Archive for September, 2010

oh the places you will go…

by Angela on Tuesday, September 28th, 2010.

Recently Oliver and I met up with some friends who had exciting news to share. After years of corporate success in their various fields, (one friend is a solicitor, and the other is a software developer) they have decided to pack up their lives in Amsterdam where they are living –  quit their respective jobs, and go travelling around Europe, living in their camper-van for the next 18 months!

To me, that is an ultimate reality.  I have such high respect for them to make such a radical and exciting decision, to take control of their life.

It is also something I would love to be able to do with Kai before he starts school. I am not sure how long I would enjoy  doing it “rough” in a camper van for two years, but I would try for the sake of the adventure. Seeing all of Europe,  spontaneously stopping in one place exploring, and then moving on when you were ready!

You have your essentials -your partner, warmth, shelter, a bed and shower, power and electricity for phones, and most camp sites have WiFi for catching up via the net.

Interesting how perspective works – when I told my gorgeous Greek friend about how I wish I was embarking on such an adventure she replied –

“Ange, you ARE doing it. You are living in Berlin – the most exciting and dynamic European city. You have a wonderful partner, and together you are exploring Europe and raising your baby here… because you are here day to day, you do not realise that you are living that way; you cannot have EVERYTHING”

and she is right

– Oli and I did just decide one day after much deliberating that we would just pack up and leave Sydney, quitting our jobs, selling all of our belongings and moving to Berlin with just one suitcase each. When we left we had no apartment or jobs waiting for us to go to, we knew no one in Berlin, we didn’t speak fluent German, and I was pregnant…

Since being here for almost 12 months, I have had lots of time to think about what it will mean for Kai to be raised “German”.

I’m slowly but surely coming to terms with the fact that if Oliver and I choose to stay here in Berlin long term, then we will be sending Kai to school here. He will be raised without Oli’s or my extended family – his grandparents, aunties, uncles and cousins. I was raised in a big family and I have fond memories of large Christmases, Easter and family gatherings for birthdays, baby showers, Christenings or weddings. There is always way too much yummy food, lush home cooked smells, lots of laughter and squeals of delight from all the children.

Growing up with a strong family around me significantly influenced the woman I am today.

Don’t get me wrong, we have great friends here in Berlin, but it will not be the same as those family gatherings. Blood is always different. You choose your friends, but in the family where I come from there is a special bond of support and guidance, there is wisdom. You can ask things of family you cannot of friends. I am often hearing about how my sister can leave my nephew with my mum so she can have a break. That is something I will never have if I stay here.

I wonder if depriving Kai of that is too great a sacrifice.

Then there are all the things Kai stands to gain. I can provide for Kai what I never had, the opportunity to grow up bilingual, speaking two or more languages. The accessibility to all of the rest of Europe only an hour plane flight away. A fantastic education system, elite health-care, fantastic cultural opportunities – the art and music scene here is amazing. Really Oliver and I have only begun to scratch the surface of what Berlin has to offer us both individually and as a family…

The ease of travelling for us around Europe will mean that Kai will be meeting new people who can teach him things about the world that you cannot get from a book or the internet. Seeing parts of the globe that hold history, and are unique or one of a kind.

Talking to a friend who recently dropped in to Berlin made me realise that the arts in Australia is the same as before I left a year ago. She told me I made the right choice to leave. She is thinking of moving to Berlin herself – even though she is getting a lot of acting work, she is not satisfied. It is mainly commercials. Australia and Sydney is so small, the arts community is select and funding is still so sparse that it is hard to develop new things. Theater is still so hard to develop, and it is usually the same old things that get produced.

If only I could have an express train to Sydney that would let me go see family and then return to Berlin… but like my friend says,
“You can’t have everything…”

can I???

Tuesday, September 28th, 2010 Germany 1 Comment

Winter’s on its way

by Oliver on Tuesday, September 28th, 2010.

This week has definitely been colder so far than last week, noticeably so. We’re getting down to ranges of something like 8 – 16 degrees Celsius, with gusty winds and rain. Of course, I love this kind of weather but it does necessitate certain precautions. Unfortunately I caught a cold last week from some scoundrel at the office and had to take three days off work, but fortunately I was more or less back in shape today, so it was back to my usual routine of cycling to and from work.

I own possibly the worst bicycle in Berlin that isn’t rusted and chained to a tree, one wheel kicked in and bent while the other is completely missing, seat long gone and handlebars soon to follow. Mine has a bit of rust, up until recently had only half a seat and will transfer buckets of oily grime to you at the slightest touch. With the wintery days approaching the days are growing shorter and darker; the threat of snow imminent on the horizon. It’s probably best if I take care of some of the minor safety issues now before it becomes too late.

Up first is the broken dynamo. It put up a good fight, but only really lasted a couple of weeks after acquiring the bicycle (and even then was only sporadically used, mainly out of curiosity). Off it comes! I didn’t realise this prior to removing it, but the top was completely wonky and broken.

About a month ago I discovered that a local hardware store, Obi, carries most if not all of the things I could possibly want for bike repair (this is after I bought a bunch of stuff off Ebay for probably about the same price they had them). So after having an Ebay seller not deliver the cheap dynamo I bought (I managed to get the money back from Paypal fortunately) I decided to check out their offerings in dynamos.

For the princely sum of €6 I picked up this little 6V 3W gem, and actually managed to fit it to the bike correctly first time, and wired it up ok. The lights work again (front and back) so my safety level has just gone up a few notches (and I do wear a helmet, unlike most locals).

Unfortunately, that’s about where this story ends. The rest of the bike is in pretty shabby condition: it only acquired a front mudguard quite recently, the chain tended to skip quite badly until I adjusted the rear derailleur but I still leave it in one gear most of the time and the brakes, while they do work, leave a bit to be desired.

Check out the tyres! Yes, that’s some quality right there. I was hoping to leave it on until it wore out completely, forcing me to buy a new one but it seems for the sake of safety I might have to change it early for a winter tyre, if such a thing exists for bicycles.

But hey, at least I can see in the dark now.

Tuesday, September 28th, 2010 Germany No Comments

Of sparse files and men

by Oliver on Friday, September 24th, 2010.

One of my favourite interview questions is about sparse files. I’m constantly surprised at how few people know about them, especially in this day when thin-provisioning of storage is so pervasive you can run into it just about anywhere. Most commonly though, candidates will respond back with something to the effect of “a file with holes in it” which is more or less correct. I think out of everyone I have interviewed this year, only one person was able to tell me how to create a sparse file on the command line, and nobody was able to tell me how you can find out the space they actually occupy.

For the record, here are the two commands. Firstly, to create a 2GB sparse file:

$ dd if=/dev/zero of=test2G count=0 bs=1M seek=2048
0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.6628e-05 s, 0.0 kB/s

And secondly, to display how much space the file actually takes up:

$ ls -lahs test2G
0 -rw-r--r-- 1 ohookins ohookins 2.0G 2010-09-21 09:40 test2G

That’s the actual size on disk in the left-most column. I always take slight pleasure in showing “actual terminal output” to candidates where I’ve created a 10TB file on my 128GB hard drive, and watch their faces as they try to figure out what is going on, although this is usually followed by disappointment as I realise it’s another negative point for them on the interview. What can I say, I’m a BOFH interviewer.

A frequently painful item in the lives of MySQL administrators everywhere is the shared InnoDB tablespace. This usually lives at /var/lib/mysql/ibdata1 and can be anywhere from 10MB to many GB in size depending on your dataset and configuration. The sadly default option of keeping ALL InnoDB databases inside this file can make it grow without bound, and that space cannot be claimed back – rows can be deleted and reused for new insertions but the size of the file cannot be shrunk on disk. I was thinking about this the other day and I started wondering whether InnoDB might have enough smarts in it to give some of this disk space back, via file “holes”.

One database server I manage does in fact have innodb_file_per_table enabled but sadly the common tablespace has still grown. We take binary tarballs of the entire MySQL data directory from this machine for a variety of purposes so the tarball is steadily growing. I decided to run ls -ls inside /var/lib/mysql and saw this:

# ls -ls ibdata1
6137716 -rw-rw---- 1 mysql mysql 6278873088 Sep 21 09:04 ibdata1

That first number is how many allocated blocks are on disk from the file. You can quite easily find out the block size:

$ dumpe2fs -h /dev/mapper/localhost-root 2>/dev/null | grep '^Block size'
Block size:               4096

Oh. It really doesn’t seem like ls is using the filesystem block size. It must be using 1024 bytes. Multiplying the block count by 1024 we get 6285021184 bytes, which is actually MORE than it reported the file size to be (by a whole 6148096 bytes… almost 6MB). That’s a WTF.

My somewhat educated guess is that due to the behaviour of InnoDB (periodically reaching a low-threshold of free space in the ibdata1 file, and extending it by the innodb_autoextend_increment, usually 8MB) the data file is increased in size periodically, leaving the last “end” block not completely filled. After we have increased the size many hundreds of times we might end up with quite a few 4K blocks only partially filled. This may explain that the allocated blocks total a significantly greater (i.e. megabytes rather than kilobytes) amount than the actual bytes of data in the file are using.

So much for smart sparse file usage, InnoDB.
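
The same measurement done programmatically, as an added example that is not part of the original post: it compares a file's apparent size with its allocated size and lists the byte ranges that really hold data. The function names and the temporary test file are constructed for illustration; the ibdata1 figures are the ones from the listing above.

```python
# Added example, not from the original post.
import errno
import os
import tempfile

ST_BLOCK_UNIT = 512    # st_blocks is counted in 512-byte units, whatever the fs block size
LS_BLOCK_UNIT = 1024   # GNU `ls -s` prints 1024-byte units by default


def usage(path):
    """Return (apparent_bytes, allocated_bytes) for a file."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * ST_BLOCK_UNIT


def data_extents(path):
    """Return the (start, end) byte ranges that actually hold data.

    Uses lseek(SEEK_DATA/SEEK_HOLE). A filesystem that cannot report holes
    presents the whole file as one data extent.
    """
    extents = []
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.fstat(fd).st_size
        pos = 0
        while pos < size:
            try:
                start = os.lseek(fd, pos, os.SEEK_DATA)
            except OSError as exc:
                if exc.errno == errno.ENXIO:   # only a hole remains up to EOF
                    break
                raise
            end = os.lseek(fd, start, os.SEEK_HOLE)
            extents.append((start, end))
            pos = end
    finally:
        os.close(fd)
    return extents


def ls_blocks_to_bytes(blocks, unit=LS_BLOCK_UNIT):
    """Convert the left-most column of `ls -s` into bytes."""
    return blocks * unit


def demo(size=64 * 1024 * 1024, payload_at=32 * 1024 * 1024):
    """Create a sparse file with one 4 KiB island of data and measure it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sparse.bin")   # constructed test file
        with open(path, "wb") as f:
            f.truncate(size)          # extend without writing, like dd count=0 seek=N
            f.seek(payload_at)
            f.write(b"\xaa" * 4096)
        apparent, allocated = usage(path)
        return {"apparent": apparent, "allocated": allocated,
                "extents": data_extents(path)}


if __name__ == "__main__":
    print(demo())
    # The ibdata1 listing from the post: 6137716 blocks, 6278873088 bytes.
    on_disk = ls_blocks_to_bytes(6137716)
    print(on_disk, on_disk - 6278873088)
```
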

Friday, September 24th, 2010 Tech 2 Comments

Running on borrowed time

by Oliver on Thursday, September 16th, 2010.

No, I’m not dying, but perhaps my treasured notebook computer is. I’ve been using my trusty Lenovo Z61t for longer than I can accurately remember but I assume it must be about 5 years now. In that time the DVD drive has stopped burning DVDs, the trackpad has completely stopped working, the pointing stick flakes out regularly (prompting me to write a script which restarts the driver when problems arise), the battery has been replaced twice (the last under warranty from the first fortunately), and it has a tendency to overheat and shut down when it is doing too much.

As you can see, it’s in a pretty sorry state, but by and large for my purposes (largely web surfing, email and a bit of programming) it does what I want. I don’t need 3D acceleration since I play no games (hello, it’s Linux) and it is left plugged in most of the time so even if the battery dies completely it wouldn’t be a big deal. I’m not exactly in the camp of that generation who complain if products don’t last a human lifetime like they did supposedly back in some fictitious golden era, but unless a major component fails (CPU, motherboard, screen) I can’t see the point in replacing it. So, I chug along, occasionally frustrating myself to the point of throwing it out the window when it shuts down every 5 minutes while trying to do something as menial as watching a video on Youtube.

Anyhoo, a few days ago as I was eating breakfast while checking my email I noticed a faint ticking noise coming from the hard drive. This may or may not be the norm, but my poor hearing (a result of playing too much loud rock music in earlier years) doesn’t usually pick up the finer nuances of the sultry hard drive song. My first system administrator instinct is naturally to check out what the hard drive says is going on with a little utility called smartctl. Here’s what I saw:

193 Load_Cycle_Count        0x0012   028   028   000    Old_age   Always       -       729498

That load cycle count represents how many times the hard drive heads have loaded and unloaded, which typically means they have parked themselves in a safe area (usually for power saving) and then at some later point emerged from their safe haven to frolic once more in the fields of data. Or so I am told.

So, seven-hundred thousand odd load cycles. Let’s see what the Internets have to say about this…

Unprecedented load/unload durability at 600,000 cycles

Uh oh. My figure of way over seven-hundred thousand cycles just totally turned their value of six-hundred thousand into … precedented. I’m now in super-unprecedented territory. I did manage to find a white paper from Hitachi that suggests that they have tested over one million cycles, and what can I say – I want to get there.

Time to take a backup I think.

Thursday, September 16th, 2010 Tech 1 Comment

Dangers of spanning tree interoperation

by Oliver on Sunday, September 12th, 2010.

A couple of months ago we ran into a minor issue at work when running Cisco and HP switches together. Naturally we have redundant links in place for all networking equipment so spanning tree of some sort must be used. In theory, any equipment can work together with spanning tree but the reality is not exactly this utopian:

  • Cisco supports natively their proprietary protocols PVST, PVST+, PVRST and PVRST+. They also support MSTP, and all modes will drop down to compatibility modes of STP after detecting standard STP peers on the line.
  • HP supports MSTP, RSTP and STP. Will drop down to RSTP or STP after detecting peers who use those protocols on the line.

I haven’t written about it, but MSTP is a massive waste of time with current implementations. I actually list experience with MSTP on my CV, and during one interview I was actually asked about it by a potential employer and we both agreed that it was a huge nightmare which confirmed my own experiences. Basically, the administrative overheads outweigh any bandwidth gains you can potentially make, and these overheads scale up quickly. Unless you have absolutely no changes ever in your environment (right down to your list of used VLANs) I can’t recommend it. So that takes MSTP out of the equation.

Cisco will drop down to STP even when configured to use one of their per-VLAN implementations (which I think are actually quite good), but it still conveys per-VLAN information in the extended system ID field of the BPDU. Most switches which aren’t looking for it will pass on this information and consider it to be simply additional path weighting information.

BPDU flow diagram

As you can see from this rough diagram, we end up in a bit of a pickle when our upstream links from the non-Cisco switches have mismatched VLANs (but can talk on all of these VLANs between each other). The HPs blindly send on BPDU information which encapsulates the extended ID in the priority field, and when it reaches the original switch, it finds that the priority is higher (lower value) than the one it had set already by itself as the root. To get an idea of what happens, I’ll describe the path weighting which comes from the above diagram if we are using 1Gbps links (usually attributed a link cost of 4):

  1. Cisco1 is the primary root, which in Cisco terms means a priority of 24576. It sends the BPDU to HP1, adding the extended ID of 100 for the VLAN.
  2. HP1 receives the BPDU over its VLAN100 link. The priority of 24676 and the extended ID of 100 are added, plus the link cost of 4 which results in 24680. HP1 sends a BPDU over to HP2, and at this point since they are speaking either MSTP (presumably as part of the CST) or RSTP/STP, VLANs are immaterial.
  3. HP2 receives the BPDU, adds the link cost of 4 which brings us to the total of 24684. HP2 sends a BPDU out its VLAN200 link back to Cisco1.
  4. Cisco1 receives the BPDU on a port it expects to be only used for VLAN200. The path cost at this point is 24688, but 24576+200 is 24776 and higher than the path cost for the BPDU which originated on the other port. Therefore the BPDU that was originally transmitted for VLAN100 has made it back into VLAN200 and Cisco1 is led to believe that VLAN200 has a better root bridge which comes from this path. It elects this port as a root port, even though the new mystery root bridge on this port is this switch itself!

Fortunately when I discovered this problem, we did not actually suffer from any loss of links or network problems (that I could see, anyhow) but the way the network was set up well and truly put spanning tree’s behaviour into the realm of “undefined”. You should not do this! But even so, it demonstrates that you can quite easily mess up your network when the network equipment can’t even really standardise on a version of spanning tree. As much as the Cisco documentation will tell you they interoperate by dropping down to STP, they still maintain per-VLAN STP spanning trees so the behaviour is still very different.

Sunday, September 12th, 2010 Tech No Comments

I/O redirection “optimizations”

by Oliver on Sunday, September 12th, 2010.

Quite a while back, I had to migrate a few terabytes of data from one machine to another. Not that special a task, and certainly a few terabytes is not that much but at the time it was a reasonable amount and even over 1Gbps network it can take some time. Fortunately it was not time critical and I could take the server in question down for a while to facilitate the migration. The data in question was a number of discrete filesystems on a bunch of LVM logical volumes, thus I was able to basically just recreate the LVs on the destination and do a straight bit copy.

That all being said, I still wanted it to complete quickly! After eradicating the usual readahead settings being set too low for sequential reads from the source, the copy occurred more or less as expected, and I kept a watchful eye on iostat. This is where things got a bit strange, as I noticed identical read and write values coming back from the destination LV. The basic formula of the copy was as follows:

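# source
for i in /dev/VolumeGroup/*; do
    # number of logical extents in this LV
    LE=$(lvdisplay "$i" | grep "Current LE" | awk '{print $NF}')
    NAME=$(basename "$i")
    # announce name and size on the control channel (port 30001)
    echo "${NAME}:${LE}" | nc newmachine 30001
    sleep 10
    # stream the raw LV contents over the data channel (port 30000)
    dd if="$i" bs=4M | nc newmachine 30000
    sleep 10
done
echo "DONE:0" | nc newmachine 30001

# destination
while true; do
    # wait for "name:extents" on the control channel; note that it arrives
    # unauthenticated and is used as-is in the lvcreate call and output path
    INFO=$(nc -l 30001)
    NAME=$(echo "$INFO" | cut -f1 -d:)
    LE=$(echo "$INFO" | cut -f2 -d:)
    if [ "$NAME" = "DONE" ]; then
        break
    fi
    lvcreate -l "$LE" -n "$NAME" /dev/VolumeGroup
    # receive the LV contents straight into the new volume
    nc -l 30000 > "/dev/VolumeGroup/$NAME"
done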

Unfortunately I don’t have the actual code around, so the above is only an off-the-top-of-my-head approximation, but you should get the idea:

  • Loop over our logical volumes we want to migrate over to the new machine, determining name and number of logical extents (yes, we have to do some extra work if logical extent size differs between source and destination).
  • Pipe the number of LEs and the name of the LV to the destination over a “control” channel so that the new LV can be created, and wait a few seconds for this to take place.
  • Read out the source LV with a reasonable block size, and pipe it over to the destination where it is piped directly into the new LV. I may have added an intermediate stage of dd to ensure an output block size of 4MB as well, but my memory fails me.

So, as I mentioned, at this point I noticed that not only was data being written to the destination LV (as you would expect) but a corresponding amount was being simultaneously read from it. I was not able to resolve this discrepancy at the time, although I suspected perhaps some intelligence in part of the redirection on the output side was trying to determine which blocks actually needed overwriting.

A couple of months ago I spotted this post in Chris Siebenmann’s blog which may explain it. He has certainly run into a similar confounding case of system “intelligence”.

Sunday, September 12th, 2010 Tech No Comments

the women of Berlin….

by Angela on Sunday, September 12th, 2010.

Daily I have German women of all ages coming up to me or stopping me on the street to comment about Kai. I carry Kai in a sling wherever I go, so he can face out as we explore Berlin. Some days I have women coming up to look at Kai, exclaiming he is “Sehr süß” (very sweet), oh, kleines Fuß! (little foot), or asking questions – Wie alt? (how old?), Jungen oder Mädchen? (girl or boy), is it my first baby etc?

Most of the time I have no problem being approached. Kai seems to love the attention of women gushing over him, and he smiles and laughs in response to their baby talk. I also get to practice my German.

However I have also had quite negative experiences when being approached. I have had women coming up to me and telling me that Kai is too cold, that I have not dressed him warmly enough, that he shouldn’t be in a sling. That I should have him in a Kinder-wagon (buggy/pram). A few weeks back I even had a woman approach me in a shopping centre claiming to be a “children’s doctor”. Kai was asleep in the sling and she accused me of being a “cruel and horrible mother” for carrying Kai in a sling – that I was damaging his spine for life. That he should be seated upright.

I explained that the sling was safe and that he was fine, to which she told me that I “clearly had no idea what I was talking about, and had no idea about being a mother. How could I be so cruel? how could I do this to my baby!?”

I was devastated. Not only had she attacked and humiliated me in public, she also woke Kai up, so he was screaming. Everyone in the store who had heard this woman scold me was staring with disdainful looks. I could feel my cheeks burning, and I managed to not break down there and then, but I raced home and cried, and cried.

I was in such shock that someone had the audacity to approach me and attack me. I would never try and tell another mother how to carry her child, or tell her she was being a cruel mother. Motherhood is tough enough without having a stranger telling you that you are incompetent.

I regret not telling her to mind her own business, that she had no right to approach me or my child.  I am a capable mother  I am the only one who will make choices about Kai’s well being.

Of course, you think of all the things you wish you had said, AFTER the person has left. I was too dumbfounded to say anything at the time and in hindsight, she probably would not have listened to my retaliation regardless of how articulate my German was.

A close friend of mine here in Berlin  has a theory as to why this happens to me.

It came as a shock for her to hear my stories –  as Berlin is known for its liberties; you can walk down the street dressed however you want, behaving however you want, and you can have an opinion about whatever you want and people do not care.

Her theory is that women in Berlin are not taken seriously if they are attractive. If you are “good-looking”, dress well and take pride in your appearance, then you must not be intelligent. If you have the time to dress well, shop for nice clothing and apply makeup daily – then you couldn’t possibly be capable of attending university, you don’t have time to be reading War and Peace, debating climate change, working on your doctorate thesis, or raising a child.

It seems that other people my friend has spoken to confirm her theory – people who have not been taken seriously at university by their professors until they stopped wearing any makeup, stopped caring about their hair or clothing. Suddenly their professors noticed them – once they looked like they belonged.

This idea makes me furious. Why should it be one or the other?!

I decide to dress well, wash and condition my hair, put some foundation or some lip gloss on and suddenly I am too stupid to raise my own baby?! The logic escapes me. Shouldn’t feminism be about women having the freedoms to do what they want?! You can be a feminist whilst wearing a supportive bra underneath a nice top, you don’t need to be burning your clothing to be a woman who cares about the rights of women.

I considered that perhaps this idea about beauty vs. intelligence is isolated specifically to Berlin. Perhaps I am treated this way because dressing well makes me seem like a woman from the West who has money?! (I live in the former East Berlin.) Could it be cultural divides that I am not sensitive to?!

Cultures seem to have their own ideas about what is beautiful, and even after having modelled before, I have struggled with what beauty is, as I’ve discussed in other blogs.

I do not find conventional magazine or runway models beautiful. Of all the models I have worked with, interviewed for shows, or stood next to on the runway, none of them seemed comfortable in their own skin. They seemed unhappy and hungry.

A film shot in Berlin recently dealt with women striving to be thin at any cost. Basic plot line = The lead character wants desperately to be thin, so she orders a tape worm from overseas which she ingests to lose weight. (This is based on reality – as women do actually do this.)

The film will be released for Berlinale 2011. Funnily enough, I was cast as a model in this film. I am only in a few party scenes in which the lead character is jealous of me, and this drives her to order the worm off the Internet.

It seems this theme comes back to me like a boomerang. It seems to be a recurring theme, all women get told that being thin = beauty = fulfillment = happiness.

At a wedding I was at recently in Dublin I overheard the five year old flower girls getting scolded because they wanted to take their shoes off. The mother in charge told them that they had to “suffer for beauty”, that beauty = pain as she suffers daily wearing high heels to look good. She told these five year olds it was “their job as women to be pretty; and so they had to keep their heels on, even though it was painful.”

I had to fight to bite my tongue. Those poor girls! What an impression to leave on them at an age when they are forming their identity.

I felt sick, and the mother in charge, although covered in makeup and wearing a silk gown, looked hideous and ugly to me.

Ironically when I got back to Berlin and was telling another friend about the wedding, her response was, “all those girls will grow up to be models”…

Sunday, September 12th, 2010 Thoughts 2 Comments

MySQL talk @ LCA08

by Oliver on Sunday, September 12th, 2010.

Here are some of the files from my MySQL talk at Linux Conf AU 2008, where I presented material on replicating, high-availability, load-balanced MySQL.


Sunday, September 12th, 2010 Tech No Comments

Exact determination of Linux process memory usage

by Oliver on Sunday, September 12th, 2010.

While I was still working for Anchor Systems, we had a client who was launching a fairly large website and as part of the gradual ramp-up to delivery we needed to perform some capacity tuning of the web/application servers. The application stack was basically Perl via mod_perl on Apache (not threaded) so we had to determine the memory footprint of the application and make a determination of how many client processes we could support on each server (divide your available physical RAM by the size of the process).

Unfortunately for the system administrators in question, this is a little more difficult than expected due to Linux’s memory sharing smarts. There used to be no easy way to determine the split between shared and private RSS (Resident Set Size) of a process, making it virtually impossible to say how much of the memory allocation for a process was really completely unique and therefore important to be included in calculations. A similar issue existed for determining the number of mapped pages. At the time, we chose the safest option – consider the entire allocation to be private – thus using slightly more hardware resources but guaranteeing never to cause performance degradation due to overzealous memory allocation.

Kernel versions >= 2.6.25 provide the /proc/$PID/pagemap interface which allows you to examine the page tables for processes. The format of the data is documented in the Linux Cross Reference, which, if you don’t already have bookmarked, do it now! There is also a writeup of the interface and how it can be used in which is another bookmark-worthy resource with many very technical articles.

It appears someone has also written a userspace tool to pull information out of this interface, at

It is also possible to view directly human-readable information from /proc/$PID/smaps which divides memory allocation up by loaded libraries and the stack. Quite verbose and certainly useful in some situations.
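
The shared/private split can be read straight out of smaps. The following is an added example, not part of the original post: it parses smaps text, totals shared and private resident memory, and turns that into a worker count. The sample data is constructed, the function names are hypothetical, and the shared-aware estimate assumes shared pages are paid for once and stay shared between workers.

```python
# Added example, not from the original post.
import re

# Mapping header: "start-end perms offset dev inode [path]"
HEADER = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S{4}\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
FIELD = re.compile(r"^(\w+):\s+(\d+) kB$")

# Constructed sample in /proc/$PID/smaps layout (all values invented).
SAMPLE_SMAPS = """\
00400000-0044c000 r-xp 00000000 08:01 131090     /usr/sbin/apache2
Size:                304 kB
Rss:                 280 kB
Shared_Clean:        280 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
0085e000-01a3c000 rw-p 00000000 00:00 0          [heap]
Size:              18296 kB
Rss:               17920 kB
Shared_Clean:          0 kB
Shared_Dirty:       6144 kB
Private_Clean:         0 kB
Private_Dirty:     11776 kB
7f3a10000000-7f3a10180000 r-xp 00000000 08:01 262200     /usr/lib/libperl.so.5.10
Size:               1536 kB
Rss:                1024 kB
Shared_Clean:       1024 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
7fff5a1d3000-7fff5a1e8000 rw-p 00000000 00:00 0          [stack]
Size:                 84 kB
Rss:                  24 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:        24 kB
"""


def parse_smaps(text):
    """Return one dict per mapping: {'name': ..., '<Field>': kB, ...}."""
    mappings = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            mappings.append({"name": header.group(1) or "[anon]"})
            continue
        field = FIELD.match(line.strip())
        if field and mappings:          # lines without a kB value are skipped
            mappings[-1][field.group(1)] = int(field.group(2))
    return mappings


def totals(mappings):
    """Sum resident, shared and private kB over all mappings."""
    out = {"rss": 0, "shared": 0, "private": 0}
    for m in mappings:
        out["rss"] += m.get("Rss", 0)
        out["shared"] += m.get("Shared_Clean", 0) + m.get("Shared_Dirty", 0)
        out["private"] += m.get("Private_Clean", 0) + m.get("Private_Dirty", 0)
    return out


def workers_that_fit(ram_kb, t):
    """Return (conservative, shared_aware) worker counts for ram_kb of RAM.

    conservative: every resident page counted as private, as in the post.
    shared_aware: assumption that shared pages are counted once for all workers.
    """
    return ram_kb // t["rss"], (ram_kb - t["shared"]) // t["private"]


def read_smaps(pid="self"):
    """Read the smaps text of a live process (needs permission to read it)."""
    with open(f"/proc/{pid}/smaps") as f:
        return f.read()


if __name__ == "__main__":
    t = totals(parse_smaps(SAMPLE_SMAPS))
    print(t, workers_that_fit(4 * 1024 * 1024, t))   # 4 GiB of RAM, in kB
```
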

Sunday, September 12th, 2010 Tech 1 Comment

IPv6 Privacy

by Oliver on Sunday, September 12th, 2010.

I’m a big proponent of getting IPv6 out there, but not everyone shares this opinion. A lot of people are happy to stick with IPv4 and all of the horrid NATing nightmares this introduces despite there being such big wins when using IPv6. Some issues it does introduce though need to be dealt with:

  • The big compatibility issue, which encompasses OS, network stack and application support as well as support by all of the solid-state devices out there already.
  • Direct-connectivity to all endpoints is now possible, so NAT cannot be relied upon to provide security.
  • MAC addresses are directly converted into EUI-64 addresses which, when used with IPv6 autoconfiguration, are directly exposed in the IPv6 address.

These last two seem to cause a bit of argument. NAT does provide an implicit form of security (albeit one that can be bypassed with advanced techniques). Adequate firewalling mitigates the security problem, and doesn’t involve breaking the Internet. The alternative is working with an Internet where NAT is omnipresent and every P2P service requires proxies or connection brokering services. This will be a problem.

The last point of MAC address privacy is easily dealt with. If you (like me) don’t particularly like the idea of exposing your MAC address to the world when you use IPv6, you can configure your system to randomize the address. Setting:

net.ipv6.conf.all.use_tempaddr = 2

will cause your network stack to use the advertised prefix on your segment but generate a random suffix, and use it as the preferred address (any previously configured address from the MAC address will be deprecated and eventually removed).

Sunday, September 12th, 2010 Tech No Comments