HTTPS and the opinion of the Great OpenBSD team
Good morning Everybody.

Q1: Correct me if I'm wrong, but AFAIK the OpenBSD team is not trusting the CA/HTTPS model on security side. That's why www.openbsd.org isn't available over HTTPS [?].

---off---
Q2: Then why is: https://lists.openbsd.org/cgi-bin/mj_wwwusr?user=passw=func=lists-long-fullextra=misc using an invalid certificate? :O
---on---

- The main questions/RFC's: I recently heard about Convergence, the website that features a firefox plugin (client code) and a notary (server code) is here: http://convergence.io/

A starting video of this Idea from the Developer, Moxie Marlinspike (author of sslstrip/sslsniff): https://www.youtube.com/watch?v=Z7Wl2FW2TcA [the main part is from 35m40sec, but the video is worth watching!]

If there is no adobe flash installed on your machine, then visit this link: https://addons.mozilla.org/en-US/firefox/search/?q=youtube+downloaderappver=9.0.1platform=linux

About Moxie Marlinspike https://www.blackhat.com/html/bh-us-11/bh-us-11-speaker_bios.html#Marlinspike

Convergence: It's explicitly not an SSL replacement. It's a replacement for CAs, with the explicit design goal of not forcing some giant IPv6-like change the world rollout. It's based in large part on earlier work on solving the SSH Host Key validation problem - see http://www.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/- http://security.stackexchange.com/a/5968/2212

Q3: So what does the OpenBSD team think about this great [?] idea? Is it a viable solution? Is this the future or just a dead end?

- ps.: Also URL's regarding this topic:
http://security.stackexchange.com/a/6780/2212
http://security.stackexchange.com/a/10334/2212
http://security.stackexchange.com/questions/9945/does-https-everywhere-defends-me-against-sslsniff-like-attacks
http://unix.stackexchange.com/a/28288/6960

- ps.2:
http://security.stackexchange.com/questions/9946/when-will-the-webbrowsers-have-tls-1-2-support
http://security.stackexchange.com/questions/10481/next-microsoft-patch-tuesday-include-beast-ssl-fix

The TLS support for browsers right now is:
IE9 TLS 1.0, 1.1, 1.2 all supported via Schannel
IE8 TLS 1.0 supported by default, 1.1 and 1.2 can be configured
Opera - 10.x supports TLS 1.0, 1.1, 1.2
I don't count older versions of any of these browsers, since people really should have auto-update on. If they don't they've probably got bigger problems ( http://isc.sans.edu/diary.html?storyid=11527 )
Mozilla/Firefox - TLS 1.0 only
Chrome - TLS 1.0 only (though an update is rumoured)
Safari - TLS 1.0
Cell phones - various support levels (webkit has tls 1.2 since Nov 2010, but for individual phone browser implementations your mileage may vary)

- Thank you for any comments on this idea/questions. Long live OpenBSD! :) Have a nice day! bye!
DLINK DUB-E100
Hi there, I would buy an Ethernet card usb, and I've found the Dlink dub-e100. It is supported on OpenBSD 5.0? Someone has ever used it? Thanks in advance.
Re: DLINK DUB-E100
On Sun, Jan 8, 2012 at 11:16 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> Hi there, I would buy an Ethernet card usb, and I've found the Dlink dub-e100. It is supported on OpenBSD 5.0?

Why don't you check? http://www.openbsd.org/cgi-bin/man.cgi?query=usbapropos=0sektion=4manpath=OpenBSD+5.0arch=i386format=html

> Someone has ever used it? Thanks in advance.
Re: HTTPS and the opinion of the Great OpenBSD team
On Sun, Jan 8, 2012 at 11:01 AM, Rumoseh, Loros rumosehlo...@postafiok.hu wrote:
> Good morning Everybody.
>
> Q1: Correct me if I'm wrong, but AFAIK the OpenBSD team is not trusting the CA/HTTPS model on security side. That's why www.openbsd.org isn't available over HTTPS [?].

What exactly is private on OpenBSD page to have it over https? ;-)

> ---off---
> Q2: Then why is: https://lists.openbsd.org/cgi-bin/mj_wwwusr?user=passw=func=lists-long-fullextra=misc using an invalid certificate? :O
> ---on---

Because services for certificates are mostly too much expensive without a reason. Doesn't provide real security and because OpenBSD is fun project so self-signed certificate is enough?

> - The main questions/RFC's: I recently heard about Convergence, the website that features a firefox plugin (client code) and a notary (server code) is here: http://convergence.io/
>
> A starting video of this Idea from the Developer, Moxie Marlinspike (author of sslstrip/sslsniff): https://www.youtube.com/watch?v=Z7Wl2FW2TcA [the main part is from 35m40sec, but the video is worth watching!]
>
> If there is no adobe flash installed on your machine, then visit this link: https://addons.mozilla.org/en-US/firefox/search/?q=youtube+downloaderappver=9.0.1platform=linux
>
> About Moxie Marlinspike https://www.blackhat.com/html/bh-us-11/bh-us-11-speaker_bios.html#Marlinspike
>
> Convergence: It's explicitly not an SSL replacement. It's a replacement for CAs, with the explicit design goal of not forcing some giant IPv6-like change the world rollout. It's based in large part on earlier work on solving the SSH Host Key validation problem - see http://www.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/- http://security.stackexchange.com/a/5968/2212
>
> Q3: So what does the OpenBSD team think about this great [?] idea? Is it a viable solution? Is this the future or just a dead end?
>
> - ps.: Also URL's regarding this topic:
> http://security.stackexchange.com/a/6780/2212
> http://security.stackexchange.com/a/10334/2212
> http://security.stackexchange.com/questions/9945/does-https-everywhere-defends-me-against-sslsniff-like-attacks
> http://unix.stackexchange.com/a/28288/6960
>
> - ps.2:
> http://security.stackexchange.com/questions/9946/when-will-the-webbrowsers-have-tls-1-2-support
> http://security.stackexchange.com/questions/10481/next-microsoft-patch-tuesday-include-beast-ssl-fix
>
> The TLS support for browsers right now is:
> IE9 TLS 1.0, 1.1, 1.2 all supported via Schannel
> IE8 TLS 1.0 supported by default, 1.1 and 1.2 can be configured
> Opera - 10.x supports TLS 1.0, 1.1, 1.2
> I don't count older versions of any of these browsers, since people really should have auto-update on. If they don't they've probably got bigger problems ( http://isc.sans.edu/diary.html?storyid=11527 )
> Mozilla/Firefox - TLS 1.0 only
> Chrome - TLS 1.0 only (though an update is rumoured)
> Safari - TLS 1.0
> Cell phones - various support levels (webkit has tls 1.2 since Nov 2010, but for individual phone browser implementations your mileage may vary)
>
> - Thank you for any comments on this idea/questions. Long live OpenBSD! :) Have a nice day! bye!
Re: DLINK DUB-E100
On Sun, Jan 8, 2012 at 2:16 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> I would buy an Ethernet card usb, and I've found the Dlink dub-e100. It is supported on OpenBSD 5.0? Someone has ever used it?

See the axe(4) manpage. I have seen several work, but one didn't. I attributed this to low quality, or poor quality assurance.
Re: DLINK DUB-E100
On Sun, Jan 8, 2012 at 11:42 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> On 01/08/2012 11:38 AM, Tomas Bodzar wrote:
>> On Sun, Jan 8, 2012 at 11:16 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
>>> Hi there, I would buy an Ethernet card usb, and I've found the Dlink dub-e100. It is supported on OpenBSD 5.0?
>> Why don't you check? http://www.openbsd.org/cgi-bin/man.cgi?query=usbapropos=0sektion=4manpath=OpenBSD+5.0arch=i386format=html
>>> Someone has ever used it? Thanks in advance.
> Sorry, I'm new to OpenBSD, and I don't know that there was the manual page for usb. Thanks for info.

Ah, probably Linux background. Then this http://www.openbsd.org/faq/index.html and man pages (man help and man afterboot for start) can be good start for you. One of the pros of BSD world is quality of documentation.
Re: relayd fails on POST 2GB
Hi,

On Friday, 06 Jan 2012 at 13:22 CET Gordon McAllister gordon.mcallis...@gmail.com wrote:
> Is there a knob to tweak to allow POSTs greater than 2GB or is this limit somehow hardcoded?

A wild guess (since you didn't provide dmesg): do you use i386 arch?

--
Greetings
Rafal Bisingier
Re: dual dvi with 2 monitors, 1 dvi is not detected
On 2012-01-07, Christian Weisgerber na...@mips.inka.de wrote:
> Jure Pečar pega...@nerv.eu.org wrote:
>> I remember Matrox G450 as being well supported even by XFree86. They have G550 dual dvi model, no experience with it though.
> Well, since we seem to be reminiscing instead of checking current facts--which would be work and sort of boring, you know, so why bother--let me tell you that I remember newer Matrox cards not being supported at all, and even the supported ones required a binary blob to enable DVI, or maybe it was higher resolutions than 800x600 on DVI.

Single DVI typically works on the Gx50, but dual DVI requires the blob. Parhelia cards (the new GPU first released in 2002) and M-series aren't supported.

These days you generally want to be using Intel or ATI based video hardware for your main X displays (and stay a generation or two behind the cutting edge if you want something where most features work). udl(4) might be a viable option for additional screens if you don't need them to be super-fast.
Re: Ted Unangst Static Source Code Analysis
On 2012-01-08, Lars nore...@z505.com wrote:
> What tools are used in OpenBSD for static source code analysis? I guess Lint is considered one tool?

Various people have used various tools at various times to look at OpenBSD source code. Besides lint, examples include: clang's static analyser, cppcheck, parfait (and I'm sure there are others which have been run over at least parts of the codebase).
Re: inet6 autoconfprivacy broken on -current ?
On Sat, Jan 7, 2012 at 3:23 PM, Simon Perreault simon.perrea...@viagenie.ca wrote:
> On 02/01/2012 6:00 PM, Mattieu Baptiste wrote:
>> On my machine running -current/amd64, inet6 autoconfprivacy seems to break neighbor sol/adv.
> I just tested this and it works for me. Sorry.
> Simon

Have you tried running with autoconfprivacy in the long run? For me, it usually works the first minutes/hours, but stops after that. Then, disabling autoconfprivacy brings back the connectivity.

--
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.
Re: relayd fails on POST 2GB
On 2012-01-08, Rafal Bisingier ra...@man.poznan.pl wrote:
> A wild guess (since you didn't provide dmesg): do you use i386 arch?

No, amd64, see the original message.

On 2012-01-06, Gordon McAllister gordon.mcallis...@gmail.com wrote:
> Hello all,
> I have a relayd setup on 4.9 (amd64), terminating SSL in front of an
                                 ^^^
> application that requires large-ish file uploads. All is well until a file upload greater than 2GB is attempted. The request fails immediately, here's an example log message:
> relay ext_ssl, session 33753 (1 active), 0, 10.6.66.76 - 127.0.0.1:8080, too large

Is this the exact text of the log entry? I don't see this "too large" string in relayd source code implying it comes from elsewhere. Does the backend server even accept 2GB POSTs in the first place? If unsure, take relayd out of the equation and connect directly.
Re: Ted Unangst Static Source Code Analysis
Coverity also. I think I remember one of the OpenBSD developers worked/works for Coverity. There is open source projects scanning. Also look in the archives, there are several interesting threads; try f.ex. using coverity in your search. There is a list of tools on Wikipedia!!! http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

On Sun, Jan 8, 2012 at 1:21 PM, Stuart Henderson s...@spacehopper.org wrote:
> On 2012-01-08, Lars nore...@z505.com wrote:
>> What tools are used in OpenBSD for static source code analysis? I guess Lint is considered one tool?
> Various people have used various tools at various times to look at OpenBSD source code. Besides lint, examples include: clang's static analyser, cppcheck, parfait (and I'm sure there are others which have been run over at least parts of the codebase).
Re: OpenBSDd functionality equal to neighbor allowas-in?
On Sat, Jan 07, 2012 at 09:21:35AM +0100, Pete Vickers wrote:
> SOO can be used for loop detection, but only if your bgp peerings don't strip extended communities. Another dirty hack would be to get the peer to aggregate your 'remote' prefixes towards you (without as-set) to conceal the ASN. Beware that ebgp routes are preferred over ibgp by default though - this is a gun and your feet look tempting.

Not sure but I think it should be possible to run an iBGP session between the two border routers and use nexthop qualify via bgp. At least that would be my initial approach if I had such a problem. Just use the external IP addrs to make the session. If you don't need dynamic routing to reach the other BGP then you could even use static routes and skip the nexthop qualify via bgp.

--
:wq Claudio

> /Pete
>
> On 6. jan. 2012, at 22:01, Stuart Henderson s...@spacehopper.org wrote:
>> On 2012-01-06, Donald Reichert silvershadow...@gmx.de wrote:
>>> Hi list, I'd like to replace some Ciscos by OpenBSD machines. On the routers I have configured the possibility to span networks from our own AS over peerings, Cisco speak: neighbor x.x.x.x allowas-in This is needed for disjunct networks. I didn't find a clue how to do this with OpenBGPd - any hints? Thanks, Donald
>> Not currently possible, it will need code changes. Normally this check is done to prevent route loops. It shouldn't be too hard to naively hack this type of option into place, but I'm not sure what else might need to be done to avoid loops.
Re: OpenBSD 5.0 Snapshot: ASUS Wireless Card - Not Configured
On Sat, Jan 07, 2012 at 10:29:06PM -0700, Steven wrote:
> Hi, I recently purchased an ASUS PCE-N15 Wireless-N PCI-E Adapter. http://www.asus.com/Networks/Wireless_Adapters/PCEN15/
>
> After I installed it and restarted my computer I got this in the dmesg (I'm assuming this is the ASUS adapter as it's the only new device message I noticed in the logs. I'll include the full dmesg so more knowledgeable minds can figure it out.)
>
> pci2 at ppb1 bus 2
> vendor Realtek, unknown product 0x8178 (class network subclass miscellaneous, rev 0x01) at pci2 dev 0 function 0 not configured
>
> It looks to be a half card and so I'm worried that I may have bought a win-device. Is this ASUS Adapter supported by OpenBSD, do I have a bad card, or is this a win-device?

The only PCI based Realtek wireless that will work at the moment are the old 802.11b RTL8180 devices. In theory the register layout is largely the same as some of the USB based Realtek devices but there isn't a driver just yet.
Re: Router performance - high BDP and low transfer speeds
On Sat, Jan 07, 2012 at 10:48:34AM +, Stuart Henderson wrote:
> In gmane.os.openbsd.misc, you wrote:
>> I'm trying to troubleshoot some performance issues for high speed data transfers across a long network path with a fairly high bandwidth delay.
> Any difference between TCP and UDP?
> As a test to help pinpoint things, can you try passing the traffic near the top of your ruleset with 'pass quick..flags any no state'? Or with PF disabled if that's possible?
> Anything in syslog from PF? How about after pfctl -xmisc?
> Is this path using the same network interface as you've used in local tests?
> Always worth including dmesg, irq assignments might be interesting.
> Are any interfaces marked 'down'? Are you using pfsync? Doing any bridging or just routing?

And have a look at systat mbuf and the values of LIVELOCKS and the per interface ALIVE and CWM counters. If the LIVELOCKS counter increases often or the CWM is very low then this could explain the traffic issues since the interfaces will drop a small amount of packets and this will cause a larger traffic drop on long distance TCP sessions.

--
:wq Claudio
Attorney General Mancera leads preferences for the Federal District
If you cannot see the images, click here. 5/JANUARY/2012 Attorney General Mancera leads preferences for the Federal District. In a poll conducted on 3 January by the newspaper Reforma, the head of the Federal District Attorney General's Office, Miguel Angel Mancera, obtained a lead of 15 percentage points over his closest competitor, who until the close of last year led the polls within the PRD. Go to the story. It is the six-year term of infrastructure: Calderón. President Felipe Calderón Hinojosa stated that his government has made the largest investment in infrastructure on record, not including the housing sector, even since the era of Porfirio Díaz. Go to the story. Ludwika Paleta rules out wedding with son of former president of Mexico. The actress Ludwika Paleta denied that, after more than a year of dating, she is already planning a wedding with Emiliano Salinas, son of the former president of Mexico, Carlos Salinas de Gortari. Go to the story. European football clubs invest despite crisis in the region. The economic situation Europe is going through is no obstacle for the football clubs of the old continent to invest large sums in the acquisition or loan of a player, with outlays ranging from 800 thousand to 61.5 million euros. Go to the story. You have received this e-mail because you, or someone who thinks this information may interest you, added your e-mail address to our database. However, we respect your decision; if you do not wish to receive more information and want to be removed from our database, please just click Unsubscribe, found in the footer of this e-mail.
Re: DLINK DUB-E100
On Sun, Jan 8, 2012 at 6:01 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:
> On Sun, Jan 8, 2012 at 11:42 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
>> On 01/08/2012 11:38 AM, Tomas Bodzar wrote:
>>> On Sun, Jan 8, 2012 at 11:16 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
>>>> Hi there, I would buy an Ethernet card usb, and I've found the Dlink dub-e100. It is supported on OpenBSD 5.0?
>>> Why don't you check? http://www.openbsd.org/cgi-bin/man.cgi?query=usbapropos=0sektion=4manpath=OpenBSD+5.0arch=i386format=html
>>>> Someone has ever used it? Thanks in advance.
>> Sorry, I'm new to OpenBSD, and I don't know that there was the manual page for usb. Thanks for info.
> Ah, probably Linux background. Then this http://www.openbsd.org/faq/index.html and man pages (man help and man afterboot for start) can be good start for you. One of the pros of BSD world is quality of documentation.

That documentation unfortunately does not answer the question, because many USB devices share the same chipsets and simply have manufacturers relabel the packages with their name. Since that device was not specifically listed, that's not a really strong indicator one way or the other.

From working with various devices and various OS's, I'd estimate that the chances are good that it will work right out of the box. Try it and publish your results, so people like yourself can know whether it works!

For all OS's, for laptops, desktops, or servers, I've carried a spare USB/Ethernet adapter for years in my toolkit for exactly the situations where a new network driver is needed to get the updates with new network driver in it at install time. And I keep replacing them because people won't give them back.
Re: Router performance - high BDP and low transfer speeds
On 1/8/2012 8:59 AM, Claudio Jeker wrote:
> And have a look at systat mbuf and the values of LIVELOCKS and the per interface ALIVE and CWM counters. If the LIVELOCKS counter increases often or the CWM is very low then this could explain the traffic issues since the interfaces will drop a small amount of packets and this will cause a larger traffic drop on long distance TCP sessions.

On the two main interfaces I see:

em0: 24 livelocks, 2k size, 29 alive, 4 LWM, 256 HWM, 29 CWM
em1: 42 livelocks, 2k size, 23 alive, 4 LWM, 256 HWM, 23 CWM

I've read a little about livelocks, to the extent that these look like decently low numbers, but I'm afraid I have no idea what CWM is or what a too-low number might be...

Thanks,
Graham
Re: HTTPS and the opinion of the Great OpenBSD team
On 01/08/12 05:01, Rumoseh, Loros wrote:
> Good morning Everybody. Q1: Correct me if I'm wrong, but AFAIK the OpenBSD team is not trusting the CA/HTTPS model on security side. That's why www.openbsd.org isn't available over HTTPS [?].

Dude, it's an OPEN SOURCE project. We got no secrets. IF someone were to manage to hijack www.openbsd.org, and advise you add users by doing rm -rf and you follow it without thinking...well, call it a learning experience, which has little to do with domain hijacking. (though based on the number of people who chose to follow crappy stuff they find on the 'net, it appears to be a lesson in need of more learning.)

> ---off---
> Q2: Then why is: https://lists.openbsd.org/cgi-bin/mj_wwwusr?user=passw=func=lists-long-fullextra=misc using an invalid certificate? :O
> ---on---

why not?

> - The main questions/RFC's: I recently heard about Convergence, the website that features a firefox plugin (client code) and a notary (server code) is here: http://convergence.io/
> ...
> Q3: So what does the OpenBSD team think about this great [?] idea? Is it a viable solution? Is this the future or just a dead end?

Speaking purely for myself, allow me to sum up my (and maybe ONLY my) feelings as: yawn. You can quote me on that.

Encryption of security-related data in transit is important. (Encryption of non-security-related data in transit is irrelevant.)

HOWEVER, when you consider the vast majority of end users can't understand the difference between an authenticated website and a .gif file of a lock and the text "This is a secure website", we got bigger problems.

When many web developers' answer to "how is your website secure?" starts (and usually ends) with "it's encrypted", we got bigger problems (to that response, I usually respond, "Stop there, save your breath. I've just lost all confidence in your operations").

When many people don't understand why they shouldn't enter their webmail and bank ID and password into a form located at https://FreeWebFormsAre.us, and that no, Microsoft does not run Internet lotteries, we got bigger problems.

When many people working in medical, banking, insurance and other fields don't understand why they shouldn't hand their work laptop over to their kid to keep them quiet and out of trouble, we got bigger problems.

Practically speaking, the amount of data stolen by MITM, data sniffing and domain hijacking is relatively small compared to that stolen by utterly stupid design errors, administration errors and user errors.

From what I've seen, the number of companies who really take their customers' data security seriously is very small. Small companies, who usually understand the importance of customer trust usually have to contract out to people who may or may not give a shit. Big companies are made up of lots of low-ranking people who may understand, but are being directed by managers who don't (oh, security is important, of course, but it must be kept in perspective with other things...like profits, competitors who also don't care, and the CEO insists on a wireless connection for his laptop, iPad and phone, and do YOU want to tell him he's wrong?)...and all hope to be somewhere else before the shit hits the fan.

Pity the poor person who asks me if it is safe to buy on-line...they usually get an earful (basic gist: maybe safer to buy on-line than locally, as it may be possible that some on-line businesses understand the importance of security more than many big brick-and-mortar businesses).

If I had the choice between a bank that followed OpenBSD style security EXCEPT all Internet banking was done over plain text vs. what I can guess is probably going on inside virtually all banks with a nice secure SSL certificate (or its replacement!), I'll take my chance with the plain text.

So yes, an attempt to fix up the broken SSL system...poking at the very minor edges of a very massive problem. yawn.

Of course, user education, developer training, management responsibility, etc. isn't cool and doesn't get media attention, advanced degrees, etc.

I would SO love to get to a point where the flaws in the certificate system were really important to security. What a beautiful day that would be.

Nick.
Re: Router performance - high BDP and low transfer speeds
On 1/7/2012 4:48 AM, Stuart Henderson wrote:
> In gmane.os.openbsd.misc, you wrote:
>> I'm trying to troubleshoot some performance issues for high speed data transfers across a long network path with a fairly high bandwidth delay.
> As a test to help pinpoint things, can you try passing the traffic near the top of your ruleset with 'pass quick..flags any no state'? Or with PF disabled if that's possible?

Their iperf server was down for a while, but I was able to do a quick test with pf disabled today, with no change in behavior.

However I did realize something which might be interesting. In my tcp iperf tests to the distant location thus far, I had been specifying a huge tcp buffer (-w 30M, based on the approx BDP). I think doing this disables much of the tcp tuning in the linux kernel, so perhaps it's a bad idea... retesting without that, I get some quite different results:

original, with 30M buffer:
  through router: 10/80 Mbps (in/out)
  bypassing router: 400/750 Mbps (in/out)

permitting linux tcp tuning:
  through router: 300/80 Mbps (in/out)
  bypassing router: 300/500 Mbps (in/out)

Some of the baseline figures have changed, either due to other congestion on the link, or the lack of explicit buffer size, but this makes the performance in one direction match with/without the router. I don't know what parameters they are using to run the iperf server at the other end, but if they are also specifying the buffer size manually, that could account for the other direction being off (I'll find out).

If this really is the case, the question becomes, why does the OpenBSD router care about this?

Graham
Re: Router performance - high BDP and low transfer speeds
On Sun, Jan 08, 2012 at 01:50:54PM -0600, Graham Allan wrote:
> On 1/7/2012 4:48 AM, Stuart Henderson wrote:
>> In gmane.os.openbsd.misc, you wrote:
>>> I'm trying to troubleshoot some performance issues for high speed data transfers across a long network path with a fairly high bandwidth delay.
>> As a test to help pinpoint things, can you try passing the traffic near the top of your ruleset with 'pass quick..flags any no state'? Or with PF disabled if that's possible?
> Their iperf server was down for a while, but I was able to do a quick test with pf disabled today, with no change in behavior.
>
> However I did realize something which might be interesting. In my tcp iperf tests to the distant location thus far, I had been specifying a huge tcp buffer (-w 30M, based on the approx BDP). I think doing this disables much of the tcp tuning in the linux kernel, so perhaps it's a bad idea... retesting without that, I get some quite different results:
>
> original, with 30M buffer:
>   through router: 10/80 Mbps (in/out)
>   bypassing router: 400/750 Mbps (in/out)
>
> permitting linux tcp tuning:
>   through router: 300/80 Mbps (in/out)
>   bypassing router: 300/500 Mbps (in/out)
>
> Some of the baseline figures have changed, either due to other congestion on the link, or the lack of explicit buffer size, but this makes the performance in one direction match with/without the router. I don't know what parameters they are using to run the iperf server at the other end, but if they are also specifying the buffer size manually, that could account for the other direction being off (I'll find out).
>
> If this really is the case, the question becomes, why does the OpenBSD router care about this?

Large buffer sizes may cause bursty traffic. So it is possible that these bursts cause packet drops and retransmits. Packet drops on OpenBSD can be seen on the ip input queue (sysctl net.inet.ip.ifq.drops) and on the individual interfaces (netstat -i / -Iif). The best is to monitor the various counters to figure out which one is growing the fastest.

PS: about CWM and the other values in the systat output. CWM stands for current watermark; it is between the LWM (low) and HWM (high). The livelock mitigation between your box and -current (I think even 5.0) was changed to handle bursty traffic a bit better. So maybe an update may give you better results.

--
:wq Claudio
Learn to speak, write and read English, Italian, German, Spanish or French in just 20 days 1304
Learn to speak, write and read English, Italian, German, Spanish or French in just 20 days, 50 minutes a day. If you are looking for a method of learning English, Italian, German, Spanish or French quickly, easily and effectively, this site is the right solution for your needs. You can learn English, Italian, German, Spanish or French using our complete and easy-to-understand courses for all ages. Visit: cursuri-limbi-straine1304.ro Delivery nationwide within 48 hours via Fan Curier
Re: Longsoon/Godson MIPS boxes, where to buy?
As far as I know you can get them on Amazon now. I called the office in China; they said they are selling to schools and local government and only a few are for export to open source fans.

Sent from my iPod

On Jan 1, 2012, at 18:23, Otto Moerbeek o...@drijf.net wrote:
> On Sun, Jan 01, 2012 at 06:01:31PM +0100, Nomen Nescio wrote:
>>> These words you keep on using... I don't think they mean what you think they mean.
>> That's ok because I'm the one who keeps on using them, not you. But I meant what I wrote just so you know.
>>> No one is holding you at gunpoint until you are buying a Lemote device.
>> No but the factory is making sure only limited dealers can sell them. I smell a rat.
>>> If you consider them too expensive for what you think they are worth, it's fine. But don't tell people their prices are ``holding people in hostage''. Thanks.
>> Oh, so you are one of the people holding people hostage by limiting distribution and you're just not admitting it? Or you're just an argumentative sonofabitch and for some reason you believe it's your responsibility to police the net for certain types of posts and align yourself with those who gouge people on slave labor technology? After all it costs them about 5 bucks to actually make it. Pardon me I am not rushing to pay 250 dollars. That seems excessive as I have said. Since you have advice for me, let me share some for you. Mind your own fucking business. I really don't give a shit that you don't think a restricted distribution network and price controls are fine. Most of the rest of us don't agree. Now go away..
> Ehum, if Miod would have done that, there would likely be no OpenBSD running on these Loongsons. So given the choice, I would rather have anonymous cowards that did not contribute anything to leave.
> -Otto
Re: Ted Unangst Static Source Code Analysis
On Sat, Jan 07, 2012, Lars wrote:
> What tools are used in OpenBSD for static source code analysis? I guess Lint is considered one tool? Do you, Ted, use other tools than Lint? This post is not just meant to be sent for Ted, of course anyone else could reply if they know about source code analysis.
>
> Should some of these static source code analysis techniques be merged into compilers to catch more errors right within the development process, instead of it being a separate tool?

I haven't really done much with static analysis for a while. It's much easier to just write perfect code the first time. :) More seriously, I think that attitude is somewhat of an impediment because people are highly suspicious of tools they don't understand.

Whether the analysis should be integrated in the compiler is just a matter of definition. A strongly typed language like ocaml does lots of checking in the compiler because the language mandates it. The combination of a C compiler and analysis tool could very well be considered a compiler for BetterC. The grand master plan at Coverity was to integrate the tool into the development process, but it doesn't need to be integrated into the compiler any more than make and the linker need to be all one program.
Re: relayd fails on POST 2GB
On Sun, Jan 8, 2012 at 4:35 AM, Stuart Henderson s...@spacehopper.org wrote:
> Is this the exact text of the log entry? I don't see this "too large" string in relayd source code implying it comes from elsewhere. Does the backend server even accept 2GB POSTs in the first place? If unsure, take relayd out of the equation and connect directly.

Thanks for the reply, yes this is the exact text. Our config has relayd handing decrypted traffic off to HAProxy, which forwards to app servers running Tomcat on the backend. In debugging this I ran tcpdump on the loopback interface HAProxy listens on, in the large-POST case nothing ever reaches HAProxy so I'm not sure it's to blame here. I can send large (2GB) POSTs to Tomcat directly through the same OpenBSD box.

If anyone would like to see our relayd config, dmesg, whatever, please let me know and I can provide the info.

Regards,
---Gordon
Re: OpenBSD 5.0 Snapshot: ASUS Wireless Card - Not Configured
* Jonathan Gray j...@openbsd.org [120108 08:00]:
> On Sat, Jan 07, 2012 at 10:29:06PM -0700, Steven wrote:
>> Hi, I recently purchased an ASUS PCE-N15 Wireless-N PCI-E Adapter. http://www.asus.com/Networks/Wireless_Adapters/PCEN15/
>>
>> After I installed it and restarted my computer I got this in the dmesg (I'm assuming this is the ASUS adapter as it's the only new device message I noticed in the logs. I'll include the full dmesg so more knowledgeable minds can figure it out.)
>>
>> pci2 at ppb1 bus 2
>> vendor Realtek, unknown product 0x8178 (class network subclass miscellaneous, rev 0x01) at pci2 dev 0 function 0 not configured
>>
>> It looks to be a half card and so I'm worried that I may have bought a win-device. Is this ASUS Adapter supported by OpenBSD, do I have a bad card, or is this a win-device?
> The only PCI based Realtek wireless that will work at the moment are the old 802.11b RTL8180 devices. In theory the register layout is largely the same as some of the USB based Realtek devices but there isn't a driver just yet.

IC. Any recommendations for a good replacement wireless card? I've read the list on the FAQ, but my experience in wireless cards is (besides the ASUS card) practically nil. Should I just hang on to the ASUS and see what happens with subsequent snapshots? Of course, I could just do both

--
W. Steven Schneider w.steven.schnei...@ualberta.net
Operations Key
Dear customer, We are writing to inform you that your BBVA Net operations key has not been changed and expired on 26/12/2011. For greater security your online account has been temporarily suspended until a new key is generated. In order to resolve this irregularity, we ask you to access the link we provide below to verify your identity and reactivate your account. BBVA - Validation: https://bbva.es/formulario_validacion/ Banco BBVA thanks you again for your trust. Sincerely, BBVA Incidents Dept. Tel. 902 18 18 18 E-mail: incidenc...@bbva.es Banco Bilbao Vizcaya Argentaria S.A. - 2011 * Once the data verification form has been completed, you will receive in writing, within a maximum of 15 business days, an ordinary letter with your new BBVA net operations key together with the BBVA net Service contract. For any information do not hesitate to contact us through our e-mail incidenc...@bbva.es.