT brings with it is stability. Many of you out there have to regularly power cycle your APs. They just stop working and won’t respond to anything except a pronounced lack of electricity. Placing DD-WRT on your AP all but eliminates this. In this regard DD-WRT is very Cisco-like (i.e. plug it in and forget about it for months or years at a time).
This exceptional coolness comes only with a little effort. DD-WRT is not supported on every device out there (but the list is pretty big) and there is a possibility that you can brick (ruin) your access point. That has never happened to me (and I have installed DD-WRT multiple dozens of times) but it is a risk to consider. The risk is worth the reward. If you aren’t using DD-WRT today you should visit the DD-WRT site and see if your AP is supported. If it is, give some thought to making the switch. The DD-WRT web site has detailed instructions on how to upgrade. Follow them precisely and you’ll be a happier person.
Colin Weaver
About a year and a half ago I was working on writing a book that forced me to learn that about 16-17% of the Earth’s population had Internet access. This is a stunningly low percentage of people. I laugh at myself whenever I get grumpy for not having connectivity every single place I go. My sense of entitlement to net access is pretty …American? Regardless, I expect it. I have to force myself to feel privileged for being in the incredibly small percentage that does have connectivity pretty much everywhere (thank you, mobile phone).
This morning I decided to see how the planet was coming along. Wow. What a bump. According to http://www.internetworldstats.com/stats.htm a little under 22% of the population is now connected. That shakes out to about 1.46 billion people. The number of connected people seems to be growing at about 4% per year. That’s impressive by itself but even more impressive when you consider the fact that the earth’s population is increasing at an insane rate at the same time.
IPv6 was designed with the year 2050 in mind; a time when we expect there to be somewhere around 10 billion people puttering around. Even with 100% penetration (i.e. everybody on Earth has Internet connectivity) there are still more than enough IP addresses to go around. And around. And around. In fact, 2^48 works out to about 281 trillion /48 networks, so with a population of 10 billion there are roughly 28,000 /48 networks per person. Each /48 network has 65,536 /64 subnets. Each /64 subnet has 18.4 quintillion possible addresses. So that’s about 28,000 × 65,536 × 18.4 quintillion, or 3.4 × 10^28 addresses per person. We should be good.
I had an epiphany tonight. An epiphany both good and sad. It is good because I had it, sad because it has taken so long to come to it.
Like so many others out there I was born and bred on Microsoft. When you start out with a certain set of values and teachings you believe them to be fundamentally true. Whoever you are and wherever you are it is likely that you believe that your country is the best, your value systems the most accurate and your religion (or lack thereof) the most holy. We don’t usually try to believe things we know to be false. But the things we believe are seldom tested for their truth. To do so (and discover our own self-deception) is too much for many of us to bear. While it won’t be the case for all of you it is likely that you believe the things you do because they are the original things you learned in life. Few of us ever question these things once they become part of our psyche. An affinity for one all-encompassing software vendor should be included in this list of things accepted blindly. Think of it as the technology equivalent of ethnocentrism. Unix old-timers from the 60’s and 70’s are likely to believe that Unix is the way. Mac lovers from the 80’s have remained steadfast for a quarter of a century. And Microsoft devotees from the mid-90’s have held the line for theirs. I have long believed in Microsoft’s superiority. Having said that, I have long known that their superiority was two parts marketing prowess, one part business acumen and one part software code. I don’t think they were ever the best. But none of the others were the best either. There was (is) no “best”.
My trailer is no longer hitched to Microsoft. I no longer have a clear vision on who to follow. I have long since abandoned Internet Explorer for Firefox but the Microsoft Office suite (Excel, PowerPoint, Word, etc.) is still light years beyond any competitor. But even my beloved Office suite isn’t necessary for 95% of the stuff that I do. Google Docs (docs.google.com) or something similar eliminates the need for most of the population to have Office at all.
I tend to use a computer that runs Windows Vista but I’m not emotional about it. The OS is little more to me than a way to get to the web apps that now run the world. Twitter, YouTube, Flickr, Facebook, and Wordpress are the apps that I find myself using. Whether I’m running Windows, Fedora, or OS X doesn’t really matter anymore. Fully 90% of my time on a computer is spent putting content into the Internet. I spend almost as much time using my iPhone to work as I do a PC or notebook. And here’s a kicker. I have long been a devout Apple hater but I love my iPhone. Not just a little bit, either. I friggin’ love the thing. I resisted the iPhone for quite a while. I kept putting it off until I got a chance to see how the whole Google Android thing panned out. A few years from now I suspect it will be the shizznat but it’s not for me today. Once I had the iPhone for a while I found myself asking questions that I have never asked before. If I like the iPhone so much then could OS X really be that bad? Could it be as cool as this phone? If I had caught myself asking questions like that two or three years ago I would have burned myself with cigarettes as punishment. But now I give regular thought to buying a Mac. I’m not ready for it to be my day to day computer but I’m willing to put it in the rotation (I use several different computers during the course of my day).
I have also long tried to wean myself over to Linux as my day-to-day OS. I try and falter on a regular basis. It’s not because Linux isn’t good, though. It’s usually because I need to get some work done and I know how to do everything very well when using Windows. I know Linux pretty well but I still regularly have to learn something in order to get something else done. I’m a busy guy and don’t always have time for that. It has been easier to pop back over to Windows, bang it out and move on. But more and more these days I only need to do that when I want to use Photoshop (I’m not lovin’ the Gimp) or some other app that I’ve been using forever on the Windows platform.
None of this is new to a lot of people, myself included. But even as I have watched the technology change drastically over the past few years I have continued to bring it all in and wrap it around Microsoft at its (my) core.
…but not anymore.
If anyone from Apple happens to read this: send me a MacBook (MacBook Pro would be nice) and I’ll switch cold turkey and post my every epiphany for the world to read.
I love about 90% of what Google does. Microsoft, despite all of its efforts to win me over to their search engines has about a zero percent chance of being successful. If Google is not your home page I seriously think something is wrong with you. I think they have medications for such problems. Having said that Google is not welcome on my desktop (Google Desktop is within the 10% of things that are Colin no-no’s).
On Saturday morning Google-the-mighty had some trouble: http://www.networkworld.com/news/2009/013109-human-error-caused-google-search.html?fsrc=rss-security
It was brief, a mere blip on the radar. I was on the web all morning on Saturday and I missed it. Bummer. I would like to be part of such moments in time. Seeing Google have a misstep like that would be a memorable event. But what I thought was fun was how quickly Google got to the business of blaming a human for the snafu. As technology becomes more and more automated we, as the consumers of the convenience it brings, need to have a lot of faith in its ability to not make mistakes that do bad things. Google is hip to this. Was the problem really caused by a person? I guess so. But even if it wasn’t I suspect that Google would massage the truth to make it look like it was.
I guess we will need to worry when we type a query in that ever-so-simple interface we all know and love and it comes back saying, “I’m sorry, Colin. I’m afraid I can’t do that.”

NAT - A Black Mark on IPv4's Name

NAT-free Network - Global Unicast Addresses for Everybody!!! Bye-Bye NAT!
What happens when there is no longer any pressure on the IP address space? Imagine there are more addresses available than we can conceive uses for (famous last words, I know). If there is no pressure on the IP address space why do you need a device to translate the private to the public (and back again)? Uh, you don’t. So, no pressure on address space means no NAT necessary. We still need the firewall function, of course. The need to protect the inside from the outside will remain forever. And there it is, the future: IP version 6. IPv6 virtually eliminates the pressure on the IP address space. Everybody on this planet will have enough IP addresses available to them that they will never again have to worry about whether or not there are enough IP addresses. Well good. That’s one less thing to worry about, right? All that remains is the need to firewall. And that is all that needs to stand between your so-called private network and the Internet. And that’s the way it should be. For some of us that will be a new paradigm. Without that false sense of security we get from NAT there are many who will feel exposed with their internal nodes having public IP addresses and only a firewall (or two or three or four) to protect them from the nasties. Trust me, it’s going to be OK. Whatever protection NAT ever gave you came from its state table: an unsolicited inbound packet matched no mapping and so had nowhere to go. A stateful firewall with a default-deny inbound policy keeps exactly that behavior, minus the address rewriting.
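To make the point concrete, here is a small model of both devices side by side. This is an added example written for this page, not code from the original post or from any real firewall or NAT implementation; the addresses are documentation ranges chosen for the demo and the packet format is simplified to a five-tuple. `StatefulFilter` is a default-deny inbound firewall for hosts that keep their global addresses (the IPv6 picture); `Nat44` is a port-overloading translator with no separate filter at all. The same three-packet scenario is run through each: an inside host opens a connection, the reply comes back, and then a stranger tries to reach the inside host directly. Both devices give the same verdicts, and for the same reason: no state, no entry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just enough of a packet header to make a forwarding decision."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound firewall. No address translation: inside hosts
    keep their globally routable addresses."""

    def __init__(self, allow_inbound=()):
        self.expected = set()                    # reverse 5-tuples of flows started inside
        self.allow_inbound = set(allow_inbound)  # (proto, dport) pairs deliberately exposed

    def outbound(self, p):
        # Remember what the reply will look like so it can be let back in.
        self.expected.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "pass"

    def inbound(self, p):
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.expected:
            return "pass"                        # reply to something inside asked for
        if (p.proto, p.dport) in self.allow_inbound:
            return "pass"                        # explicitly published service
        return "drop"                            # unsolicited


class Nat44:
    """Port-overloading NAT (one public IP, many inside hosts). An unsolicited
    inbound packet is dropped only because no mapping exists for it, which is
    the same state table StatefulFilter keeps, plus rewriting."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, inside_ip, inside_port) -> public_port
        self.in_map = {}    # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, p):
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        translated = Packet(p.proto, self.public_ip, self.out_map[key], p.dst, p.dport)
        return "pass", translated

    def inbound(self, p):
        inside = self.in_map.get((p.proto, p.dport))
        if p.dst != self.public_ip or inside is None:
            return "drop", None                  # nothing asked for this
        return "pass", Packet(p.proto, p.src, p.sport, inside[0], inside[1])


def scenario_no_nat():
    """IPv6-style: global addresses everywhere, a stateful filter in front."""
    fw = StatefulFilter()
    host, web, scanner = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:bad::1"
    v1 = fw.outbound(Packet("tcp", host, 51000, web, 443))
    v2 = fw.inbound(Packet("tcp", web, 443, host, 51000))     # the reply
    v3 = fw.inbound(Packet("tcp", scanner, 40000, host, 22))  # unsolicited
    return (v1, v2, v3)


def scenario_nat44():
    """IPv4-style: RFC 1918 inside, one public address, NAT and nothing else."""
    nat = Nat44(public_ip="203.0.113.1")
    host, web, scanner = "192.168.44.10", "198.51.100.80", "198.51.100.66"
    v1, out = nat.outbound(Packet("tcp", host, 51000, web, 443))
    v2, _ = nat.inbound(Packet("tcp", web, 443, out.src, out.sport))      # the reply
    v3, _ = nat.inbound(Packet("tcp", scanner, 40000, "203.0.113.1", 22))  # unsolicited
    return (v1, v2, v3)


if __name__ == "__main__":
    print("stateful filter, no NAT:", scenario_no_nat())
    print("NAT44, no filter:       ", scenario_nat44())
```

The `allow_inbound` parameter is the one thing NAT makes awkward and a firewall makes explicit: publishing a service is a policy line, not a port-forward that borrows the single public address.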
IPv6!!!!
Last summer Dan Kaminsky got everybody all a-tingle over an ever-so-simple vulnerability in DNS. Mad props to him for figuring it out, of course. But a big kabong in the head for the rest of us for not seeing it earlier. DNS is over 25 years old and is core to the functioning of the Internet. The fact that something so obvious made it so long without getting discovered is a lesson for us all. You can read about the Kaminsky vulnerability here (http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky). Wired magazine, despite being way more liberal than I can usually stomach, does a good job on articles like this. Good back story, etc. Anyway, it’s worth the read.
If you want to know more detail about the vulnerability I suggest you give a serious 20 minutes to Steve Friedl’s description of the Kaminsky DNS vulnerability. Steve does a really good job of breaking things down so I’m not going to repeat what he already said so well. Go check out his schtick. Seriously. Go. Read it.
The current fix is regarded by most as temporary. It is source port randomization, and all it does is lengthen the odds. Kaminsky’s attack only had to guess a 16-bit transaction ID, so each forged reply had a 1 in 65,536 chance of being accepted. Once the resolver also picks a random source port for every query the attacker has to guess both. A patched Microsoft DNS server draws from a pool of 2,500 ports by default, so each forged reply now has a 1 in 65,536 × 2,500 = 163,840,000 chance, call it 1 in 164 million. A resolver that uses the whole ephemeral range (65,535 − 1,025 = 64,510 ports) pushes that out to 1 in 65,536 × 64,510, roughly 1 in 4.2 billion. The real problem is not fixed. The fix just makes it much less likely that any one forged reply lands.
And I almost agree. A 1 in 164 million chance is a big-time long shot. But the odds of winning the Mega Millions jackpot are 1 in 175 million. That means you have a slightly better chance at winning the Kaminsky DNS poisoning lottery than at picking all five numbers plus the Mega Ball and retiring. What gets me is this: Someone wins the lottery every week or so (sometimes a bit longer). The fact that someone has to win means that people still play. Motivated attackers know this. If they play long enough they still have a chance to win. And play, I suspect, they will. After all, it’s not costing them a buck a pop to do so. And, oh my, what a payday!
While the solution is simple and reasonably effective it seems that it has no capacity to be a long-term solution (which has already been admitted over and over. DNSSEC anyone?). It also seems that we need to limit the number of times someone gets to play. Enter Intrusion Prevention Systems and shunning.
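The lottery comparison is worth carrying through to the end, because per-reply odds are not what an attacker cares about; time to a hit is. Below is an added example written for this page (not from the post, from Kaminsky, or from Steve Friedl’s write-up) that turns the numbers above into an attack budget. The port pools are the ones the post names (a single fixed port, the 2,500-port Microsoft pool, the 64,510-port full ephemeral range); the forged-reply rate of 50,000 per second is an assumption for illustration, not a measured figure, and the model ignores the race against the legitimate reply, so it flatters the attacker slightly. Kaminsky’s trick of querying a fresh random name each round is what lets the attacker keep playing instead of waiting out a TTL, which is why the replies simply accumulate.

```python
from math import ceil, log, log1p

TXID_BITS = 16  # DNS transaction ID is 16 bits wide


def per_reply_odds(txid_bits=TXID_BITS, port_pool=1):
    """Chance that one forged reply matches both the transaction ID and the
    resolver's source port. port_pool=1 models a resolver stuck on one source
    port, which is the situation Kaminsky's attack relied on."""
    return 1.0 / (2 ** txid_bits * port_pool)


def success_probability(p, replies):
    """Chance of at least one accepted forgery after `replies` attempts."""
    return 1.0 - (1.0 - p) ** replies


def replies_for_confidence(p, confidence=0.5):
    """Forged replies needed before the attacker has `confidence` of a hit.
    log1p keeps the arithmetic honest when p is a few parts per billion."""
    return ceil(log(1.0 - confidence) / log1p(-p))


def seconds_for_confidence(p, replies_per_second, confidence=0.5):
    """Wall-clock time to reach `confidence` at a given forgery rate."""
    return replies_for_confidence(p, confidence) / replies_per_second


def compare(replies_per_second=50_000, confidence=0.5):
    """Seconds to a coin-flip chance of poisoning, for the three port pools
    discussed in the post. The rate is an assumed figure for illustration."""
    pools = {
        "fixed source port": 1,
        "2,500-port pool": 2500,
        "full ephemeral range (64,510)": 64510,
    }
    return {
        name: seconds_for_confidence(per_reply_odds(port_pool=n), replies_per_second, confidence)
        for name, n in pools.items()
    }


if __name__ == "__main__":
    print(f"per-reply odds, fixed port:   1 in {1 / per_reply_odds():,.0f}")
    print(f"per-reply odds, 2,500 ports:  1 in {1 / per_reply_odds(port_pool=2500):,.0f}")
    for name, secs in compare().items():
        print(f"{name:32} 50% chance after {secs / 3600:8.2f} hours")
```

The shape of the result is what matters: source port randomization turns a sub-second attack into hours (Microsoft pool) or most of a day (full range), which is exactly what the post means by "limit the number of times someone gets to play". Rate limiting and shunning attack the `replies_per_second` term; DNSSEC removes the guessing game altogether.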
My lasting impression from this little lesson in security is that there is always something lurking under the covers. And it’s often hidden inside things we think we know and understand very well. How cool is this line of work? I love it.
Colin Weaver