Wednesday 1 December 2010

2% of IPv4 address space left!

Yes, you heard me. IANA has only 2% of all IPv4 addresses left to hand out. In terms of /8s this is 7. Of these 7, five will be automatically handed out to the 5 regional registries, meaning there are really only 2 /8s left up for grabs, and rumor has it these will go early next year, making an end to it all.

I just wonder how much media beat up it will get?

And the other burning question, "are you IPv6 ready?", will soon be on everyone's lips. I at least know my work is ready, but still I haven't got native IPv6 yet, and I've no idea whether my home or mobile operators will have IPv6 available anytime soon.

Even major content providers are still shy about IPv6. Come on Google, it's time to get out from behind your Google over IPv6 program and offer native IPv6 to anyone who asks without some prior arrangement. It's not helping.

If you're worried about the .01% of people who might have an issue, make sure you make available lots of resources on how to fix their connectivity!!

Anyway, that's my IPv6 rant for today.

Hope you enjoyed!

Wednesday 17 November 2010

In the 1/8 block.

Some while ago I noticed that APNIC had been allocated the 1.0.0.0/8 block. This was a cause for concern as it has been one of the more well-known bogon prefixes. These are address blocks that may be used within organizations instead of the RFC 1918 address space, e.g. 10.0.0.0/8. I've spoken to people who have done this and the usual reason is to avoid issues with others who might be using RFC 1918 address space.
iPhone screenshot.

The result, many ISPs would filter these bogon routes lest they leak out onto the Internet.

Now, to cut a long story short, I've noticed my iPhone now has an IP from this range. Time will tell if there are any connectivity issues.
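To show why a stale bogon filter is the concern here, the following added example (mine, not the post's) compares a filter built before 1.0.0.0/8 was allocated with a refreshed one. Both lists are constructed and deliberately short; the address 1.2.3.4 is a stand-in for a handset that has been given an address from the newly allocated block.

```python
import ipaddress

# Constructed sample lists (not from the post). STALE mirrors a bogon filter
# built before 1.0.0.0/8 was allocated to APNIC; CURRENT is the same filter
# with that prefix removed. Real lists carried many more unallocated /8s.
STALE_BOGONS = ["0.0.0.0/8", "1.0.0.0/8", "10.0.0.0/8",
                "172.16.0.0/12", "192.168.0.0/16"]
CURRENT_BOGONS = ["0.0.0.0/8", "10.0.0.0/8",
                  "172.16.0.0/12", "192.168.0.0/16"]


def build_filter(prefixes):
    """Turn a list of prefix strings into network objects for membership tests."""
    return [ipaddress.ip_network(p) for p in prefixes]


def matching_bogon(addr, bogons):
    """Return the bogon prefix that would drop traffic from addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in bogons:
        if ip in net:
            return str(net)
    return None


def filter_drift(old_prefixes, new_prefixes):
    """Prefixes present in one list but not the other: the entries that must
    be removed (or added) when a filter is refreshed."""
    return sorted(set(old_prefixes) ^ set(new_prefixes))


def wrongly_dropped(addrs, stale_prefixes, current_prefixes):
    """Addresses a stale filter drops but a current one allows: legitimate
    sources that lose connectivity until the filter is refreshed."""
    stale = build_filter(stale_prefixes)
    current = build_filter(current_prefixes)
    return [a for a in addrs
            if matching_bogon(a, stale) and not matching_bogon(a, current)]


if __name__ == "__main__":
    # Constructed sample of source addresses seen at an edge filter.
    seen = ["1.2.3.4", "10.1.1.1", "203.0.113.7"]
    print("filter drift:", filter_drift(STALE_BOGONS, CURRENT_BOGONS))
    print("wrongly dropped:", wrongly_dropped(seen, STALE_BOGONS, CURRENT_BOGONS))
```

Running the same comparison against a real filter and a current registry allocation list is the check to schedule whenever an ISP keeps a static bogon list.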

Tuesday 16 November 2010

TSHOOT Books

Yay, today I finally got my foundation learning guide for TSHOOT. I discovered recently that you can get two types of Ciscopress books, Exam certification guides which are all about passing the exam, and the Foundation Learning guides which are more like a course and give you much more depth.

I already had the certification guide so I thought I should really have the foundation learning guide (after failing SWITCH) so I ordered it from Amazon but as usual when you are waiting for something it takes forever to turn up.

So today, some 19 days later it finally arrived on my desk so now for some hard core reading as my exam is less than 1 month away!!

Wish me luck!

Monday 1 November 2010

CCNP SWITCH Passed

Yes, finally I managed to pass CCNP SWITCH exam.

Lesson to be learned, make sure you read all those tiny sections at the back of the book that mention exam updates.

It turns out that between publishing of the official certification guide and my sitting the exam the first time around, Cisco had updated the exam curriculum. As a result, the book author had written extra content as a PDF to be downloaded from the publishers website.

If I had known that before my first attempt, perhaps I would have passed, who knows. As it is, I took advantage of several other aids to study for my second attempt and I guess it all worked as I passed.

Only one more exam for CCNP, that's TSHOOT booked for Dec 14th!

Wish me luck.

Friday 1 October 2010

Fixed my Internet

Last night I finally fixed my Internet! I have a Cisco 857W router for my ADSL connection (thank you eBay) but had problems with it. Every so often, it would simply stop passing traffic. The router wouldn't report any particular issues but wouldn't pass any traffic down the ADSL line. Everything else on the router appeared to be normal.

So, being the network engineer, I downloaded the latest IOS and updated my router. Not only did this not fix the problem but it introduced another one. It would appear that every new connection would lose the first few packets. A ping would lose the first packet, and telnetting to port 80 on a website would delay for several seconds before responding.

It was enough of a problem to stop the ABC's iView on the PS3 from working, which was annoying.

Normal web surfing would still work but felt a tad slower. Speed tests would show the expected bandwidth but have a horrendous ping response (> 1000ms).

So last night I downgraded slightly but went from an ED release (Early Deployment in Cisco speak) to an MD release (maintenance release) and found that all these problems have gone away.

I guess this says that there are problems with the latest ED release for my router. It remains to be seen if this MD release fixes the original problem that I was trying to fix.

Wish me luck!

Thursday 30 September 2010

CCNP Switch Fail

I recently failed my CCNP SWITCH exam. Only by a few marks ( < 5%) but enough nonetheless. At first I was upset but now I've come to realize that I wasn't thinking the right way about a lot of the questions, particularly the simulations.

Previously, I had seen sims in Cisco exams which clearly stated what the end goal was in technical terms, but this exam was more about giving a set of requirements and letting you figure out what was required. During the exam I wasn't thinking through the requirements at all, just my own set of technical goals, e.g. must get this EtherChannel up.

Having had time to think about it, I now realize that this comes down to my lack of experience (despite doing Cisco networking for 8 years) of doing design work. I have never sat down at a planning meeting with a client to determine their requirements, nor have I been involved in a peer review process in an engineering team.

My networking role is just me looking after a large network (> 800 virtual users) all by myself, with no other network engineers and no 'client'.

The end result is I know my network very well but I have never had to plan or design from scratch which showed up in the exam.

I want to be a good engineer but planning and design are hard to study for unless you've had the exposure.

Never fear, I will keep at it and I hope now I at least better understand what is required of these types of questions in the exam.

Monday 13 September 2010

Enabling rapid-pvst

This post is about my attempts to enable rapid-pvst (802.1w) on one of my switch blocks at work. My previous attempt had resulted in lots of loopback errors disabling up-links on the access switches.

My only thought at the time was that perhaps I had way too many end-to-end VLANs that took too long to converge. Now, having read up on rapid-pvst, I believe it was probably the fact that during the process of enabling rapid-pvst, the default pvst has to be switched off, and for a small period you are running without any spanning tree. If you have enough traffic then the probability is high that you could get a loop during this interval. It could still be a combination of effects though, and since my original failure I have been aggressive with switchport trunk allowed vlan ... to restrict the number of end-to-end VLANs and have been rewarded with success.

I now have managed to get rapid-pvst working on one of the switch blocks with which I originally had problems. This time though, knowing more, I took a cautious approach.

  • Step 1, Enable loopback errdisable recovery so that if for some reason the original problem recurred I wouldn't have to get console access to my access switches or reboot them. This can be done with: errdisable recovery cause loopback
  • Step 2, Turn on console messages so I can see any errors that might occur: terminal monitor
  • Step 3, Enable rapid-pvst and wait: spanning-tree mode rapid-pvst
  • Step 4, Save your work once the switch is stable.

I noticed on each access layer switch, the management interface went down and came back up. Once I had completed all the access layer switches, I then did the core switch (only one) and once finished I had a stable switch block running rapid-pvst. Here is the output of show span vlan 188:

VLAN0188
  Spanning tree enabled protocol rstp
  Root ID    Priority    24764
             Address     001b.8f97.2180
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24764  (priority 24576 sys-id-ext 188)
             Address     001b.8f97.2180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p
Gi0/4               Desg FWD 4         128.4    P2p
Gi0/5               Desg FWD 4         128.5    P2p
Gi0/6               Desg FWD 4         128.6    P2p
Gi0/7               Desg FWD 4         128.7    P2p
Gi0/8               Desg FWD 4         128.8    P2p
Gi0/9               Desg FWD 4         128.9    P2p
Gi0/10              Desg FWD 4         128.10   P2p
Gi0/11              Desg FWD 4         128.11   P2p
Gi0/12              Desg FWD 4         128.12   P2p
Gi0/17              Desg FWD 19        128.17   P2p Edge
Gi0/27              Desg FWD 4         128.27   P2p Peer(STP)
Gi0/28              Desg FWD 4         128.28   P2p Peer(STP)


This switch block is one of the ones that I had the loopback issue with so I am happy to have gotten it working here. I will now rinse and repeat and see if I can get it working everywhere!
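When repeating this across switch blocks it helps to check the show spanning-tree output programmatically rather than by eye: confirm the VLAN is running rstp, list the ports whose Type column says Peer(STP) (the neighbour on that port is still speaking legacy 802.1D, so that port has fallen back to compatibility mode and is a candidate for the next migration), and list anything not forwarding. The parser below is an added example, not the post's code; its sample is the post's output trimmed to a few ports.

```python
import re

# Constructed sample: the show spanning-tree vlan 188 output quoted in the
# post, trimmed to a handful of ports.
SAMPLE_OUTPUT = """\
VLAN0188
  Spanning tree enabled protocol rstp
  Root ID    Priority    24764
             Address     001b.8f97.2180
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24764  (priority 24576 sys-id-ext 188)
             Address     001b.8f97.2180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/17              Desg FWD 19        128.17   P2p Edge
Gi0/27              Desg FWD 4         128.27   P2p Peer(STP)
Gi0/28              Desg FWD 4         128.28   P2p Peer(STP)
"""

# One port row: name, role, state, cost, prio.nbr, then the free-text type.
PORT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+\.\d+)\s+(.+?)\s*$")


def parse_spanning_tree(text):
    """Parse one VLAN's show spanning-tree output into protocol, root status
    and a per-port list of role/state/cost/type."""
    result = {"vlan": None, "protocol": None, "is_root": False, "ports": []}
    in_table = False
    for line in text.splitlines():
        if line.startswith("VLAN"):
            result["vlan"] = line.strip()
        elif "enabled protocol" in line:
            result["protocol"] = line.split()[-1]
        elif "This bridge is the root" in line:
            result["is_root"] = True
        elif line.startswith("----"):
            in_table = True          # port rows follow the dashed header
        elif in_table and line.strip():
            m = PORT_RE.match(line)
            if m:
                name, role, state, cost, prio, ptype = m.groups()
                result["ports"].append({"name": name, "role": role, "state": state,
                                        "cost": int(cost), "prio_nbr": prio,
                                        "type": ptype})
    return result


def migration_report(parsed):
    """What still needs attention after the move to rapid-pvst: ports whose
    neighbour still runs legacy STP, edge ports, and any port not forwarding."""
    ports = parsed["ports"]
    return {
        "rstp": parsed["protocol"] == "rstp",
        "legacy_peers": [p["name"] for p in ports if "Peer(STP)" in p["type"]],
        "edge_ports": [p["name"] for p in ports if "Edge" in p["type"]],
        "not_forwarding": [p["name"] for p in ports if p["state"] != "FWD"],
    }


if __name__ == "__main__":
    print(migration_report(parse_spanning_tree(SAMPLE_OUTPUT)))
```

On the post's output this reports Gi0/27 and Gi0/28 as legacy peers, which matches the author's plan to "rinse and repeat" on the neighbouring blocks.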

Thursday 9 September 2010

Are we there yet? Sick of waiting for IPv6?

Just a quick one today.

I've been using IPv6 since the days of the 6bone and have been waiting ever since for commercial service. Initially I was only interested in IPv6 access at home but now that I look after my own commercial offering, I really want IPv6 available at work.

My provider (who also happens to be my parent company) has allowed me to join their trial of IPv6 via a tunnel from my Internet routers. This, along with a /48 allocation of address space, has at least allowed me to do a proof of concept and get all my infrastructure properly configured.

The big question is, with IPv4 running out within the year, why oh why am I still waiting for my service provider to get on board and provide IPv6 service?

I've now been told December this year but only if I sign up to a new Internet connection. I've yet to be told if they will be charging extra for IPv6 which would be counter productive. Given that my provider is my parent company, I have no choice but to wait, but what a long wait it's been.

Wednesday 8 September 2010

The trouble with TCAM

Let me start by saying that whilst I am not a CCIE, I understand that the commands presented here are supposed to be CCIE level when it comes to switches.

The background is that I look after a network which uses layer 3 switches for the core/distribution layer. These are mostly 3560s. When I first started implementing the 3560 switches, I read that they supported IPv6. Being an early adopter when it came to IPv6, I sought to enable IPv6.

It turns out that the way you enable IPv6 on the 3560 family is by repartitioning the CAM/TCAM tables using the sdm prefer command. This command dictates how much space is used for various kinds of resources, such as layer 2 entries, L3 routes, multicast routes and the mix between them.

Now when I first enabled IPv6 on my 3560s I didn't really understand what a TCAM was or why it was critical to layer 3 operations so I ended up making a choice that for years has impacted the performance of the network.

The command I used at the time was:

# sdm prefer dual-ipv4-and-ipv6 vlan

I figured at the time that I had a few vlans and that would be the way to go. Here is the table showing the mix of resources you get when you choose this option:

The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  8K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    0
  number of IPv6 multicast groups:                  1K
  number of directly-connected IPv6 addresses:      0
  number of indirect IPv6 unicast routes:           0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0.5K
  number of IPv6 security aces:                     0.5K

Can you see something a bit strange here? This line is the issue:

number of IPv4 unicast routes:                    0

Since most of my network was still IPv4, this line allowed no space in the TCAM for IPv4 unicast routes! That was most of my traffic. The net result was periodic spikes in CPU usage on the switches when significant traffic went through them. It wasn't until recently, when studying for my CCNP SWITCH exam, that I realized that these switches actually do routing in hardware for most traffic as long as there is room in the TCAM.

So I had a configuration that specifically did not have any room in the TCAM, so all IPv4 unicast routing on these switches was being done in software. Now the CPU in a 3560 isn't great but it's probably sufficient for low-level traffic, and having a dedicated backup LAN meant that a lot of heavy traffic wasn't routed, yet periodically there was enough traffic to spike the CPU. The CPU would max out at over 80%, which is enough to mean other services could suffer.

Before you start thinking that I was a bit negligent letting this issue carry on for 'years' let me state that I had tried to debug this according to the methods suggested by Cisco.

I started out with doing:

#show proc cpu | ex 0.00

This shows the CPU process table excluding anything that's not taking up any CPU. The output showed IP Input was the process taking up all the CPU. This is exactly what to expect if lots of traffic is getting punted to the CPU. The next step is to find out why. The command:

# show ip cef switching statistics

       Reason                          Drop       Punt  Punt2Host
RP LES TTL expired                        0          0          1
RP LES Features                           0       4881          0
RP LES Total                              0       4881          1

All    Total                              0       4881          1

This command shows what is causing the CPU punts to occur. TTL is obvious but features requires more detail:

# show ip cef switching statistics feature
IPv4 CEF input features:
       Feature                Drop    Consume       Punt  Punt2Host Gave route
       NAT Outside               0          0       4881          0          0
Total                            0          0       4881          0          0

IPv4 CEF output features:
       Feature                Drop    Consume       Punt  Punt2Host    New i/f
Total                            0          0          0          0          0

IPv4 CEF post-encap features:
       Feature                Drop    Consume       Punt  Punt2Host    New i/f
Total                            0          0          0          0          0

IPv4 CEF for us features:
       Feature                Drop    Consume       Punt  Punt2Host    New i/f
Total                            0          0          0          0          0

This command, in my case, showed huge amounts of NAT Outside Punts. At this point I was stumped. I searched repeatedly for anything that could trigger NAT and explain what was going on.

As you may have guessed by now, that output was a furfy, and the problem had nothing to do with NAT.

From the above output of the sdm preferences, it is now obvious that my naive choice for the sdm preferences resulted in no space in the TCAM for IPv4 routes and thus all IPv4 routing was being done by the CPU using the IP Input process.

The solution? Simply change the sdm preferences to dual-ipv4-and-ipv6 default!

 "desktop IPv4 and IPv6 default" template:
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    3K
    number of directly-connected IPv4 hosts:        2K
    number of indirect IPv4 routes:                 1K
  number of IPv6 multicast groups:                  1K
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:           1K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0.5K
  number of IPv6 security aces:                     0.5K

Now I have plenty of space for both IPv4 and IPv6 routes. What I lose is policy based routing, but hey, that's something I can live with. Since this change I haven't had a single CPU spike (> 2 days now).


I have also since learnt that you don't get taught about SDM preferences until you study routing and switching at the expert level.

That's what you get for being an early adopter!
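The zero in the template output is easy to miss in a wall of numbers, so a check that parses show sdm prefer output and flags any routing resource sized at zero is worth keeping alongside a config audit. The following is an added example (mine, not the post's or Cisco's code); the two samples are the template summaries quoted above, resource lines only, and the list of keys treated as "must be non-zero for hardware routing" is my own choice based on what the post found.

```python
# Constructed samples: the two template summaries quoted in the post
# (dual-ipv4-and-ipv6 vlan, then dual-ipv4-and-ipv6 default), resource lines only.
VLAN_TEMPLATE = """\
  number of unicast mac addresses:                  8K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    0
  number of IPv6 multicast groups:                  1K
  number of directly-connected IPv6 addresses:      0
  number of indirect IPv6 unicast routes:           0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0.5K
  number of IPv6 security aces:                     0.5K
"""

DEFAULT_TEMPLATE = """\
 "desktop IPv4 and IPv6 default" template:
  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    3K
    number of directly-connected IPv4 hosts:        2K
    number of indirect IPv4 routes:                 1K
  number of IPv6 multicast groups:                  1K
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:           1K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0.5K
  number of IPv6 security aces:                     0.5K
"""

# Resources that must be non-zero for the switch to route that address
# family in hardware; a zero here means the CPU carries the traffic instead.
# (My selection, based on the post's findings.)
ROUTING_KEYS = (
    "number of IPv4 unicast routes",
    "number of directly-connected IPv6 addresses",
    "number of indirect IPv6 unicast routes",
)


def parse_count(value):
    """'8K' -> 8192, '0.75K' -> 768, '0' -> 0."""
    value = value.strip()
    if value.upper().endswith("K"):
        return int(float(value[:-1]) * 1024)
    return int(value)


def parse_sdm_template(text):
    """Map each 'number of ...' line of show sdm prefer output to an integer."""
    resources = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("number of") or ":" not in line:
            continue                      # skip the template title line
        key, _, value = line.rpartition(":")
        resources[key.strip()] = parse_count(value)
    return resources


def routing_warnings(resources, families=("IPv4", "IPv6")):
    """One warning per routing resource that is zero for a family in use."""
    warnings = []
    for key in ROUTING_KEYS:
        if not any(fam in key for fam in families):
            continue
        if resources.get(key, 0) == 0:
            warnings.append(f"{key} is 0: that traffic will be software switched")
    return warnings


if __name__ == "__main__":
    for name, text in (("vlan", VLAN_TEMPLATE), ("default", DEFAULT_TEMPLATE)):
        print(name, routing_warnings(parse_sdm_template(text)) or "ok")
```

Run against the vlan template it produces three warnings (IPv4 unicast routes and both IPv6 route resources are zero); against the default template it produces none, which is the change the post made.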

Monday 6 September 2010

IPv6 Caveat - Apache & XP

I encountered an interesting problem with my Intranet today.

Certain pages were just hanging halfway through loading. Sure that doesn't sound very exciting but upon inspection of the source code I discovered it was a SOAP call that was hanging.

Trying a manual connection via telnet replicated the hang, with an interesting point: it was trying to connect via IPv6. Now I didn't recall manually entering an IPv6 AAAA record into my primary DNS, but it so happens that the target machine for this SOAP call is an XP box running the Windows version of the Apache web server, and yes, I did recently enable IPv6 on that machine.

So, the diagnosis (yes, short post today) is that whilst XP (SP3) supports IPv6 and Apache on other operating systems supports IPv6, it would appear that the two together do not support IPv6. Couple that with Active Directory automatic DNS updates and you have my problem.

The solution was to create a different URL for the SOAP service which only had an IPv4 record and update all the SOAP calls and WSDL files that described the SOAP service in the first place.

So, lesson to be learned, IPv6 support is still lacking despite being around for 15 years. I guess if I'd updated this box to Vista or Windows 7 it might be different, but I'm not sure. Before you ask, no I can't install Linux; my security vendor doesn't support Linux, at least not for this product.

Oh well. Not everything is ready for IPv6 yet.

Friday 3 September 2010

Apples Ping beset with Spam

Ok, yet another social networking offering, this time by Apple. Apple appears to be doing a Google and trying to get in on everything. This one though seems to be specific to the music industry and our consumption of their product.

So I signed up, to check it out. Nothing that exciting yet but already I've noted spam. People setting up accounts simply to comment on anything and everything to tout their wares, the one I saw was funnily enough about how to get a free iPhone.


Time will tell what Apple chooses to do about this. I've yet to see a web interface for Ping, which is telling. If you can only access Ping via iTunes then it will be much less accessible than other social services.

Who knows if the 'net public will want to sign up for yet another social service. I think the only people who will, will be people Apple already has a relationship with, i.e. iPhone and iPod users who have an iTunes account.

I can't see the draw, can you?

Wednesday 1 September 2010

Bring on the NBN

By now, I think, the general public are probably sick of hearing about the NBN despite it being such a 'hot' election issue. Election? When was that? It was so long ago, I've forgotten, but we can still hear about the NBN.

Being a tech-head, I've done my share of cringing at the reasons people give for why it's a bad idea. Most average people I've polled say it's a good idea but too expensive. To that, I'd like to quote an expert:

"The ubiquitous use of high capacity across the entire population is intended to alter the way in which services are delivered, in which we define work and entertainment and the way in which a relatively small population in the south Pacific Ocean defines its place as a developed and hopefully highly competitive economy in a global context. These are indeed great expectations and the price tag is entirely commensurate with the level of euphoric optimism that is associated with this national project." - Geoff Huston, Chief Scientist at APNIC

I happen to agree. The NBN is the same style of public work as the original copper network was back in its day. Perhaps the same debate was had then, but I don't think it was an election issue. The public wasn't asked to choose a technology solution for the nation's future network.

That's what it comes down to. Each side has offered a solution and the public has been asked via an election to choose which they want. Of course the public is in no position to choose based on technical merits, so instead they go with all they know, price. But how on earth does the public weigh up the price of an NBN? Can't find them at Coles or Woolies or even at Dick Smith Powerhouse!

I would like to state a simple reason for the NBN, we need it for all the reasons we can't think of right now. It's not about faster porn, or downloading illegal movies, though many might use those as arguments. Think more about providing cable TV to all those that don't have a big black cable hanging on their telegraph poles. Think about making a national community TV station. Think about having the ability to watch your recorded shows from your set top box at your mates place (copyright permitting).

These are things you can only do if most people have the same service. I remember a few years back trying to do the webcam thing with my sister in the UK. We did it because it was nice to see a face, but it almost always deteriorated into a frozen image because neither of us had the sort of bandwidth required. Well, imagine being able to do something similar but with the quality you expect from TV, HD TV even, across the globe. That would make this planet we live on seem a whole lot smaller. It wouldn't be such a separation to live in another country from your nearest and dearest. But a broadband policy that merely seeks to add some more people onto our aging copper network is just not good enough.

Copper and even wireless have limits. The further you are from either, the slower it gets. The speeds 'suggested' for each are never obtainable, so whilst it might be said that everyone will get 12Mb, that's just a suggested figure and your mileage may vary. Certainly my existing service is billed as ADSL2+ yet I only get 4Mb. There is very little chance they are going to build a new exchange close to my residence, so I have nothing to look forward to. No Internet TV, no HD video calls.

So I for one, welcome our new NBN overlords... 

Wednesday 25 August 2010

Anatomy of a Paypal Scam

Over the course of the last few days I have been the target of a paypal scam. This was one involving a car I have for sale online. The gist of the scam is detailed here.

The first part that threw me was that the perpetrator was claiming to be on an oil rig, having no phone access but working Internet access.

"thanks for mailing back,i am a petroleum engineer and i am on rig right now.i am buying this as a birthday gift for my dad,i've been trying to reach you but i discovered that our  phone is currently scrambled due to the bad weather please bear with me .I can only pay through paypal at the moment as i dont have access to my bank account online,but i have it attached to my paypal account and this is why i insisted on using paypal,i will like you to send me your paypal email so i can deposited the money."

I gather this was a ploy so that I could only contact him via the Internet and not speak to him in person. The mobile number he gave just rang out with no voicemail.

The next step was that the car had to go to Darwin which is a long way from where I am and that he couldn't pay for the pickup agent from his location.

He offered extra money above the price of the car to cover this if I could just wire the extra money to his pickup agent in the UK (never mind the issue of using a pickup agent in the UK to move a car in Australia).

The clincher came the next morning when a fake paypal email came saying money had been transferred into my account (it hadn't) but to release the total value I had to prove that I had sent the money to the pickup agent.

The email looked fake. Checking the headers (View Original in gmail) gives:

Received: by 10.216.15.8 with SMTP id e8mr41876wee.59.1282688603259; Tue, 24
 Aug 2010 15:23:23 -0700 (PDT)
Sender: mark.markspencer.spencer8@gmail.com
Received: by 10.216.170.140 with HTTP; Tue, 24 Aug 2010 15:23:23 -0700 (PDT)
Date: Wed, 25 Aug 2010 00:23:23 +0200
X-Google-Sender-Auth: ovZN1dj6pw_bFlMm7Z5wEsKi3LQ
Message-ID: 
Subject: ****Regarding Your Payment****
From: "service@paypal.com" 

If you have dealt with Paypal before you know that notifications for instant payments come from the person doing the payment, not from Paypal. I did a search for Mark Spencer and variations on that name appear with many scams. If they were smart it would be an alias, but let's not presume too much here.

During my long conversation with the scammer (yes, he wanted to chat too) it was evident that he didn't understand English that well and didn't get that he'd been sprung.

me: I should tell you I work in IT. This sounds too much like a scam to be anything but.
Jayceon: but?

I sent the original email on to the advertising agency, who confirmed it was definitely a scam. I also forwarded the fake Paypal emails to Paypal so that they can investigate. I don't expect anything to come from this, but it was an interesting experience nonetheless.

I have a full chat log plus all the original emails if anyone is interested.

Monday 23 August 2010

iPhone4 Tethering Part2 Multiple Devices

Tonight I did some more experimentation with the tethering on the iPhone4 (yes you can do it on the earlier models too) to see about multiple devices.

In my earlier post, I discovered that the address range assigned to tethered devices is 172.10.20.0/28. Given this range, I presumed that multiple devices could tether through the iPhone together.

To test this, I tethered my laptop and my wife's MacBook through my iPhone together. Both devices received an IP address in the above network. To my surprise they could ping each other without any issues. I guess you could call that an ad-hoc Bluetooth network with the iPhone acting as an access point!

I also checked the externally visible IP addresses and as suspected they are both appearing behind the same externally assigned IP address from the 3G network.

So I guess the next question, could you say, have a whole bunch of devices all tethered through an iPhone? Imagine the possibilities, a classroom of students sitting out in the park all on the 'net through a single device?

Interesting possibilities indeed...

Facetime ™ on the iPhone4

Finally I know someone else with an iPhone4. It has only taken a month! As soon as his phone was on the network we tested Facetime™. I have to say it does work as expected, though you have to be careful as to what type of network access you use for wireless.

To me it's obvious, but perhaps to non-technical folk it might not be; You need to have a direct connection to the Internet, this means you can't go via a proxy. We have two wireless networks here and one uses a proxy the other doesn't. The proxy one does not work for Facetime™.

I haven't read much on how this protocol works, but I assume it's similar to a peer-to-peer application where UDP packets are sent out to create an outbound hole in a firewall that can then be used by the person at the other end of the call. Presumably there is a central registration service which associates a person's mobile number with their current outbound IP address. Again, this is how peer-to-peer networks work.

There's no way they could get away with channelling all video through a central site given how much latency there is getting to Australia.

The quick tests we did showed that the latency was noticeable but not über laggy.

The video quality was passable but with useful lighting it would be better.

All in all, a useful service. Hopefully down the track they will open the protocol and allow other devices to talk with iPhones.

Tuesday 10 August 2010

PostgreSQL and xpath

Wow.

It all started with me being a lazy developer. I had to store some figures and rather than create a new database table I decided to reuse an existing one. Only problem was that the existing table only had a field of type text for storing these figures (power readings). No worries, I thought, I'll just encode it as XML and use PHP to extract the info when I need it.

Sounds ok so far? Well, I guess I could have gone down that path, but it broke my general way of doing things. I wanted to be able to summarize data inside the database where the data lived rather than externally.

So I began looking at what options there were for working with XML inside PostgreSQL. Well, if you do a simple search for these terms you find yourself looking at the manual for version 8.2. I soon discovered that XML support in 8.2 was limited at best, with third party add-ons required to be useful.

When I took a look at the manual for 8.3 though, it became apparent that I could do XML manipulation as part of a regular SQL query! Imagine that. Now, that lovely XML data that I had sneakily placed into a text field could behave like all the other data that had been given its own columns.

Try this on for size as a scary looking but way cool SQL query for PostgreSQL:

SELECT
  date_trunc('month'::text, lo.ti_start)::date AS "Reading Taken",
  cl.cl_name AS "Client",
  (xpath('/load/board/text()'::text, lo.ti_data::xml)::text[])[1] AS "DB",
  avg((xpath('/load/reading/phase[@units=''amps'']/text()'::text, lo.ti_data::xml)::text[]::real[])[1])::numeric(6,1) AS "Phase1 (A)",
  avg((xpath('/load/reading/phase[@units=''amps'']/text()'::text, lo.ti_data::xml)::text[]::real[])[2])::numeric(6,1) AS "Phase2 (A)",
  avg((xpath('/load/reading/phase[@units=''amps'']/text()'::text, lo.ti_data::xml)::text[]::real[])[3])::numeric(6,1) AS "Phase3 (A)",
  avg((xpath('/load/reading/phase[@units=''kw'']/text()'::text, lo.ti_data::xml)::text[]::real[])[1])::numeric(6,2) AS "Phase1 (kW)",
  avg((xpath('/load/reading/phase[@units=''kw'']/text()'::text, lo.ti_data::xml)::text[]::real[])[2])::numeric(6,2) AS "Phase2 (kW)",
  avg((xpath('/load/reading/phase[@units=''kw'']/text()'::text, lo.ti_data::xml)::text[]::real[])[3])::numeric(6,2) AS "Phase3 (kW)"
FROM netdb.load lo, netdb.client cl
WHERE lo.se_type = 39 AND lo.cl_id = cl.cl_id AND lo.cl_id = 3
GROUP BY date_trunc('month'::text, lo.ti_start)::date, cl.cl_name,
  (xpath('/load/board/text()'::text, lo.ti_data::xml)::text[])[1];

As you can see, with the xpath function, you can treat any text block as XML and then manipulate, select or group by the results.

This is such a powerful idea that I'm still geeking out about it. For a long time I had seen XML formats as a data storage format; throw in XPath and XQuery and you have something that could potentially replace an RDBMS. Now think about XML inside your RDBMS and you get the best of both worlds. Better still, you can slowly add XML into your existing database without having to retool all your existing code.

What a fantastic idea.

I look forward to doing lots of cool things with XML and PostgreSQL.
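To show what the query above actually computes, here is an added example (mine, not part of the original post or of any project) that re-implements the same XPath extraction and month/client/board grouping in Python over constructed sample rows shaped like netdb.load. It also adds the check the SQL version lacks: validating each ti_data document before it is stored, since one malformed row breaks the ::xml cast for every row in the query. The row layout, client name and board names are assumptions made for the example.

```python
"""Added example, not from the original post: a Python re-implementation of
what the xpath() query computes, run over constructed sample rows shaped like
netdb.load (ti_start, client name, ti_data). It adds the check the SQL version
lacks: validate the XML when it is stored, because a single malformed ti_data
makes the ::xml cast fail for the whole query."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import date
from statistics import mean

# XPath expressions are fixed literals (never built from user input).
# ElementTree's XPath subset handles the [@units='...'] predicate the query uses.
PHASE_XPATH = {
    "amps": "./reading/phase[@units='amps']",
    "kw": "./reading/phase[@units='kw']",
}

# Constructed sample rows (assumed layout): (ti_start, cl_name, ti_data)
SAMPLE_ROWS = [
    (date(2010, 7, 3), "Acme",
     '<load><board>DB1</board><reading>'
     '<phase units="amps">10.0</phase><phase units="amps">12.0</phase><phase units="amps">14.0</phase>'
     '<phase units="kw">2.0</phase><phase units="kw">2.4</phase><phase units="kw">2.8</phase>'
     '</reading></load>'),
    (date(2010, 7, 20), "Acme",
     '<load><board>DB1</board><reading>'
     '<phase units="amps">12.0</phase><phase units="amps">14.0</phase><phase units="amps">16.0</phase>'
     '<phase units="kw">2.4</phase><phase units="kw">2.8</phase><phase units="kw">3.2</phase>'
     '</reading></load>'),
    (date(2010, 8, 1), "Acme",
     '<load><board>DB2</board><reading>'
     '<phase units="amps">20.0</phase><phase units="amps">20.0</phase><phase units="amps">20.0</phase>'
     '<phase units="kw">4.0</phase><phase units="kw">4.0</phase><phase units="kw">4.0</phase>'
     '</reading></load>'),
]


def parse_load(ti_data: str) -> ET.Element:
    """Equivalent of ti_data::xml, plus a structural check on the root element."""
    root = ET.fromstring(ti_data)  # raises ET.ParseError on malformed XML
    if root.tag != "load":
        raise ValueError(f"expected <load> root, got <{root.tag}>")
    return root


def is_valid_load(ti_data: str) -> bool:
    """Gate to apply before INSERT so bad XML never reaches the query."""
    try:
        parse_load(ti_data)
    except (ET.ParseError, ValueError):
        return False
    return True


def phase_values(root: ET.Element, units: str) -> list:
    """/load/reading/phase[@units=...]/text() as floats, in document order."""
    return [float(p.text) for p in root.findall(PHASE_XPATH[units])]


def monthly_phase_averages(rows) -> dict:
    """Group by (month, client, board) and average each of the three phases,
    mirroring the SELECT ... GROUP BY in the query. Returns
    {(month, client, board): {"amps": (p1, p2, p3), "kw": (p1, p2, p3)}}."""
    groups = defaultdict(lambda: {"amps": [[], [], []], "kw": [[], [], []]})
    for ti_start, client, ti_data in rows:
        root = parse_load(ti_data)
        key = (ti_start.replace(day=1), client, root.findtext("board"))
        for units in PHASE_XPATH:
            for i, value in enumerate(phase_values(root, units)[:3]):
                groups[key][units][i].append(value)
    return {
        key: {units: tuple(round(mean(v), 2) if v else None for v in cols)
              for units, cols in g.items()}
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for key, avgs in sorted(monthly_phase_averages(SAMPLE_ROWS).items()):
        print(key, avgs)
```

Run it as a script to see one line per (month, client, board) group; the per-phase tuples correspond to the "Phase1 (A)" ... "Phase3 (kW)" columns. The same structure works as a unit test for the SQL: feed the constructed rows into netdb.load and the query must return these averages.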

Read this knol that I wrote on this subject.

Monday 9 August 2010

iPhone 4 Tethering

After receiving my new iPhone 4 on the 2nd of August, I was surprised to find my telco now allowed tethering for free. This was a change from my previous contract for my iPhone 3, which required a call to the telco and an additional charge of $9.99 / month.

So here I am, blogging via a tethered connection to my iPhone, and I thought I would check what addresses I get on each device. To my surprise, I get a different IP address on each device. I discovered this by using one of those "what is my IP" sites (e.g. here). Yet my laptop locally had an IP in the 172.10.20.0/28 address space, and so did the next three hops out from my laptop.

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  172.10.20.1 (172.10.20.1)  24.506 ms
 2  172.22.68.131 (172.22.68.131)  82.246 ms
 3  172.22.68.2 (172.22.68.2)  116.105 ms

This makes me think that my tethered traffic is being tunnelled through my iPhone's 3G connection. To make matters even muddier, the ping app I have on my iPhone reports yet another IP address, different to that reported by the IP address website. This makes me think perhaps there might be some transparent proxying going on.

On further analysis, I find that the address site and an SSH connection show consistent results for both devices. The only difference is that the laptop is reporting a different local IP than that seen by the SSH connection or the address website. The range allocated is a /28, which makes me think the iPhone supports multiple devices connected via Bluetooth tethering to a single IP address which exists on the phone. Thus the ISP allocates one IP for the iPhone and a separate one for the tethering. This still doesn't explain the three hops from the tethered device inside the 172.16.0.0/12 private address space, but I'll leave that to someone else to explain.

But the best news is that it works a treat and I no longer have to take a 3G dongle with me to access the 'net on my laptop.

More questions than answers, I'm afraid, but at least it's interesting networking. If only I could capture the network packets inside the iPhone.

Perhaps there's a useful document out on the 'net that describes the actual process going on.

I'll leave that to you as an exercise.

Monday 2 August 2010

Sample iPhone Image and Video

This image was taken on my new iPhone 4, which arrived this morning. The shot was taken in my office with lots of sunlight and contrast. Bear in mind that the image has been squashed to 1600 horizontal pixels by Picasa, so you don't see the whole resolution, but it gives you a good idea of the potential of the iPhone's new camera.

I will try and upload the original image somewhere, but it's not small and will take a while.

I have also created a test video from the phone and uploaded it to youtube.

Thursday 29 July 2010

Scanning an IPv6 Subnet

If you are a network geek like me you may have been reading a lot lately about IPv6 and how it is different from IPv4. From a security perspective, one of the things stated as a benefit of IPv6 is the mind-boggling size of a subnet, to the extent that most network engineers will state that we need never subnet again. I would have to agree! But from the other side of the security coin, how does one scan an IPv6 subnet as a result? I'm not thinking about hacking but about performing your own security scanning with a tool like OpenVAS.

Let's have a think about how we might achieve this. First, a lesson in IPv6 for the uninitiated. IPv6 addresses are 128 bits long; I'm sure you've all read that somewhere. What that represents in raw numbers is huge. What is more useful is how those 128 bits are broken up. As an end-user organisation, you will probably receive a /48 or a smaller block (i.e. a longer prefix). Consumers will perhaps only receive a /56, or perhaps even a single /64.

The important thing to know is that even though a /48 leaves you 80 bits to play with, the done thing is to allocate the last 64 bits as the interface identifier, which leaves 16 bits for numbering subnets. Most posts I've seen have simply taken those 64 bits as a given (i.e. a very large number of possibilities) and ignored the scanning possibilities.

I think there are a few things to note about the structure of the 64 bits. Firstly, engineers are free to allocate these bits how they see fit, and of course if these bits are allocated at random then yes, it will be a near impossible task to scan an IPv6 subnet.

But if the engineer uses EUI-64 to fill out the 64 bits then we know a bit more about the structure of these bits. Put simply, modified EUI-64 splits the 48-bit MAC address into its two 24-bit halves and places the bit pattern FFFE in between. You also flip the universal/local bit (the 7th bit of the first octet, which sits in the second hex digit), but hey, who's counting?

So we have reduced the 64 bits down to, say, 48 bits. Still a lot of bits, but perhaps we can get a bit closer. The first half of a MAC address (the OUI) identifies the vendor of the NIC. We can make a smart guess about the NIC vendor: pick a list of 256 likely OUIs (8 bits of choice) and we have reduced the 48 bits down to 32 bits to scan; a list of 1024 leaves 34. You may even be able to use information about what portion of the lower 24 bits has been allocated by various vendors to narrow down that part of the search as well.

Also worth considering: engineers who choose to allocate the 64 bits manually will often use relatively small numbers for this purpose. The first 64 bits already uniquely identify the subnet, so there's no need for a large number.

So perhaps you would try a sequential scan of the lower bits, say 8 or 10 bits, scanning from 1 to 1000. Then try random numbers within sensible ranges for the vendor IDs you are using.

Now I'm not forgetting the first 64 bits, but I wouldn't suggest using scanning to find the content of these bits. It isn't that hard to find IPv6 allocations that have been given out, but the best you will get from that is the first 48 bits.

Alternatively, there are many ways to collect this information. A fake website advertised in a spam email could get people to deliver traffic to you, which would expose their full source addresses. Mostly this technique would be useful for Internet-facing systems; internal systems should be heavily protected by firewalls even without NAT.

So what do we have? If we can find the /48 allocation, then we have the 16 bits that make up the subnet number, plus, say, 32 bits of scanning for the lower bits. How long will it take to scan a single /48 using these optimisations?

We have a total of 48 bits to scan, which makes for a large number. If we scan 1024 addresses every second then it will still take over 8700 years (2^48 / 1024 seconds) to cover a single /48. This is a long time in anyone's reckoning but certainly a lot shorter than you might see in the media.

I think others could do a better job than I have, but it would still be a large task. Perhaps you're doing this internally and you don't mind whacking your network; then you could get this down, as Gigabit networks can do many more packets per second. Perhaps you could have better guesses for the subnet number?

I think it's still in the realm of the impractical, but if you were sufficiently motivated perhaps you might find a way to scan.

This of course is to scan a whole /48, i.e. all 65,536 of a site's /64 subnets. A single /64 under the same assumptions is a 32-bit search, 2^32 / 1024 seconds or roughly 48 days at 1024 addresses per second: tedious, but not out of reach for a patient scanner.

I would imagine that perhaps in the IPv6 future we will see slow, persistent scanning develop for those that have the time. IPv6 scanning won't be for the casual players.
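To make the arithmetic above concrete, here is an added example (mine, not code from the original post) that generates the structured candidate addresses the post describes under one /64, i.e. modified EUI-64 identifiers built from a short list of vendor OUIs plus the small hand-assigned numbers, and sizes the search space that remains. The documentation prefix, the three OUI values and the NIC-specific range are constructed for illustration; it goes slightly beyond the text by also giving the per-/64 figure.

```python
"""Added example, not from the original post: enumerate the structured
interface identifiers the post describes (EUI-64 from a short list of vendor
OUIs, and small hand-assigned numbers) under one /64, and size the search
space that remains. Prefix, OUIs and ranges are constructed values."""
import ipaddress
import math
from typing import Iterable, Iterator

# Constructed inputs: the documentation prefix and three illustrative 24-bit OUIs.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
SAMPLE_OUIS = (0x001B21, 0x001E68, 0x00D0B7)

YEAR_SECONDS = 365.25 * 24 * 3600


def modified_eui64(mac: int) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC: split the MAC into its
    two 24-bit halves, insert 0xFFFE between them, and invert the
    universal/local bit (bit 1 of the first octet, i.e. bit 57 of the ID)."""
    oui = (mac >> 24) & 0xFFFFFF
    nic = mac & 0xFFFFFF
    iid = (oui << 40) | (0xFFFE << 24) | nic
    return iid ^ (1 << 57)


def eui64_candidates(prefix: ipaddress.IPv6Network, ouis: Iterable[int],
                     nic_ids: Iterable[int]) -> Iterator[ipaddress.IPv6Address]:
    """Addresses a SLAAC host would take for each (OUI, NIC-specific part) pair."""
    base = int(prefix.network_address)
    nic_ids = list(nic_ids)
    for oui in ouis:
        for nic in nic_ids:
            yield ipaddress.IPv6Address(base | modified_eui64((oui << 24) | nic))


def low_number_candidates(prefix: ipaddress.IPv6Network,
                          upto: int) -> Iterator[ipaddress.IPv6Address]:
    """prefix::1 .. prefix::upto, the hand-assigned addresses the post expects."""
    base = int(prefix.network_address)
    for n in range(1, upto + 1):
        yield ipaddress.IPv6Address(base | n)


def search_space_bits(num_ouis: int, nic_bits: int = 24) -> float:
    """Bits left to brute-force per /64 when the OUI is guessed from a list:
    log2(list length) for the vendor half plus the 24-bit NIC-specific half."""
    return math.log2(num_ouis) + nic_bits


def scan_years(bits: float, per_second: float) -> float:
    """Wall-clock years to probe 2**bits addresses at a fixed probe rate."""
    return 2 ** bits / per_second / YEAR_SECONDS


def summary(rate: float = 1024.0) -> dict:
    """Per-/64 and per-/48 estimates with the post's assumptions (256 OUIs,
    1024 probes per second); the /48 adds the 16 subnet bits."""
    per_subnet = search_space_bits(256)  # 8 + 24 = 32 bits
    return {
        "bits_per_64": per_subnet,
        "years_per_64": scan_years(per_subnet, rate),
        "years_per_48": scan_years(per_subnet + 16, rate),
    }


if __name__ == "__main__":
    for addr in low_number_candidates(PREFIX, 3):
        print("low-number candidate:", addr)
    for addr in eui64_candidates(PREFIX, SAMPLE_OUIS, [0x123456]):
        print("EUI-64 candidate:    ", addr)
    print(summary())
```

Feed the generated candidates to whatever prober you use (an ICMPv6 echo or a TCP connect per address); the point of the generator is that a structured interface ID turns the 64-bit haystack into a list you can actually iterate, and summary() shows how far that gets you at a given probe rate.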

Tuesday 29 June 2010

Passed CCNP ROUTE

Passed the first part of my CCNP, the ROUTE exam (642-902). It wasn't as scary as I had thought; planning, whilst important, was just a small part of the overall exam. I actually enjoyed the exam process, though I was freaked out at the end when it didn't show me my score. I thought that was a sure sign I'd failed.

Even when I left the testing room, the lady at the desk waved my result sheet around without actually telling me if I'd passed which was annoying. I had to wait for her to hand it to me (after signing me out) before I knew that I'd passed. Very anxious moments!

So now on to the next exam (yes, already booked for the end of September), though now I feel much more capable.

Friday 18 June 2010

Life without a Home Button

Yes, the home button on my iPhone has died. For those of you without an iPhone, this button is the way you quit one application and choose another, because the iPhone software (currently) only permits a single application to be running at a time.

As you can imagine, this makes it very difficult to use the iPhone as you get stuck in a single application.

But there are ways you can switch applications without using the home button. The iPhone software does actually run in the background; it only allows a single user application, but the OS still runs. Thus when you receive an SMS, for instance, you will be presented with an alert. If you touch the alert you will be switched to the SMS app.

Voilà! So, you wonder, how many apps can you switch between like this?

I have begun to think this through and have come up with the following so far:
  1. From any app, receive SMS to get to SMS app
  2. From any app, receive a phone call to get to the phone call app.
  3. From any app, receive an SMS with a URL in it to get to Safari via the SMS app!
  4. From Safari, find a link to an app in the app store to get to app store app.
  5. From app store app, install any app to get back to the home screen (what the home button would normally do in a single press!)
I haven't thought of any others yet, but so far just enough to get me around. If I really have to swap apps, then I have to reboot to get back to the home screen. I guess this should go into a state diagram like an FSM?

Friday 11 June 2010

A lesson in learning

I was recently asked to do some updates for a church website. I do websites, I told myself, how hard can it be? After all, I looked after my department's internal website and it wasn't that bad.

The previous administrator had casually mentioned to me that the website in question was an MVC type website. It didn't click at the time what he meant and I didn't think about it until I went to make these changes.

Ever heard of the concept of design patterns? I could remember something of this from my phase as an iPhone developer. Design patterns are used extensively when programming for the iPhone, but I had only the vaguest notion of the why and how.

So I dug in as without understanding MVC there was no hope I was going to 'get' this website.


MVC is actually a very nice way of structuring your application. Requests from the user go to the controller classes, which fetch data from the model (which holds the data and also implements the application logic) and hand it to the view classes for display. Each of the three parts can then change without the others needing to know.

From this simple understanding, I realised that my own internal website was very broken in terms of design, with these three components all mushed together into do-everything mega classes. Which is OK, but it makes extending the application much harder to engineer.


So now I find myself midway through redesigning my internal website to be MVC, as it just makes so much more sense. I guess I never really was a good website programmer. It's not my real job, I guess, but neither is anything else I do.

At least I haven't stopped learning!

Thursday 3 June 2010

OSPF Lab for CCNP ROUTE

This is the diagram for a lab I did recently to play with OSPF as part of my CCNP ROUTE study. As you can see from the notes, I used this to test:
  • Multiple areas
  • Summarisation at R8 to 10.8.0.0/16
  • Virtual link to join two separate area 0 networks between R1 and R5
  • I also messed around with R6 having interfaces in both area 8 and area 4 and was very surprised with the results. It still worked!

Tuesday 18 May 2010

Whoring myself about

It seems silly not to; then again, no one comes here, so why bother?

Confused? Check out the ad on the right for Amazon. Yep, I'm an Amazon associate and now I'm advertising their wares on this blog as well as my other site.

It's ok, I actually like books and Amazon isn't really that evil compared to some companies I know.

So, if you like, you can click on their ads and see what takes your fancy. On my site I have a book store where you can buy a bunch of Cisco books if you're studying for anything in that vein.

Please, help me out here!

Monday 10 May 2010

Only a year left of IPv4

Yep, on Friday my IPv4 counter was showing just under 500 days, but it's been updated to include the recent May allocations of two /8 blocks to RIPE. My counter now only reads 356 days until the end of the Internet!


Or at least for no more IPv4 blocks to be allocated to the RIRs. To quote the Simpsons(tm), "This is a perfect time to panic!".

Only 18 blocks left to allocate, won't be long now.

I predict not much will happen until the RIRs run out of addresses.

After that, who knows.

Sunday 25 April 2010

Certification treadmill

I just received my official CCNA Voice certificate in the mail on Friday. That makes three Cisco certifications I have now: CCNA, CCNA Security and CCNA Voice.

So now I am working on my CCNP which I first contemplated in 2002! This time I'm serious as I have two juniors at work, working towards their CCNA certificates and it would just feel wrong to be at the same level.

I've been faffing around with CCNA-level certificates; now I have finally pulled my finger out and booked the first exam for CCNP, ROUTE.

I am reasonably confident I can pull it off. I have ROUTE scheduled for the end of June, SWITCH for the end of September and finally TSHOOT (the most interesting-looking one) for December sometime.

But me being me, I have already been looking forward to next year. I wanted to do CCDP (design professional) as it's only one exam different from CCNP, until I realised that you needed the CCDA also. So next year the plan is to sit those two, CCDA then CCDP, and then perhaps CCNA Wireless so I can collect the whole set!

Sounds like a plan?

Should I go on to CCIE? Just for the hell of it?
I'm actually tempted to follow the design train on to CCDE and (dreaming now) CCA!

Tell him he's dreaming!

Monday 22 February 2010

CME <=> Avaya CM5

I'm currently studying for my CCNA Voice certification. As part of this I have configured a router with CME (Call Manager Express), which is the mini PBX that you can run on a suitable Cisco router.

I have managed to get most of this running as expected, as per the methods shown in the very useful CBT Nuggets videos which I have access to through work.

Yet there was one problem. Whilst I could call from Avaya to Cisco and have a proper voice path, calls from Cisco to Avaya failed. I would hear silence after dialling then eventually a busy tone.

I have been scratching my head for a week now trying to work out what was wrong, but the debug utilities on the Avaya side are nothing like the Cisco ones.

I took to considering the differences between the ideal network topology shown in the videos, where the CME router is configured as a router on a stick, and my own topology, where I have a router with two interfaces. My router had its own network for the IP phones, whilst the Cisco IP Communicator (CIPC) client that I was using was not on this separate network.

I started thinking about source and destination IP addresses. Now, the CIPC client had no issues registering from another network, presumably due to the ip source-address command under telephony-service. Yet this does not dictate what source IP address the router will use when talking to dial-peers.

Thus whilst I had configured my Avaya to talk to the CME router via its dedicated NIC, this only worked for call signalling coming from the Avaya. Call signalling coming from CME to the Avaya had a different source IP than the trunk far end I had configured on the Avaya, and thus the Avaya was rejecting the call attempt.

I simply updated the Avaya configuration to use the closest IP address (topology-wise) and voilà, it works. I can now dial from Cisco => Avaya and all details come across!

Lesson to be learned, don't assume things.

Tuesday 16 February 2010

BGP oh the joys

For reasons unknown, my internal routing protocol 'lost' its route to our provider-independent address space this morning. The symptoms were a complete loss of access to the Internet. Logging a fault with the relevant ISP returned a 'no problem here' response.

We have redundant Internet feeds so I was confounded that both of them should fail at the same time. Further investigation determined that access to the Internet worked fine using an address from the /30 each ISP provided for connectivity. So it was just our address space.

Whilst waiting for the ISPs to get back to me (I had made it clear it was a routing issue not a service issue) I double checked and lo and behold my gateway routers no longer had a route for our address block. I'm sure I had one before but not having one now meant BGP had nothing to advertise.

BGP is different from other routing protocols in that it will only advertise to other parties (peers in a different AS) prefixes that are already in your routing table: a network statement for a prefix does nothing unless a matching route exists.

I'm sure I had a route before, but thinking about it, I believe the route came from BGP in the first place. It's like a circular argument: it works as long as you don't stop. So some network change stopped BGP advertising our block of address space to itself, thus it no longer existed in the routing table of my gateway routers, and thus BGP could no longer advertise our block to the upstream providers.

Talk about a chain of events.

So I now have a static route to Null0 for our block to ensure BGP always has something to advertise. I should make it a backup route (high administrative distance) so my IGP can insert something more specific if it needs to.

Oh the joys.

Tuesday 19 January 2010

New Years Resolution

OK, I've decided what to do next after the CCNA Security certification. I will give myself this year to achieve CCNP certification. I have access to CBT Nuggets through work, so I will use that to get through my CCNP exams.

Wish me luck.

Wednesday 13 January 2010

Cisco Terminal Server

Today I have been setting up my new secure management network. This consists of a little segment behind a firewall that I will VPN into to get console access to critical routers in the network.

I had a 32-port async module from ages ago and went about configuring it.

Mostly it was reasonably straightforward, but I seemed to remember something about setting the modem type. So far I could get console access onto my PIX firewall and an old 2600 router acting as the console server. I just couldn't get the console on the switch working.

As it turns out, if you set the modem type to DialIn then that gets the switch console working.

Useful information for anyone out there trying this.

Friday 8 January 2010

Blast from the Past

I managed to stumble across this famous piece of writing from the formative years of the commercial Internet...

http://w2.eff.org/Censorship/Internet_censorship_bills/barlow_0296.declaration

I remember reading that whilst trying to patch together my degree at university, the same place I learnt about the Internet and how big it was. Of course the Internet of early-90s fame was far different from the one most people know today. Yet even then the potential of the medium was overwhelming to me, a struggling computing student.

The very concept of near-instant communication over the entire globe using email was astounding. I remember showing my sister the joys of real-time chat to random people in Perth. Of course this was before IM or even the web. This was back when search was via Archie.au and you could finger university servers to see who was logged in, then 'talk' to them directly.

Wow, what a flashback. How things have changed. Now almost everything is web based, just like everything is TCP/IP. I guess it's nice to have a little perspective and understand a bit about where things have come from.

Thursday 7 January 2010

A Difficult Choice

I have made a new years resolution to blog more...

I am coming up on ten years in my current job. Logic says it's time for a change, but after ten years change is a difficult thing to contemplate. I have the problem of having reasonable job satisfaction coupled with the nagging sensation that I could do better. Add to that the fact that I can't easily define my current position, and it makes the thought of changing jobs daunting.

I have considered network engineer, generic manager, project manager and can't think of what else.

Any ideas? I had been waiting for my boss to move up the food chain but I fear he's in the same boat as me, likes what he does, reluctant to move and just in a cushy place.

I have recently acquired my CCNA Security specialisation, but I just can't see work rating that as worthy of a pay increase considering I'm not a network engineer.

Oh the pain of it all.