Re: ED25519 SSHFP in OpenSSH IETF

[Simon Perreault]

Le 2014-04-09 12:47, Loganaden Velvindron a écrit :
 This situation is rather unusual, and that makes me wonder what's 
 exactly going on there, as I believe that we've done our homework
 correctly.

UNUSUAL??? The IETF is notorious for its incredible delays. The
situation is typical IMHO.

Nobody in IETF is accountable for anything, so you rely on people's good
intentions. You need to poke the right people, and poke them again, and
poke someone who will know how to poke them, etc. etc. etc.

 Maybe the OpenSSH community needs to get involved, so that we can
 get work done :-) ?

If by get involved you mean swamping the IETF powers that be with
email, that would the wrong way to do it.

SM knows how to navigate the IETF waters. Let him do his job.

Simon

Re: PF rule for transparent siproxd ?

[Simon Perreault]

I don't know the direct answer to your question, but taking a step back...

Any reason you want a transparent SIP proxy rather than an
explicitly-configured SIP B2BUA? The latter is usually much easier to
set up and maintain.

Simon
-- 
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: NAT reliability in light of recent checksum changes

[Simon Perreault]

Le 2014-01-27 21:21, Geoff Steckel a écrit :

It would be good if when data protected by a checksum is modified,
the current checksum is validated and some appropriate? action is done
(drop? produce invalid new checksum?) when proceeding.


This is exactly what's being done. Don't you listen when Henning speaks?

Simon

Re: NAT reliability in light of recent checksum changes

[Simon Perreault]

Le 2014-01-28 03:39, Richard Procter a écrit :

In order to hide payload corruption the update code would
have to modify the checksum to exactly account for it. But
that would have to happen by accident, as it never considers
the payload. It's not impossible, but, on the other hand,
checksum regeneration guarantees to hide any bad data.
So updates are more reliable.


This analysis is bullshit. You need to take into account the fact that 
checksums are verified before regenerating them. That is, you need to 
compare a) verifying + regenerating vs b) updating. If there's an 
undetectable error, you're going to propagate it no matter whether you 
do a) or b).


Simon

Re: NAT reliability in light of recent checksum changes

[Simon Perreault]

Le 2014-01-28 12:45, Stuart Henderson a écrit :

This analysis is bullshit. You need to take into account the fact that
checksums are verified before regenerating them. That is, you need to
compare a) verifying + regenerating vs b) updating. If there's an
undetectable error, you're going to propagate it no matter whether you
do a) or b).


Checksums are, in many cases, only verified *on the NIC*.

Consider this scenario, which has happened in real life.

- NIC supports checksum offloading, verified checksum is OK.

- PCI transfers are broken (in my case it affected multiple machines
of a certain type, so most likely a motherboard bug), causing some
corruption in the payload, but the machine won't detect them because
it doesn't look at checksums itself, just trusts the NIC's rx csum
good flag.

In this situation, packets which have been NATted that are corrupt
now get a new checksum that is valid; so the final endpoint can not
detect the breakage.

I'm not sure if this is common enough to be worth worrying about
here, but the analysis is not bullshit.


You're right. I was in the rough, sorry, and thanks for the explanation. 
I don't think this scenario is worth worrying about though.


Simon

Re: NAT reliability in light of recent checksum changes

[Simon Perreault]

Le 2014-01-25 14:40, Richard Procter a écrit :

I'm not saying the calculation is bad. I'm saying it's being
calculated from the wrong copy of the data and by the wrong
device. And it's not just me saying it: I'm quoting the guys
who designed TCP.


Those guys didn't envision NAT.

If you want end-to-end checksum purity, don't do NAT.

Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-25 07:45, chrisbenn...@bennettconstruction.us a écrit :

I have two very old IP print servers that work just fine.
You just have to flip those 4 tiny little switches to get access
to program them over IP. Can I get another tiny switch to add IPv6?


You could just map an IPv6 address to them using pf's af-to keyword:

pass in inet6 to 2001:db8::1 af-to inet from 192.0.2.1 to 192.0.2.2

Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-25 00:20, Constantine A. Murenin a écrit :

No dual-stacking is
provided; in their slides from [0], T-Mobile USA claims that IPv6-only
with NAT64/DNS64 is cheaper than dual-stack with NAT44.


Yes. I forgot to mention another reason why the 3GPP folks like NAT64: 
most 3GPP equipment vendors charge ISPs by the number of PDP contexts. 
Currently deployed equipment can not do dual-stack PDP contexts. So if 
you want to provide dual-stack to your customers, you need to provide 
them each with two single-stack PDP contexts, which doubles the amount 
you end up paying in license fees to equipment vendors.


That's going to change in the medium term when new equipment capable of 
dual-stack PDP contexts gets deployed. But in the short term, NAT64 
looks very attractive.


Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

One use case: ISP who wants to provide IPv4+IPv6 to customers, but does 
not have enough IPv4 addresses for everyone, so has to NAT anyway, and 
wants to simplify the operation of its edge network by running only one 
protocol.


Quite popular with 3GPP folks since they have zillions of customers and 
are already NATing them in IPv4-only, and their handsets all run 
applications coded in a high-level language like Java and therefore 
support IPv6 by default. The notable exception being Skype...


As soon as you provide IPv6, you have a huge chunk of your traffic that 
is IPv6: Google, Facebook, Youtube, Akamai, etc. So NAT64 is only used 
for the remaining mom and pop shops, and www.openbsd.org. And that 
fraction of IPv4-only hosts is diminishing and all signs point to that 
trend continuing.


So these 3GPP providers can go from NAT everything to NAT a little 
by deploying NAT64. Why would anyone in their right mind not consider that?


Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 14:25, Kurt Mosiejczuk a écrit :

The one use I could think of us to make your internal network
independent of your ISP.  Right now, if you change ISPs, your network
prefix changes and your whole network has to be renumbered.

I read about it in the following article earlier this year.
http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/

I'd be happy to have it pointed out to me how the article is wrong, but
it seemed to point out the ugly corners the IPv6 folks don't talk about.


What you need to multihome is either BGP or NAT. Exactly as in IPv4. 
Nothing has changed. The only new thing with IPv6 is that there's more bits.



However, with more bits you have the possibility of using a nicer form 
of NAT in that statelessly maps one prefix to another:


http://tools.ietf.org/html/rfc6296


And here's a draft with more info on how to apply it to multihoming:

http://tools.ietf.org/html/draft-bonica-v6-multihome-03


Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 14:54, Claudio Jeker a écrit :

But less PI space. Since some evangelists belive in the superiority of
IPv6 and try everything to make it impossible to get routable PI space.
At the moment IPv6 is a step backwards in all regards.


Wait wait wait... what RIR doesn't take multihoming as a valid 
justification for getting IPv6 PI space?


Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 15:29, Barbier, Jason a écrit :

Well expanding on the address space and numbering issue, that would be a
valid use for NAT but I honestly think it would be better to actually try
and fix that before trying to put a hack over the top of it.


I'm going to wait a long time for a firmware update that makes my 
IPv4-only printer speak IPv6.


Simon


On Wed, Oct 24, 2012 at 12:24 PM, Peter Hesslerphess...@theapt.org  wrote:


You have IPv4 only applications, that need to talk with the IPv6 internet.

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 15:38, Barbier, Jason a écrit :

I'm going to wait a long time for a firmware update that makes my
IPv4-only printer speak IPv6.


Well man there are several stable implementations of 4 to 6 and 6 to 4
bridges.


I don't know what kind of bridges you're talking about, but I'll 
assume that pf's NAT64 implementation is one of them.


Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 15:59, Paul de Weerd a écrit :

On Wed, Oct 24, 2012 at 03:42:52PM -0400, Simon Perreault wrote:
| Le 2012-10-24 15:38, Barbier, Jason a ?crit :
| I'm going to wait a long time for a firmware update that makes my
| IPv4-only printer speak IPv6.

Even if it did, would you trust that stack on the global (v6)
internet ?


No, I was thinking of a v6 LAN.


| Well man there are several stable implementations of 4 to 6 and 6 to 4
| bridges.
|
| I don't know what kind of bridges you're talking about, but I'll
| assume that pf's NAT64 implementation is one of them.

I think he means lpr listening on v6 and pushing out to the v4 address
on the other end.

There's no need for extra shit to do what has been possible for years.


Of course you can do it at any layer you want. There's also faithd if 
you want to do it at layer 4. I prefer my translations to be done at 
layer 3, thank you very much.


Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 16:30, Claudio Jeker a écrit :

With IPv6 multihoming should work trivially: plug two access lines into
a switch, get RAs from both, get addresses from both on your end-host,
and your end-host needs to select the proper route for each source
address. Again, no NAT or BGP. Applications will need to support hosts
having multiple addresses in the future, and happy eyeballs seems to
have made browsers do that.


Ha ha ha ha, this will work for a single host but how will you manage
multiple ones. Bonus question, how do you think the host router with no
knowledge of the underlying network topology will choose a route?
This setup is one of the biggest mistakes made in IPv6.


Careful. What he's talking about is his own proposal, not what IPv6 is.

Simon

Re: Why anyone in their right mind would like to use NAT64

[Simon Perreault]

Le 2012-10-24 15:12, Jussi Peltola a écrit :

On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:

What you need to multihome is either BGP or NAT. Exactly as in IPv4.
Nothing has changed. The only new thing with IPv6 is that there's
more bits.


Oh? I have two internet connections plugged directly into my desktop box
at home, it is multihomed and there is no BGP or NAT. This does need
some policy routing to work with uRPF filtered access lines.

With IPv6 multihoming should work trivially: plug two access lines into
a switch, get RAs from both, get addresses from both on your end-host,
and your end-host needs to select the proper route for each source
address.


Source-based routing is arguably not multihoming, depending on your 
definition of multihoming. It's not new to IPv6 either.



Again, no NAT or BGP. Applications will need to support hosts
having multiple addresses in the future, and happy eyeballs seems to
have made browsers do that.

There is also a considerable advantage against multihoming where hosts
only have 1 address configured: if the application tries to use all
source addresses available,


Oh, that's the new thing you're proposing: happy eyeballs on source 
addresses. Interesting...



you can get to google even if one of your
access lines has no connectivity to them; with BGP multihoming you will
not,


If you can't trust the routes you receive over BGP, you're kinda screwed 
anyway.


Simon

Re: [OpenBGPd = Cisco] error in OPEN message, unknown subcode 8

[Simon Perreault]

Le 2012-10-10 06:13, Laurent CARON a écrit :

On my side I do have 2 OpenBSD (OpenBGPd) boxes.


What versions?


In my logs I do observe this:


A pcap dump would be useful...


Oct  9 09:44:40 bgpgw-003 bgpd[17498]: neighbor 193.105.232.181 
(pv4_gw-003_to_ISC): state change Idle - Connect, reason: Start
Oct  9 09:44:40 bgpgw-003 bgpd[17498]: neighbor 193.105.232.181 
(pv4_gw-003_to_ISC): state change Connect - OpenSent, reason: Connection opened
Oct  9 09:44:40 bgpgw-003 bgpd[17498]: neighbor 193.105.232.181 
(pv4_gw-003_to_ISC): received notification: error in OPEN message, unknown 
subcode 8


FYI, subcode 8 has not yet been assigned by IANA:
http://www.iana.org/assignments/bgp-parameters/bgp-parameters.xml#bgp-parameters-6

...but it is defined in a new draft:
http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-07#section-5

 8 - Grouping Conflict - values of capability codes used in
 Session Id of the received message cannot be unambiguously
 mapped to a locally configured group

That should provide enough clue to be able to dig at the right place...

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: [OpenBGPd = Cisco] error in OPEN message, unknown subcode 8

[Simon Perreault]

Le 2012-10-10 11:51, Laurent CARON a écrit :

A pcap dump would be useful...


Here it is:
http://elfe.lncsa.com/get?k=5Rya5Acaq26TqJ9MXG


The pcap shows that the Cisco box is refusing your OPEN message. It 
doesn't like it for some reason. You need to figure out why. Probably 
because of the way it's configured. I see no reason to blame either side 
so far.


Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: SSI

[Simon Perreault]

Le 2012-09-27 16:04, Brian Empson a écrit :

Has there been/are there plan to include some SSI functionality for BSD?


Try mod_include.

Doc here: http://httpd.apache.org/docs/1.3/mod/mod_include.html

Simon

Re: How to PROVE your system is up to date?

[Simon Perreault]

Le 2012-09-18 12:36, Ed Flecko a écrit :

I have State and Federal regulators that want me to PROVE (since their
only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
date, and there are no outstanding patches that need to be applied.
*I* know that's the case, because I follow the patch branch, but how
do I show (i.e., something I could print for them would be best) them
my system is up to date and that all patches have been applied???


Ask them what they would consider acceptable?

This is fuzzy stuff. They're not looking for a math-style proof. They 
need to ensure you're following best practices. So ask them what they 
want, then give it to them.


My two cents (Canadian)...

Simon

Re: pf change state's altq queue

[Simon Perreault]

Le 2012-09-17 11:57, Ted Unangst a écrit :

Here's the background.  My cable ISP has this turbo boost thing
where the first ~2 seconds of a connection download at 50Mbps, then
it's throttled back to 20Mbps.  I want to do this in pf (differentiate
casual web browsing from long downloads).

My first thought is I need to set up two altq queues, one full speed
and one half speed. [...]

Alternatively, any way to accomplish the same thing would be good.


I probably have missed something obvious... Why don't you just use hfsc?

Simon

Re: pf change state's altq queue

[Simon Perreault]

Le 2012-09-17 13:19, Ted Unangst a écrit :

I probably have missed something obvious... Why don't you just use hfsc?


I want the queue to change based on the length of time (or data) the
connection has been around.  All of my traffic is going to be coming
from port 80, so there's way to identify to long connections vs short
connections in pf.


Isn't that the point of hfsc? From pf.conf(5):


 The hfsc scheduler supports some additional options:

linkshare sc  The bandwidth share of a backlogged queue.
realtime sc   The minimum required bandwidth for the queue.
upperlimit sc The maximum allowed bandwidth for the queue.

 sc is an abbreviation for service curve.

 The format for service curve specifications is (m1, d, m2).  m2 controls
 the bandwidth assigned to the queue.  m1 and d are optional and can be
 used to control the initial bandwidth assignment.  For the first d
 milliseconds the queue gets the bandwidth given as m1, afterwards the
 value given in m2.


Just define m1, d, and m2 according to your needs...

I must be missing something obvious...

Simon

Re: problem setting inet6 route

[Simon Perreault]

Le 2012-09-04 02:13, Remi Locherer a écrit :

I now got an answer from Hetzner:
- I'm not allowed to use an address from the gateway subnet. They will
   block my traffic if I'm using such an address
- They recommend that I configure a /59 prefix. In my opinion this makes
   no sense. I now configured a /63 prefix which contains my subnet and
   the gateway subnet (this works).

They did not explain how their gateway is configured to send traffic to
my host without configuring a specific address on my host.


This is broken.

I tried to give them benefit of the doubt, but they're just clueless.

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: problem setting inet6 route

[Simon Perreault]

(I rearranged your email: provider info at the top, your actions at the 
bottom.)


Le 2012-08-31 03:19, Remi Locherer a écrit :

I rented a server from Hetzner where I installed OpenBSD 5.1. Hetzner also
provides IPv6 but somehow with a strange setup. I got something like the
following from them:

Gateway Address: 2001:db8:1:1110::1/64
Subnet I can use: 2001:db8:1:/64

For Linux they give these instructions:
linux# ip route add 2001:db8:1:1110::1 dev eth0
linux# ip route add default via 2001:db8:1:1110::1


I would understand this to mean:

a---[You]---b---[Them]---Internet

a = 2001:db8:1:::/64
b = 2001:db8:1:1110::/64

You on a = 2001:db8:1:::whatever
You on b = 2001:db8:1:1110::whatever except 1
Them on b = 2001:db8:1:1110::1

If you don't need a, don't configure it.


If I now assign for example 2001:db8:1::1/64 to the interface on my
server it doesn't let me set the default gateway becaus it's not in the
same subnet:

openbsd# ifconfig rl0 inet6 2001:db8:1::/64
openbsd# route add -inet6 default 2001:db8:1:1110::1
route: writing to routing socket: Network is unreachable
add net default: gateway 2001:db8:1:1110::1: Network is unreachable

I tried:
openbsd# route add -inet6 -iface 2001:db8:1:1110::1 2001:db8:1:::1
openbsd# route add -inet6 default 2001:db8:1:1110::1

But now it's not possible to ping6 2001:db8:1:1110::1 or any other IPv6
address.


Yeah that's all wrong. Assuming that rl0 is on network b, try:

ifconfig rl0 inet6 2001:db8:1:1110::2
route add -inet6 default 2001:db8:1:1110::1

Simon

Re: problem setting inet6 route

[Simon Perreault]

Le 2012-08-31 10:52, Remi Locherer a écrit :

Gateway Address: 2001:db8:1:1110::1/64
Subnet I can use: 2001:db8:1:/64

For Linux they give these instructions:
linux# ip route add 2001:db8:1:1110::1 dev eth0
linux# ip route add default via 2001:db8:1:1110::1


I would understand this to mean:

a---[You]---b---[Them]---Internet


Right except there is no network a. On [You] there is only one
interface (rl0).


So? It allows you to create such a network a. That's the point.

You don't need a physical interface. There are many kinds of network 
interfaces that you can create yourself (loopback, tunnels, etc.). Have 
some imagination.



a = 2001:db8:1:::/64
b = 2001:db8:1:1110::/64

You on a = 2001:db8:1:::whatever
You on b = 2001:db8:1:1110::whatever except 1
Them on b = 2001:db8:1:1110::1

If you don't need a, don't configure it.


If I now assign for example 2001:db8:1::1/64 to the interface on my
server it doesn't let me set the default gateway becaus it's not in the
same subnet:

openbsd# ifconfig rl0 inet6 2001:db8:1::/64
openbsd# route add -inet6 default 2001:db8:1:1110::1
route: writing to routing socket: Network is unreachable
add net default: gateway 2001:db8:1:1110::1: Network is unreachable

I tried:
openbsd# route add -inet6 -iface 2001:db8:1:1110::1 2001:db8:1:::1
openbsd# route add -inet6 default 2001:db8:1:1110::1

But now it's not possible to ping6 2001:db8:1:1110::1 or any other IPv6
address.


Yeah that's all wrong. Assuming that rl0 is on network b, try:

ifconfig rl0 inet6 2001:db8:1:1110::2
route add -inet6 default 2001:db8:1:1110::1


This works. But I have to figure out (ask Hetzner) if I'm the only
customer they use 2001:db8:1:1110::/64 (I think so).


If not it would mean there are multiple customers on network b. That 
would be somewhat unusual.



Also over their web interface they only offer me to create DNS entries
for 2001:db8:1:::/64.


This make total sense. Just assign yourself an address from that prefix, 
e.g. on the loopback interface.


Simon

Re: More sensible and consistent rc.conf.local

[Simon Perreault]

Le 2012-08-29 09:57, Mikkel Bang a écrit :

If OpenBSD was on Git / at GitHub, youngins like me would have patched
this baby up a long time ago.


Sadly, a good argument against moving to Git.

Simon

Re: IPv6, OpenBSD and .. Mac OS X Lion

[Simon Perreault]

On 07/12/2012 02:41 PM, Tor Houghton wrote:

On Thu, Jul 12, 2012 at 12:32:52PM -0500, Mark Felder wrote:

That's odd... I swear my wife's macbook has had functional IPv6 for
quite a while... unless the recent Lion update nuked it and I didn't
notice?

Please report your findings -- I'd love to fix this at home if it's broken.



I'm still looking; wide-dhcp6 is running, but Lion is not playing ball.


FYI, it works for us over here. OpenBSD router running rtadvd, Macs 
running default config. Never needed to do anything special on the Macs. 
Just defaults everywhere.


Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: simple PF rule? redirect port without touching address

[Simon Perreault]

On 2012-07-09 10:17, Stuart Henderson wrote:

On 2012-07-09, Fil DiNotofdin...@gmail.com  wrote:

But i was wondering if I could achieve something that would work for
ALL the addresses behind the router as well without creating
individual rules for each address. Something like this:

pass in on egress proto tcp from $location1 to any port ssh rdr-to
(original destination IP) port XXX22


nope. easiest option for this is probably a userland proxy.
not sure but I reckon relayd can probably do it.


Not even with a bitmask pool?

pass ... rdr-to 0.0.0.0/0 port XXX22 bitmask

Simon

Re: OpenBSD as IPv4+6 gateway

[Simon Perreault]

On 2012-06-21 22:00, Hugo Osvaldo Barrera wrote:

On 2012-06-21 17:22, Simon Perreault wrote:

On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:

I have read a great deal regarding IPv6  and IIRC, if I subnet my
network block, my ISP would have to know it has to route traffic to that
subnet through the WAN IP address of my router.


Yes. If they don't allow that, then they don't know what they are doing.
You're not supposed to assign a /48 to a single link. A single link gets
a /64.


But how would they know though which single IP to route the rest of the
subnets?

I mean, if I assign:
2800:40:402:::1/64 to my router's WAN interface
(2800:40:402::: is it's default gateway)
2800:40:402::1/64 to it's LAN interface
2800:40:402::2/64 to one of my clients

Doesn't my ISP need to know that traffic to 2800:40:402::1 should be
routed through 2800:40:402:::1?


Yes. They need to tell you the address. Call and ask them.

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: OpenBSD as IPv4+6 gateway

[Simon Perreault]

On 2012-06-22 09:13, Mark Felder wrote:

All someone out on the 'net needs to do
is scan up through
your address space on the link as quickly as possible, sending single
packets at
all the non-existent addresses on the link, and watch as your router
CPU starts
to churn keeping track of all the neighbor discovery messages, state
table
updates, and incomplete age-outs.


With the link configured as a /126, there's
a very small limit to the number of neighbor discovery messages, and
the amount
of state table that needs to be maintained and updated for each PtP link.



Yeah, I think we'll stick with our /126s.


This is ridiculous. You should be allocating all your PtP links out of a 
single prefix protected by an ACL at your border. All packets to the PtP 
prefix need to be dropped. You should be doing this no matter the size 
of your PtP links. The attack is impossible with good operational practices.


Simon

Re: OpenBSD as IPv4+6 gateway

[Simon Perreault]

On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote:

My assigned block is  2800:40:402::0/48
My default gateway is 2800:40:402::: (it's inside my assigned
block).


Hugo,

Friendly suggestion: read a book on IPv6. If you had understood the 
above information, you wouldn't be talking about bridging. This makes 
me think that your question isn't about OpenBSD, it is about IPv6. You 
need to understand IPv6 first, and then when you know exactly what you 
want on a protocol level you can come back and ask how to do it in OpenBSD.


Simon

Re: Learning C Programming

[Simon Perreault]

On 2012-06-21 15:21, Juan Francisco Cantero Hurtado wrote:

Some good or bad comments about Deitel's C How to program?
http://www.deitel.com/Books/C/CHowtoProgram7e/tabid/3635/Default.aspx


The worst book on C programming I've ever read.

No, scratch that.
The worst book on programming I've ever read.

No, it's worse.
The worst book I've ever read. All categories.

Simon

Re: OpenBSD as IPv4+6 gateway

[Simon Perreault]

On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:

I have read a great deal regarding IPv6  and IIRC, if I subnet my
network block, my ISP would have to know it has to route traffic to that
subnet through the WAN IP address of my router.


Yes. If they don't allow that, then they don't know what they are doing. 
You're not supposed to assign a /48 to a single link. A single link gets 
a /64.



The alternative would be to proxy ndp and have OpenBSD forward packets,
yet I don't see a way to proxy an entire subnet using ndp.


Right, because you shouldn't do that, especially in IPv6 with the 64 
bits of addressing for a single subnet.



Am I missing something perhaps?


Call the support and ask them for the missing information?

You're definitely not supposed to bridge.

Simon

Re: pf and ICMP in asymmetric routing setups

[Simon Perreault]

On 2012-06-12 14:08, Bernd wrote:

I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the
routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I
thought it to be that way), which itself doesn't really create problems.
However, I see problems with ICMP. pf seems to drop all but the first
response from any of the hosts within our network (seen from the Internet).

Any idea how to deal with this? As soon as I turn off pf, everything
runs smoothly.


Without having the details of your setup, the big principle is: pf is 
stateful (by default). Statefulness doesn't play well with asymmetric 
routing. I'm sure if you investigate a little bit more you'll discover 
it's not limited to ICMP.


In the end the solution will be one of: remove statefulness, avoid 
asymmetric routing, or share state with pfsync.


My two cents: try to avoid statefulness on core routers. Move stateful 
elements to the edge, where routing is symmetric.


Simon

Re: pf and ICMP in asymmetric routing setups

[Simon Perreault]

On 2012-06-12 15:55, Bernd wrote:

What might be the easiest solution to have pf not care about states any
longer -- using 'keep state sloppy'? Or disabling statefulness entirely
(how?)?


If you don't need it, just disable pf. echo pf=NO /etc/rc.conf.local

Sloppy tracking could work. Also check out flags any.

Tagging no state at the end of each rule could incur a performance hit 
because the rule set will need to be traversed for each packet instead 
of relying on the state table. Only do it if performance doesn't matter 
or you have few rules. I would definitely try it for the kind of 
coarse-grain ACL we usually see on core routers, i.e. a single pass rule 
with a table of allowed source/destination addresses.


Simon

Re: setsockopt question

[Simon Perreault]

On 2012-06-10 11:26, Peter J. Philipp wrote:

+   if (setsockopt(udp[i], IPPROTO_IPV6,
+   IPV6_HOPLIMIT,on, sizeof(on))  0) {


s/IPV6_HOPLIMIT/IPV6_RECVHOPLIMIT/

RFC 3542 for more info.

Simon

Re: OpenBSD mailing lists demime in an ascii world

[Simon Perreault]

On 2012-06-04 19:10, Jérémie Courrèges-Anglas wrote:

AFAIK SMTP without MIME can only transport ASCII.


Sure, but shear.ucar.edu advertizes 8BITMIME, the only problem here is
demime.


8BITMIME is useless. It only allows SMTP to transport arbitrary 8-bit 
content. It still doesn't allow you to specify a character set other 
than ASCII. So what are you going to do with this extra bit? Unless you 
can communicate the character set, you're still pretty much stuck with 
ASCII. You need MIME, with its Content-Type header, to be able to 
specify a character set other than ASCII.


8BITMIME is an optimization to allow bodies to be encoded more 
efficiently, using 8 bits instead of 7. But you need an 8-bit character 
set in order to benefit from it.


Simon

Re: OpenBSD mailing lists demime in an ascii world

[Simon Perreault]

While what I wrote below is true, I didn't understand correctly the 
problem with demime. I thought it properly demimed the message, 
including the headers. Turns out it just stupidly and brokenly mangled 
the body. And it looks like the problem is fixed now. Yay!


Simon

On 2012-06-05 08:39, Simon Perreault wrote:

On 2012-06-04 19:10, Jérémie Courrèges-Anglas wrote:

AFAIK SMTP without MIME can only transport ASCII.


Sure, but shear.ucar.edu advertizes 8BITMIME, the only problem here is
demime.


8BITMIME is useless. It only allows SMTP to transport arbitrary 8-bit
content. It still doesn't allow you to specify a character set other
than ASCII. So what are you going to do with this extra bit? Unless you
can communicate the character set, you're still pretty much stuck with
ASCII. You need MIME, with its Content-Type header, to be able to
specify a character set other than ASCII.

8BITMIME is an optimization to allow bodies to be encoded more
efficiently, using 8 bits instead of 7. But you need an 8-bit character
set in order to benefit from it.

Simon



--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: OpenBSD mailing lists demime in an ascii world

[Simon Perreault]

On 2012-06-02 13:19, JC)rC)mie CourrC(ges-Anglas wrote:

As you'll see in my signature above, 8 bit characters are mangled on
OpenBSD mailing lists. Not that I care much, but passing the demime perl
script a ''-8'' argument would be enough to solve that (if that is
desired).


AFAIK SMTP without MIME can only transport ASCII.

Simon

Re: SMTP server pools at odds with the RFC?

[Simon Perreault]

On 2012-06-04 06:06, David Diggles wrote:

I was just thinking surely resending from a different IP breaks the RFC for 
SMTP?

Then I did some googling, and found this.
http://bsdly.blogspot.com.au/2008/10/ietf-failed-to-account-for-greylisting.html


Not only is greylisting fine from a protocol point of view (as others 
have pointed out), the IETF is also well aware of it. This is about to 
become an RFC:

http://tools.ietf.org/html/draft-ietf-appsawg-greylisting

Abstract

   This document describes the art of email greylisting, the practice of
   providing temporarily degraded service to unknown email clients as an
   anti-abuse mechanism.

   Greylisting is an established mechanism deemed essential to the
   repertoire of current anti-abuse email filtering systems.

Simon

Re: OpenBSD in April's issue of the CACM

[Simon Perreault]

On 2012-05-29 19:40, Theo de Raadt wrote:

http://www.freebsd.org/news/status/report-2011-10-2011-12.html#The-New-CARP

Look at that last entry about talking to IANA!


The entry in question is:
4. Work with IANA to get an official protocol number. gnn@ to handle.

This shows ignorance about how IANA works. You cannot work with IANA. 
IANA is a clerk. It maintains registries. It is a bookkeeping job. It 
cannot make decisions of its own.


The IETF, and its steering group the IESG, are the ones who lay down the 
rules that IANA must obey.


Protocol numbers are maintained at:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

The important bit is the Registration Procedures, which are:
IESG Approval or Standards Action

These terms are defined here:
http://tools.ietf.org/html/rfc5226#section-4.1

  IESG Approval - New assignments may be approved by the IESG.
Although there is no requirement that the request be
documented in an RFC, the IESG has discretion to request
documents or other supporting materials on a case-by-case
basis.

  Standards Action - Values are assigned only for Standards Track
RFCs approved by the IESG.

See also this RFC which specifically applies to protocol-numbers:
http://tools.ietf.org/html/rfc5237

Even though the IESG Approval route may look easier, in practice it is 
exceptional for registrations to go through this path. There needs to be 
some justification for not writing an RFC, usually based on urgency. In 
the present case I don't see how they could present such a justification.


Simon

Re: Recent BIND ports

[Simon Perreault]

Le 12-05-25 06:24, Kostas Zorbadelos a icrit :

Henning Brauerlists-open...@bsws.de  writes:


* Kostas Zorbadeloskzo...@otenet.gr  [2012-05-25 10:06]:

from all relevant discussions I have seen it seems that BIND in base
will not be updated to a newer version and unbound has a good chance to
be the replacement. The thing is, we need a newer version of BIND for
resolving (at least 9.7, preferably 9.8 or in the future 9.9).


purely out of curiosity: why?


filter--on-v4 (9.7+) (needed now)


purely out of curiosity: why?

Re: Recent BIND ports

[Simon Perreault]

On 2012-05-25 15:14, Kostas Zorbadelos wrote:

filter--on-v4 (9.7+) (needed now)


purely out of curiosity: why?


Crude workaround for increased levels of IPv6 brokeness in our networks
(aka CPE with broken firmware). Needed until the proper solution is
given.


Interesting, thanks.


In any case, if any possible option was already available there would be
no need for new BIND versions, or any other software, right?


Unbound is replacing BIND in OpenBSD for increased betterness. Stay tuned...

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: Recent BIND ports

[Simon Perreault]

On 2012-05-25 15:33, Kostas Zorbadelos wrote:

Yes, I have understood that. The question remains: what do you think of
ports for recent BIND versions?


I am running a hand-compiled BIND 9.9 right now for the DNS64 feature. 
I'd like to have an up to date port. I don't one to contribute, so I 
shut up and endure.



PS: Initial tests with Nominum's resperf tool are not encouraging. My
guess is that it has to do with the lack of threading support
(in-kernel) for OpenBSD 5.1. Situation could be improved with the coming
rthreads? Of course this is a subject of a different thread when I have
more test data.


I'd guess that rthreads will play a big role, but this is only a guess.

Simon

Re: Watchdog timeout reset in 5.1 on intel nic:s

[Simon Perreault]

On 2012-05-11 04:15, Garry Dolley wrote:

I now have an amd64 test VM set up, where I installed stock 5.0.

I ran a lot of traffic over em0 without any timeouts.


That's expected. 5.0 has been running without issue for me for a long time.


I also have been trying several -current kernels.

As of:

   OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012

I don't see any em0 timeouts.

I will continue to try newer ones and report back here...


Why not just test 5.1? Problems have been reported against 5.1, not 
-current.


Simon

Re: IPv6 and carp(4) problems

[Simon Perreault]

Resurrecting an old topic...

On 2011-10-27 16:05, Stefan Rinkes wrote:

I'm currently using a current kernel with following patch:
--- sys/netinet6/in6.c 8 Aug 2011 13:04:35 - 1.93
+++ sys/netinet6/in6.c 27 Oct 2011 19:59:00 -
@@ -2476,6 +2476,14 @@ in6if_do_dad(struct ifnet *ifp)
* NS would confuse the DAD procedure.
*/
return (0);
+#if NCARP  0
+ case IFT_CARP:
+ /*
+ * XXX: DAD does not work currently on carp(4)
+ * so disable it for now.
+ */
+ return (0);
+#endif
default:
/*
* Our DAD routine requires the interface up and running.

It disables DAD on CARP, cause it does not work on normal CARP and creates
false alarms on balancing CARP. Not great, but at least balancing and IPv6
works now.


Looking at the code, DAD should already be disabled on carp interfaces.

As soon as you assign a vhid to a carp interface, a link-local address 
is attached. in6_ifattach_linklocal() unconditionally sets IN6_IFF_NODAD 
on the interface. Further down it removes it but not for CARP interfaces:


if (in6if_do_dad(ifp)  ((ifp-if_flags  IFF_POINTOPOINT) ||
(ifp-if_type == IFT_CARP)) == 0) {
ia-ia6_flags = ~IN6_IFF_NODAD;
ia-ia6_flags |= IN6_IFF_TENTATIVE;
}

So all CARP interfaces should have IN6_IFF_NODAD set.

Simon

Re: slightly OT be my own dyndns provider

[Simon Perreault]

On 2012-05-08 08:09, Stuart Henderson wrote:

One method is to run your own name server and have a way to update the
zone database with your dynamically updated entries.[...]

Another option is to use generated zone files  [...]

Alternatively outsource DNS hosting  [...]

Or you could do a blend, serve things locally at your own server/s
and also push updates to an API-based provider[...]


Why not nsupdate(8)?

Simon

Re: Watchdog timeout reset in 5.1 on intel nic:s

[Simon Perreault]

On 2012-05-08 19:08, Per-Olov Sjvholm wrote:

It says em1: watchdog timeout -- resetting


aol
I saw the same on an amd64 VPS from arpnetworks.com. Network was not 
functional. Backed out. Did not investigate further.

/aol

Simon

Re: Memory usage of BIND process

[Simon Perreault]

On 2012-04-20 07:43, Kostas Zorbadelos wrote:

I understand the kernel VM layers are completely different, but how come
the named process on OpenBSD for the same load consumes so low resident
memory? Also, why VZS  RSS on OpenBSD?
The general question I am trying to answer is, can BIND utilize all
available memory on the system (so I can arrange the amount of memory
when I order the servers).


IMHO you're asking the wrong questions. Do your users care about 
VZS/RSS/CPU/load average/whatever? If they don't, why should you? From 
what you wrote, it seems to me that what you should care about is how 
many records can fit in the cache and how many queries it can handle per 
second. Then measure that. Measure the number of records in cache, and 
measure how many queries it can handle per second. That is, measure 
*externally observable behavior*. Don't measure irrelevant technical 
details.


Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: Memory usage of BIND process

[Simon Perreault]

On 2012-04-20 14:07, Kostas Zorbadelos wrote:

Eventually you are right. However I am trying to answer the primitive
question: should I buy servers with a lot of RAM or not? If BIND cannot
utilize more than 4GB let's say, it makes no sense to buy servers with
32GB. The servers' only role will be caching resolvers.

A few years back, a colleague had noticed problems in custom compiled
BIND we currently use (on Linux), when the process size exceeded
4GB. The server produced a lot of SERVFAIL errors. As a workaround the
setting

 max-cache-size 3G;

was introduced in named.conf and since noone investigated further it has
remained to this day.


Here's a test protocol for you:

1. Set your VM to 6G.
2. Set max-cache-size to 4G.
3. Measure how many records it can store.
4. Set max-cache-size to 5G.
5. Measure how many records it can store.
6. If #3 and #5 differ, you're good. ;)

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: random nat, ftp clients and 425: Securiy: Bad IP connecting

[Simon Perreault]

On 2012-02-28 08:23, Stuart Henderson wrote:

btw: that random stuff, at least without source-tracking, is
likely to break bank websites etc.


This is right. Random pools break a lot of things in practice. Do use 
random it if you're paranoid and don't care about breaking things. 
Otherwise, the best current practice is to maintain a constant mapping 
from internal to external source address.


Simon

Keyboard mapping

[Simon Perreault]

Here's yet another question about keyboard mapping...

When I boot bsd.rd and pick the cf keyboard mapping in the installer, 
everything works perfectly.


After I reboot (bsd.mp), the keyboard seems correctly mapped (keys are 
at the right places), but some keys do nothing (e-acute (not a dead key) 
and accent dead keys).


/etc/kbdtype contains cf. I tried playing with kbd and wsconsctl. 
Everything seems normal except the above mentioned keys that do nothing.


When I switch to us, the keys that did nothing start working 
correctly, although with the us mapping.


What could be different between bsd and bsd.rd that could have such an 
impact?


I include both the dmesg from bsd.rd and bsd.mp.

Thanks,
Simon


OpenBSD 5.0 (RAMDISK_CD) #36: Wed Aug 17 10:27:31 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Atom(TM) CPU N280 @ 1.66GHz (GenuineIntel 686-class) 1.67 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE
real mem  = 2138238976 (2039MB)
avail mem = 2096250880 (1999MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/23/09, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.5 @ 0xf0720 (30 entries)
bios0: vendor American Megatrends Inc. version 0905 date 09/23/2009
bios0: ASUSTeK Computer INC. 1005HA
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET SSDT SLIC
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (P0P5)
acpiprt2 at acpi0: bus 1 (P0P7)
acpiprt3 at acpi0: bus -1 (P0P6)
bios0: ROM list: 0xc/0xec00!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GME Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82945GME Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not configured
Intel 82801GB HD Audio rev 0x02 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: apic 2 int 16
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: apic 2 int 17
pci2 at ppb1 bus 2
athn0 at pci2 dev 0 function 0 Atheros AR9285 rev 0x01: apic 2 int 17
athn0: AR9285 rev 2 (1T1R), ROM rev 13, address 1c:4b:d6:20:6c:fe
ppb2 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x02: apic 2 int 19
pci3 at ppb2 bus 1
alc0 at pci3 dev 0 function 0 Attansic Technology L2C rev 0xc0: msi, address 
90:e6:ba:57:8a:72
atphy0 at alc0 phy 0: F1 10/100/1000 PHY, rev. 11
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 2 int 23
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 2 int 19
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 2 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 2 int 16
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci4 at ppb3 bus 5
pcib0 at pci0 dev 31 function 0 Intel 82801GBM LPC rev 0x02
ahci0 at pci0 dev 31 function 2 Intel 82801GBM AHCI rev 0x02: msi, AHCI 1.1
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0: ATA, ST9250315AS, 0002 SCSI3 0/direct fixed 
naa.5000c500192a178e
sd0: 238475MB, 512 bytes/sector, 488397168 sectors
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
Sonix Technology Co., Ltd. USB 2.0 Camera rev 2.00/9.07 addr 2 at uhub0 port 
2 not configured
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b



OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU N280 @ 1.66GHz (GenuineIntel 686-class) 1.67 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE
real mem  = 2138238976 (2039MB)
avail mem = 2093182976 (1996MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 

Re: Keyboard mapping

[Simon Perreault]

On 2012-01-23 16:40, Steffen Daode Nurpmeso wrote:

If the program you are working with is eight bit clean (ksh(1)
doesn't work, csh(1) does), maybe it's the mapping.


THANK YOU!

Keys work fine in csh, not in ksh.

And bsd.rd uses sh IIRC, so that would be the answer.

Thanks!
Simon

Re: Limit ICMP echo reply

[Simon Perreault]

On 01/11/2012 06:39 PM, Limaunion wrote:

Hi all! very simple PF question, is it possible to limit the number of
ICMP echo replies, like 5/min from any source address ?


If you're looking to limit the rate emitted by OpenBSD as a host, check 
out the net.inet.icmp.errppslimit sysctl.


If you're looking to limit the rate forwarded by OpenBSD as a router, 
then you just apply QoS in pf as usual.


Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: CARP health check ?

[Simon Perreault]

On 01/12/2012 01:18 PM, PP;QQ P(P8P?P8QP8P= wrote:

we are using nagios for monitoring and it is running on separate server. we
do not want to monitor server from inside.
we want to run run something via ssh and see whether carp peer is dead or
not.


Give each server it's unique IP address.
Use a third IP address for carp.
Monitor all three addresses.

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: CARP health check ?

[Simon Perreault]

On 01/12/2012 01:49 PM, PP;QQ P(P8P?P8QP8P= wrote:

most of our carp clusters run on single address. no spare IP space.


That's the root of the problem.

Use IPv6 for the non-carp addresses? RFC 1918? rdr on some ports?

Otherwise, you'll have to invent a hackish and fragile solution...

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

Re: inet6 autoconfprivacy broken on -current ?

[Simon Perreault]

Le 02/01/2012 6:00 PM, Mattieu Baptiste a icrit :

On my machine running -current/amd64, inet6 autoconfprivacy seems to
broke neighbor sol/adv.


I just tested this and it works for me. Sorry.

Simon

Re: ping6 bug or feature?

[Simon Perreault]

Peter J. Philipp wrote, on 12/04/2011 08:06 AM:
 Somehere inside ping6 the
 return address is not checked with the outgoing address and it happily 
 accepts 2001:a60:f074::25 as a valid return address in my case.

That's a feature. Think about what would happen when pinging a multicast or an
anycast address. I *want* to see any reply coming in, no matter the source 
address.

Simon

How to use /dev/srandom

[Simon Perreault]

Hello,

I'm trying to use /dev/srandom, but I can't get even a single byte out
of it.

To reproduce:

$ hexdump -n 1 /dev/srandom

It just hangs there, sleeping. If I use /dev/urandom instead, it returns
immediately, as expected:

$ hexdump -n 1 /dev/urandom
000 0069
001

I tried on various routers that have been forwarding packets since
forever. I waited a long time for the read to succeed. I tried on
OpenBSD 4.3 and 4.6. Am I doing something wrong?

Thanks,
Simon
-- 
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: How to use /dev/srandom

[Simon Perreault]

On 2010-09-29 10:36, Theo de Raadt wrote:
 it is hanging because:
 
  23208 hexdump  CALL  read(0,0x81ffc000,0x1)
 
 It is trying to read too much.  A whole buffer, into stdio.
 
 So it empties the pool it can have, and then has to wait for more.
 eventually it does get data, and print 1 char.

Thanks! I was using the much slower add printf()s debugging method...

 I am susprised that hexdump doesn't decide to read less based on the -n
 argument.

Me too!

Thanks a lot for your help, that fixes my issue.

Simon
-- 
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: How to use /dev/srandom

[Simon Perreault]

On 2010-09-29 10:49, Theo de Raadt wrote:
 Perhaps a posix weenie can look into making hexdump use setvbuf and
 adjusting the read requirements for fread() when the length (-n
 argument) is specified as being short of the blocksize.

How about this weenie?

Index: display.c
===
RCS file: /cvs/src/usr.bin/hexdump/display.c,v
retrieving revision 1.18
diff -u -p -r1.18 display.c
--- display.c   27 Oct 2009 23:59:39 -  1.18
+++ display.c   29 Sep 2010 15:03:11 -
@@ -300,6 +300,8 @@ next(char **argv)
++_argv;
continue;
}
+   if (length  0  length  BUFSIZ)
+   setvbuf(stdin, NULL, _IONBF, 0);
statok = done = 1;
} else {
if (done++)

-- 
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: Source Overview

[Simon Perreault]

On 2010-04-21 14:35, Theo de Raadt wrote:

They mailed diffs.  Not requests for tasks.


If you request a task, it means you have no itch to scratch. You're just 
looking for an excuse to program. And it's often not enough motivation.

Re: Question regarding MSS

[Simon Perreault]

On 2010-04-15 12:18, Matthew Sullenberger wrote:

I understand the host I am trying to communicate with has its own set of
issues, but my question to Misc is that I was under the belief that if
either side did not explicitly send a MSS during the handshake the
required behavior was to default to 576 for the send MSS. My


Assuming you meant 536...


understanding was this was the required behavior even with PMTU enabled,
however it does not seem to be the case. Am I misunderstanding how this
is supposed to work? If I disable PMTU, my box does reduce the Send MSS
as I would expect.


...you're right according to RFC 879:

  HOSTS MUST NOT SEND DATAGRAMS LARGER THAN 576 OCTETS UNLESS THEY
  HAVE SPECIFIC KNOWLEDGE THAT THE DESTINATION HOST IS PREPARED TO
  ACCEPT LARGER DATAGRAMS.

 This is a long established rule.

  THE TCP MAXIMUM SEGMENT SIZE IS THE IP MAXIMUM DATAGRAM SIZE MINUS
  FORTY.

 The default IP Maximum Datagram Size is 576.
 The default TCP Maximum Segment Size is 536.

And also according to RFC 1122:

If an MSS option is not received at connection setup, TCP
MUST assume a default send MSS of 536 (576-40) [TCP:4].

And also accordint to RFC 1191:

   A TCP implementation must also store the MSS value received from its
   peer (which defaults to 536), and not send any segment larger than
   this MSS, regardless of the PMTU.  In 4.xBSD-derived implementations,
   this requires adding an additional field to the TCP state record.

Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: Question regarding MSS

[Simon Perreault]

On 2010-04-15 13:46, Matthew Sullenberger wrote:

So would
this be possibly a bug in the OpenBSD PMTU implementation (the expected
behavior occurs and the connection works normally if I disable PMTU) and if so
should I be submitting some kind of official report?


Maybe. Use sendbug(1).

Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: Load Balance Outgoing Traffic and Killing Interface-Specific States

[Simon Perreault]

On 2010-03-23 18:54, Daniel Melameth wrote:

Using the example from the PF User's Guide
(http://www.openbsd.org/faq/pf/pools.html#outgoing), what's the best way to
kill all states related to ONE of the route-to interfaces created by the
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2)
}... rule?  It is a simple thing to kill interface-specific states
generated by the related pass out on $ext_ifx route-to... rules, but I'm
uncertain of the best way to do this for the first rule.


How about this?

pfctl -k $int_lan -k $ext_gw1

Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: Load Balance Outgoing Traffic and Killing Interface-Specific States

[Simon Perreault]

On 2010-03-23 19:13, Simon Perreault wrote:

How about this?

pfctl -k $int_lan -k $ext_gw1


This is so wrong, I am ashamed.

Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: How to make FTP work from the firewall system?

[Simon Perreault]

On 03/15/2010 11:49 PM, Dave Anderson wrote:
 I'm configuring a notebook which will use PF to protect itself from the
 environments in which I use it, and would like to have FTP 'just work'
 on it -- whether it's from an explicit FTP command, from a browser, or
 embedded in some other program or script.

I see two options:

1. pass out

2. ftp-proxy(8)

Simon
-- 
DNS64 open-source   -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org

Re: How to make FTP work from the firewall system?

[Simon Perreault]

J.C. Roberts wrote:

match out on ? proto tcp from ? to any port ftp \
rdr-to 127.0.0.1 port 8021


You can't do that. rdr-to only works on input.


Without testing it, I don't know how the potential loop can be avoided,
or if it even needs to be avoided (note the match out example for
isakmp in the pf.conf(5) man page).


That example uses nat-to, which only works on output.

Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org