About two weeks ago I picked up a GSM variant of the Galaxy Nexus smartphone. I decided that after almost two years with my Nexus One, it was time for an upgrade.
I've been running the Nexus One with CyanogenMod since mid-2010. As such, I've gotten used to the built-in BusyBox, enhanced power widget, status bar tweaks, OpenVPN functionality, and general hacker-friendly operation. I was hesitant to grab the Galaxy Nexus, which ships with Android 4.0 (codenamed Ice Cream Sandwich) until CyanogenMod 9, but I ended up ordering it anyway. Hopefully CM 9 will be out soon, but I'm not going to ask when!
If you're unfamiliar with the Nexus product line, it's a collection of Android devices (currently just phones) that run vanilla versions of Android. No carrier modifications or garbage are present, just plain Android. Unfortunately, a number of other Samsung devices sport names similar to the Galaxy Nexus, but should not be confused with it. Here's a list of Nexus devices that are pure vanilla Android:
Here's a list of the non-Nexus devices that may be confused:
The Galaxy Nexus is a large phone with a 4.6" (diagonal) screen at 720x1280 pixels. The screen itself is very sharp and clear, although sometimes with a white background some bands are visible. I can't tell if this is a manufacturing defect or not.
Unlike the Nexus One, the Galaxy Nexus has the sleep button on the side and lacks a ball. The only way to physically wake the phone is to hit this button, unlike on the Nexus One where it can be configured to wake on both sleep button and ball depress. I'm slightly worried that the singular sleep button might wear out over time, but perhaps I'm being overly paranoid.
Android 4.0 seems like a nice upgrade from the 2.3.x series. I've never used an Android tablet with 3.x so I'm not sure how many 4.0 features first appeared in that version. The user interface is GPU-accelerated and provides smooth transitions through menus, although after a few minutes I disabled all the animations in the hopes of maximizing battery life. The 4.0.1 version I'm running uses Linux 3.0.1:
    root@android:/sdcard # uname -a
    Linux localhost 3.0.1-ga052f63 #1 SMP PREEMPT Mon Nov 21 16:05:10 PST 2011 armv7l GNU/Linux
The voice recognition is vastly improved over previous Android versions, although I don't use it all that often. In Android 2.3.x, the voice recognition would require the user to speak a few words and those would be sent to Google and returned in text form at once. In 4.0, instead of buffering the whole phrase, apparently the audio samples are streamed live to Google, which results in recognized words appearing on the screen almost as they're said. In other words, there appears to be no limit to the number of words that can be recognized at once. Very cool, if you don't mind the extra data being chewed up by such things.
The GN has soft buttons instead of hardware buttons like on the Nexus One. These are nice because I can finally buy a pair of those touchscreen-friendly gloves and have them work! The Nexus One's hard buttons wouldn't ever work with those gloves, for some reason.
The photo gallery now automatically synchronizes Picasa albums, which struck me as a little odd when I first opened it. It's obvious that Google is trying to integrate Google+ more tightly with all aspects of Android. My contacts initially included all of my Google+ contacts, too, until I disabled that (I typically have no desire to call or e-mail the majority of my Google+ contacts).
The GSM variant of the Galaxy Nexus supports all GSM and UMTS frequencies used throughout the globe. This means that it can be used with any GSM carrier without the risk of things like HSPA+ not working. As a result, the phone works with both AT&T and T-Mobile out of the box.
The dual-core OMAP processor is interesting. Interesting as in only one core is active most of the time, with the second core only being used under high load or other situations. Perhaps this is the norm for dual-core CPUs in mobile devices, as it's an obvious way of extending battery life. Here's /proc/cpuinfo under normal situations:
    root@android:/sdcard # cat /proc/cpuinfo
    Processor       : ARMv7 Processor rev 10 (v7l)
    processor       : 0
    BogoMIPS        : 597.12

    processor       : 1
    BogoMIPS        : 597.12

    Features        : swp half thumb fastmult vfp edsp thumbee neon vfpv3
    CPU implementer : 0x41
    CPU architecture: 7
    CPU variant     : 0x2
    CPU part        : 0xc09
    CPU revision    : 10

    Hardware        : Tuna
    Revision        : 0009
    Serial          : 01298fc30100203f
Under high load the BogoMIPS value increases to 2047. I've seen both cores listed in /proc/cpuinfo in the past, but when writing this I was unable to trigger activation of both cores. Anyway, we can see this from the kernel log:
    root@android:/sdcard # dmesg|grep CPU|tail
    <6>[111361.896057] Enabling non-boot CPUs ...
    <4>[111361.912170] CPU1: Booted secondary processor
    <6>[111361.913208] CPU1 is up
    <6>[111361.917938] Switched to NOHz mode on CPU #1
    <4>[111362.918182] Disabling non-boot CPUs ...
    <5>[111362.918823] CPU1: shutdown
    <6>[111363.056030] Enabling non-boot CPUs ...
    <4>[111363.072174] CPU1: Booted secondary processor
    <6>[111363.073211] CPU1 is up
    <6>[111363.078124] Switched to NOHz mode on CPU #1
Speaking about CPUs, the developer options offer a nifty CPU utilization overlay graph to see what applications are hogging it:

Since it can be seen here, I'll point out that Zynga's craptacular development of Words With Friends still causes it to chew up 100% of a single core when running. I suspect this is due to polling things that should be event or interrupt-driven instead. The game is so addicting, though!
Unfortunately, there are a few things about the Galaxy Nexus that are annoying.
Let's start with the hardware: the phone is just too large. Or, maybe my hands are just too small! While holding the phone, I have trouble reaching my thumb up to the top left portion of the screen. At first this was just an annoyance, however after using the phone for 15-20 minutes my arm started hurting from the strain. The large size combined with its thin and somewhat slippery frame makes it easy to drop. I've had a few close calls already while using the phone outside with one hand.
The sleep button should be on the top of the phone, not on the side. I don't use a case or belt clip for the phone and usually put it in my pants pocket. Unfortunately I find myself accidentally hitting the sleep button when putting it into my pocket, which results in a few incorrectly dialed emergency numbers or screen unlock attempts.
The GN wouldn't connect to my 5 GHz SSID at home. I've got my Cisco 1142 WAP configured for 802.11a and 802.11n, but the GN wouldn't see it at all, whether the SSID was broadcast or not! More research is needed, but this was a let down.
The screenshot feature that's built into Android 4.0 is a little weird. Why didn't they just add it to the power menu (hold sleep) like CyanogenMod 7.x did? It's annoying to have to hold volume down and sleep.
A huge annoyance with Android 4.0 was that it automatically signed me into Google Talk without notifying me (I never use Google Talk). I only figured this out because I saw myself online from my other XMPP account. It was easy to disable, but this should not be on by default.
The SMS emoticon icons are really ugly:

In general, things crash frequently. I don't think I have bad hardware (RAM, etc.) because I've heard similar reports from other GN (LTE variants) users. Applications crash and the phone has hard locked twice. It's annoying that there's no watchdog that automatically reboots or some way to trigger a hard reboot via the sleep button. So, in the case of a hard lock, removing the back case and battery is required. Also, the back case seems flimsy and cheap. I feel like I'm going to break it half the time.
I've had AT&T as my wireless carrier since sometime in 2007. I've moved the same SIM card between over half a dozen different phones without any issue and mostly kept the same plan. Since the Galaxy Nexus supports all five UMTS frequencies, I figured I wouldn't have a problem using HSPA+ on AT&T and getting some extra speed over my Nexus One. Unfortunately, this didn't work out.
After using the phone for the first week, I didn't notice any increased speeds. The Ookla mobile speed test application returned plain old congested HSPA speeds (1.7 Mbps downstream, and < 1 Mbps upstream), although latency seemed to be improved (39 ms RTT). I was puzzled since the network type indicated HSPA+:
    root@android:/sdcard # getprop gsm.network.type
    HSPA:11
After searching around I came upon this article that basically convinced me to leave AT&T. Essentially, AT&T won't grant customers access to the enhanced backhaul that traditionally accompanies the HSPA+ connection unless they're equipped with a 4G data plan (no price difference). Unfortunately, the only way to get a 4G data plan is to have an AT&T-supported device (ie, device sold by them). Obviously, an unlocked GSM Galaxy Nexus wasn't one of these devices and lying about this to customer service wasn't going to do any good because the IMEI won't be accepted.
Some folks claim they've gotten the AT&T employees to temporarily associate an IMEI from one of the in-store phones with their account to activate the 4G data plan, then switch it right back. I didn't go down this road, not because I didn't think I could finagle myself a 4G plan, but because I don't agree with such a policy in the first place. I decided to switch to T-Mobile, and it was the best decision I've made in awhile.
The very next day I strolled into the local T-Mobile store and picked up a SIM card with the $60/month unlimited everything plan. After 2 GiB T-Mobile will cap me to EDGE speeds, but that's fine. I ported my number from AT&T and haven't looked back. The HSPA+ speed is blazing at night and not too bad during the day. The best I've gotten so far is 8 Mbps downstream and 1.7 Mbps upstream. Coverage at my condo is excellent and at work it's decent, too. Overall, it's slightly worse than AT&T but that hasn't bothered me, yet. What's a little strange is T-Mobile's internal IPv4 addressing scheme: they use pieces of 22/8 and 25/8 for mobile clients! I guess they don't have much public space to speak of and RFC 1918 can only go so far.
I also signed up for the T-Mobile IPv6 trial, which seems to work great. I think it'll work with any phone that sports an IPv6-enabled pppd, which aren't many, so far. The IPv6 trial is a separate APN that provides a single IPv6 address and DNS server (fd00:976a::9; it's whitelisted by Google over IPv6). IPv4 connectivity is provided by a NAT64 gateway alongside DNS64. The NAT64 prefix appears to be fd00:976a:c004:8fb1::/96 and the last 32 bits of this prefix directly map to an IPv4 address. Yes, these fd00 addresses are ULA, which makes sense so T-Mobile doesn't have to worry about their NAT64 gateway becoming accidentally public. I consistently get addresses out of the 2607:fb90:400::/40 prefix, and SSH seems to be allowed inbound! This makes copying files from my phone much easier when not on Wi-Fi. I have a feeling it won't last, though. Also, it's easy to switch back to the IPv4 APN with three taps, in case things go wrong. Two things that do not work on the IPv6 APN are MMS and applications that utilize ICMP.
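The /96 NAT64 mapping described above (the last 32 bits of the prefix are the IPv4 address) is easy to get wrong by hand, so here is an added example, not part of the original post, that synthesizes and decodes such addresses the way DNS64 and the host stack do. It assumes the prefix the author observed, fd00:976a:c004:8fb1::/96, and only handles the /96 embedding; the other RFC 6052 layouts are rejected.

```python
import ipaddress
from typing import List, Optional

# Assumption: the NAT64 prefix observed by the author on T-Mobile's IPv6 APN.
# It is a ULA (fd00::/8) so the gateway cannot accidentally be reached from
# the public Internet.
NAT64_PREFIX = "fd00:976a:c004:8fb1::/96"


def _load_prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        # RFC 6052 also defines /32, /40, /48, /56 and /64 embeddings with the
        # IPv4 bits split around a zero octet; they are deliberately not handled.
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return net


def nat64_synthesize(ipv4: str, prefix: str = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of the NAT64 /96 prefix.

    This is the address a DNS64 resolver puts in a synthesized AAAA record,
    and the destination the IPv6-only host then sends to; the NAT64 gateway
    strips the prefix and forwards to the embedded IPv4 address."""
    net = _load_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def nat64_extract(ipv6: str, prefix: str = NAT64_PREFIX) -> Optional[str]:
    """Reverse mapping: the embedded IPv4 address, or None when the address is
    outside the NAT64 prefix (a native IPv6 peer that never touches the gateway).
    Useful when reading tcpdump or firewall logs taken on the IPv6 APN."""
    net = _load_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(a_records: List[str], prefix: str = NAT64_PREFIX) -> List[str]:
    """What DNS64 does for a name that has only A records: synthesize one AAAA
    per A answer so an IPv6-only client can connect at all."""
    return [nat64_synthesize(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: a name with two IPv4-only answers.
    for aaaa in dns64_answer(["192.0.2.1", "198.51.100.7"]):
        print(aaaa, "->", nat64_extract(aaaa))
    print(nat64_extract("2001:db8::1"))  # native IPv6, not through NAT64
```

Applications that hard-code IPv4 literals (or, as the author notes, use ICMP) bypass DNS64 entirely and never get a synthesized address, which is why they fail on the IPv6 APN.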
The Galaxy Nexus is a great, albeit buggy, phone.. if you've got big hands and have T-Mobile. Otherwise, get the LTE version from Verizon Wireless and stay in the country. Android 4.0 has promise, if they can fix the bugs. Overall, I think everything software-related will be better when CyanogenMod 9.x is released!
A number of sites on the Internet are blacked out to protest SOPA and PIPA:
I figured I'd do the same (see the top banner). To get a list of your representatives (so you can tell them to voice opposition to both these bills), go here.
I recently deployed DNSSEC on almost all of my domains and lived to talk about it!
A little history, first. Back in July of 2010 I used ISC's DLV registry to sign one of my domains since the com. and net. TLDs weren't signed at the time. The DLV registry provided a list of trust anchors so individuals could sign their domains and DNSSEC validating caches could easily look them up. I signed tengigabitethernet.com. with no ZSK rollover and it worked! I also configured all of my internal caches to perform DNSSEC validation (dnssec-validation yes; along with making sure the "." keys are fresh).
Since com., net., org., and most other TLDs are now signed, a few months ago I decided it was time for me to sign the remainder of my domains and figure out how to perform automatic ZSK rollover.
I first started reading a few documents about the right way to sign zones and get together a sane configuration with BIND (9.7.3 at the time). This howto probably contained the most information, so I used it primarily. Creating the keys and signing domains was familiar to me at this point, so that was mostly review. I then started to research the best way of performing automatic ZSK rollover, which turned out to be the difficult part.
For security reasons, it's recommended to roll over the ZSKs (zone signing keys) periodically. The ZSK signs the zone's records; the KSK signs only the DNSKEY RRset and is the key the parent's DS record points at, so rolling it involves the registrar and is done far less often. I decided that it would be good to roll my ZSKs every other month (the odd-numbered months, specified as 1,3,5,7,9,11 via cron). After searching the Internet for some suggestions on best practices for ZSK rollover, it seemed that most folks were using a new directive in BIND that took the thought out of this: auto-dnssec.
The auto-dnssec configuration directive was introduced starting with BIND 9.7.0 and includes the ability to automatically re-sign zones and perform routine key maintenance, including key rollovers. Apparently this feature was introduced prematurely and creating new keys with auto-dnssec automatically wasn't possible until 9.8.0. This sounded like exactly what I wanted, however.. a bit of a rub: this requires that all zones be converted to dynamic zones. This is required because BIND needs to constantly re-write the zone files (it actually uses a journal) and maintain them by keeping serial numbers updated.
Dynamic zones didn't seem to be a big deal at first, but I decided I didn't want to go this route right now for a number of reasons. First, moving from a static zone to a dynamic zone removes the ability for me to edit the zone file by hand, which I've gotten used to doing. Maybe I'm the only one who does this, but I use zone files in lieu of an official IP address management system and include all sorts of comments in them. To maintain dynamic zones, one must use the nsupdate(1) utility that ships with BIND. It's not a difficult tool to use, and very easy to script. The second reason is somewhat related: I was unable to find the equivalent of $GENERATE macros to use with nsupdate. This may be by design, but it's annoying.
A few workarounds for the above might be to move comments to TXT records and write scripts to emulate $GENERATE functionality that prepare a batch of nsupdate commands. I suspect down the line I will eventually have to cave and move to a dynamic style of DNS zone maintenance, but it's not going to be today.
So, after deciding I was going to keep things manual, I created some scripts from scratch to handle ZSK rollover. They run dnssec-keygen, dnssec-signzone, and reload BIND as needed. I automated serial number generation and initial DNSSEC key generation at the same time. Long story short, this allows me to still edit the original zone files in my external view and have the signed copies be served up by BIND. The copies of each zone have ".signed" appended to their names and these zones are included in named.conf.local (yes, I'm using Debian GNU/Linux). It's a little wasteful, because I have a shared SOA for all of my domains and my scripts re-sign all of my zones for any DNS change. Although for my setup, it's not a big deal.
If you're curious what these scripts look like, check them out here. Please keep in mind that these are very specific to my setup and if you decide to use them you'll essentially have to figure them out yourself and obviously change update-soa.sh to reflect what you want your SOA to look like.
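The one piece of the manual workflow that bites people is the serial number: dnssec-signzone produces a new signed zone, but secondaries only transfer it if the SOA serial went up in serial-number arithmetic (RFC 1982). The following is an added example, not the author's scripts, that implements a YYYYMMDDnn serial scheme with the edge cases handled (several changes on one day, a zone already ahead of today's date, and wrap-around at 2^32) and rewrites the serial in a zone file. It assumes the serial is the first integer after the SOA's opening parenthesis, and the zone fragment in the usage block is constructed using the reserved example.com name.

```python
import datetime
import re
from typing import Tuple

SERIAL_MOD = 1 << 32  # SOA serials are unsigned 32-bit (RFC 1035)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if a is 'newer' than b.

    Secondaries use this comparison to decide whether to transfer, so a serial
    that wraps past 2^32 - 1 still counts as greater as long as the jump is
    smaller than 2^31."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    half = SERIAL_MOD // 2
    return (a < b and b - a > half) or (a > b and a - b < half)


def next_serial(current: int, today: str) -> int:
    """Date-based YYYYMMDDnn serial; `today` is a YYYYMMDD string such as
    `date +%Y%m%d` prints.  The first change of the day resets nn to 00 and
    every later change increments.  If the zone is already at or past today's
    base (clock skew, a hundred-plus changes in one day, or a serial left over
    from another scheme) we just increment, so the serial never goes backwards."""
    if not re.fullmatch(r"\d{8}", today):
        raise ValueError("today must be YYYYMMDD")
    base = int(today) * 100
    if current < base:
        return base
    return (current + 1) % SERIAL_MOD


# Assumption: the serial is the first integer following the SOA's opening "(",
# whether the record sits on one line or is spread over several.
_SOA_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)", re.IGNORECASE | re.DOTALL)


def bump_soa_serial(zone_text: str, today: str) -> Tuple[str, int]:
    """Return the zone text with its SOA serial advanced, and the new serial."""
    m = _SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a parenthesised serial found")
    old = int(m.group(2))
    new = next_serial(old, today)
    # Belt and braces: the whole point is that secondaries notice the change.
    if not serial_gt(new, old):
        raise RuntimeError("serial did not advance: %d -> %d" % (old, new))
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new


if __name__ == "__main__":
    # Constructed zone fragment; run this before dnssec-signzone so the signed
    # copy carries the new serial.
    zone = (
        "$TTL 3600\n"
        "@ IN SOA ns1.example.com. hostmaster.example.com. (\n"
        "        2011123101 ; serial\n"
        "        7200       ; refresh\n"
        "        3600       ; retry\n"
        "        1209600    ; expire\n"
        "        3600 )     ; minimum\n"
    )
    text, serial = bump_soa_serial(zone, datetime.date.today().strftime("%Y%m%d"))
    print(serial)
    print(text, end="")
```

Note that dnssec-signzone has its own -N option for serial handling, but if the unsigned master file is the source of truth (as in the author's setup) the serial has to be advanced there, or the next re-sign will silently reuse the old one.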
Anyway, to get my DNSSEC setup live, I took the DS records (dsset-*) and had my registrars add them to the parents. This is required so caches that have DNSSEC validation enabled will go ahead and actually perform validation. The DS record authenticates the chain of trust from the parent down to the child zone: com. publishes a DS record for prolixium.com. (signed with com.'s own keys) carrying a hash of the prolixium.com. KSK, and a validating resolver uses it to check that the DNSKEY RRset it fetched from prolixium.com. is the genuine one before trusting that RRset to verify the RRSIG RRs on each record queried. Here's how it looks:
    % dig +short @a.gtld-servers.net. prolixium.com. DS
    57876 7 1 5B9D902C4E4B15833369B7EED602370B3A525334
Now, this is where it sometimes gets hairy. Since adding the DS record to the parent is the registrar's responsibility, they may or may not support it, or may only support it for a subset of their zones. Even worse, some registrars may advertise support for DNSSEC but in actuality only support it when you use their nameservers as opposed to your own. Because of this, make absolutely sure your registrar has an option in their interface for adding DS records beforehand.
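Since the registrar step is where things go wrong, it pays to be able to check for yourself that the DS the parent serves actually corresponds to your KSK. The following is an added example, not part of the original post, that parses a DNSKEY in presentation form (what dnssec-keygen writes to the K*.key file), computes its key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4), and compares against a DS string in the same "tag alg type digest" form that dig prints above. The DNSKEY used in the usage block is a constructed one with a nonsense public key, so the digests it produces are not the author's; digest type 1 (SHA-1) is what the dig output shows, type 2 (SHA-256) is what you should publish today.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# DS digest types (RFC 4034, RFC 4509). Anything else is treated as unusable.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError("bad label length in %r" % name)
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(text: str) -> Tuple[str, int, int, int, bytes]:
    """Parse a presentation-format DNSKEY record such as the contents of a
    K<zone>+<alg>+<tag>.key file.  TTL and class are optional and the base64
    key may be split across several whitespace-separated tokens."""
    toks = text.split(";")[0].split()
    i = toks.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in toks[i + 1:i + 4])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], flags, protocol, algorithm, pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum over the RDATA that a DS
    or RRSIG uses to say which DNSKEY it refers to.  It is not a hash and can
    collide, which is why the digest is still compared afterwards."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(owner name in wire form | DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> str:
    """The DS RDATA to hand to the registrar: '<key tag> <alg> <digest type> <digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type,
                            ds_digest(owner, rdata, digest_type))


def ds_matches(parent_ds: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey: bytes) -> bool:
    """Check a DS served by the parent against the child's DNSKEY the way a
    validator does: key tag and algorithm must agree, the digest type must be
    one we support, and the digest must match."""
    tag, alg, dtype, digest = parent_ds.split()
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if int(tag) != key_tag(rdata) or int(alg) != algorithm:
        return False
    if int(dtype) not in DIGEST_ALGS:
        return False
    return hmac.compare_digest(digest.upper(), ds_digest(owner, rdata, int(dtype)))


if __name__ == "__main__":
    # Constructed KSK (flags 257 = zone key + SEP) with a bogus two-byte public key.
    owner, flags, proto, alg, pub = parse_dnskey(
        "prolixium.com. 3600 IN DNSKEY 257 3 7 q80=")
    ds = make_ds(owner, flags, proto, alg, pub, 2)
    print(ds)
    print(ds_matches(ds, owner, flags, proto, alg, pub))
```

To check a live domain, paste the DS line from `dig +short @a.gtld-servers.net. <zone> DS` into ds_matches along with the DNSKEY from your K*.key file; a False result after a registrar transfer is exactly the silent breakage to look for.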
As an aside, Go Daddy has excellent DNSSEC support, but unfortunately supports the evil that is SOPA (their latest flip-flopping should not distract you from the fact that they potentially helped write it and also got an exception from the shutdown clause). I had most of my domains with Go Daddy but moved all but one to name.com and Joker. name.com irritated me because they only officially support DNSSEC for org., have no mention of DNSSEC in any of their knowledge base, and initially filed my support inquiry as spam. Fortunately the DS records in the parents ended up staying put even after the transfer from Go Daddy, so I guess I'm set for now. Joker supports DNSSEC for all of their domains that are signed.
After signing my zones, I used two web-based DNSSEC checking utilities to validate my configuration: DNSViz and the Verisign DNSSEC Debugger.
In conclusion, although signing zones the manual way ends up taking much longer and causes much more pain, it's a great way to learn DNSSEC!
Here's my traditional Year in Review article for 2011. Last year I deviated from the norm by writing an entry on my predictions for 2011 and beyond, but that was only a one time deal.

It's been a big year for IPv6 (come on, you knew I would be starting this with something IPv6-related). World IPv6 Day was the catalyst for many IPv6 initiatives throughout the globe, as well as one at my place of employment. Although I can't specifically state who I work for in a blog or web forum I can say that it's a large MSO. I led the effort to dual-stack our enterprise network and more or less succeeded by the time June 8th rolled around, although we didn't participate directly in World IPv6 Day. Our website was dual-stacked a few weeks after and, from what I know, there hasn't been a single problem reported! The above image of IPv6 statistics from World IPv6 Day is courtesy of Akamai.
Oh, one more thing about IPv6.. my license plate was featured on a NetworkWorld slideshow, for obvious reasons.
On the FOSS front, I made contributions to two projects: MTR (the traceroute program) and the Linux kernel. I added some stability fixes and IPv6 support (via reverse engineering) to the LG-VL600 USB LTE modem driver in the Linux kernel (see here). The LG-VL600 is one of the USB modems that's sold by Verizon Wireless for use on their LTE network. I also created a patch to decode ICMP extensions for MPLS (see here), which has recently been included in version 0.82.
I've educated myself quite a bit on the operations of DNSSEC and have signed 7x of my domains with automatically rolling ZSKs, so far. I'll be writing up a blog entry solely on my experience with DNSSEC in a few days, so stay tuned!
I passed the JNCIP-SEC Juniper Networks certification. Hopefully in early 2012 I'll be able to attempt the JNCIE-SEC!
As far as work itself is concerned, 2011 wasn't the best of years due to a variety of factors. It wasn't a complete and utter disaster, but it wasn't a good year, either. We'll see if 2012 can do better!
I turned 30 years of age. Really, there's not much else to say about this because it wasn't all that enjoyable. I'd prefer to tell people my current age is 0x1e, but I have a feeling that might result in some strange looks.

Early in 2011 I decided I wanted to get into photography, so I took an introductory DSLR class at The Light Factory in uptown Charlotte. I also picked up a Canon 60D with the EF-S 18-135mm f/3.5-5.6 IS and EF-S 60mm f/2.8 Macro USM lenses. Later in the year I picked up the EF 70-300mm f/4-5.6 IS USM (unfortunately not before leaving for the Galápagos Islands).
The Light Factory class, although fairly basic, provided the foundation I needed to continue exploring my new-found hobby. Among other things, I found I like to take evening photos of cityscapes or close-ups with the macro lens. I've lately been trying out the fad that is HDR (without making the result look completely silly).
I keep telling myself I'll eventually setup a separate website for my photography, but for now it's just strewn around here. In the meantime, some of these images might be interesting.
For those interested, the simple montage above was created by GIMP 2.6 running under Mac OS X - the compilation errors when using MacPorts suddenly disappeared one day! Images sources (left to right): Lightning, IMG_0510.jpg, and img_0342.jpg.
In addition to my standard trips up and down the east coast of the United States for work and family visits, I took two other noteworthy trips in 2011.
To attend NANOG 51, I traveled to Miami, FL in early 2011 and stayed at the Hotel InterContinental Miami just outside the downtown area. The NANOG conference is a North American tri-yearly get together for network operators and Internet companies. It's basically a fun geek-out for engineers, complete with presentations and panels discussing various technologies and issues. Although some folks attend individually, most are there representing their employer and have its AS number on their badge, which I did.
I had a great northeastern view from my hotel room, so I took a time-lapse of the sunrise one morning and added some trance music to it!
I also took a trip to the Galápagos Islands. It was a fascinating experience and certainly worth the almost two weeks away from the office (for several reasons). It's one thing to see wildlife from a distance or behind bars, but completely different to have them prance right in front of you (sea lions and marine iguanas). This trip marked the first time in my life that I've crossed the equator. I got a silly t-shirt for it, too..
Several of my friends got engaged and a few got married in the past year. Actually, I think most of the engagements happened in the past two weeks of 2011.. enough that I thought I was missing out on some conspiracy! I'm just joking, if it's not apparent. Also, did I mention I've been seeing someone for the last couple of months? Well, I have been! She's quite fun to hang out with and isn't scared of all my computer and networking equipment.
I suppose the last thing I should mention about 2011 is SOPA. Hopefully you know what it is, and don't need to click on the link. Anyway, back in September I finally got sick of Register.com's high prices and lack of DNSSEC support, so I moved prolixium.com and prolixium.net to Go Daddy where I had a few other domains. I also bought a wildcard SSL certificate from them for prolixium.com. Little did I know that they had a hand in writing SOPA and initially supported it (most folks think they still do, since there's a section of the bill that excludes Go Daddy domains from certain shutdowns)! Not wanting to have anything to do with a company that supports such a dangerous bill, I moved 6x of my domains away from Go Daddy a few days ago, but have to wait until January to move prolixium.com and prolixium.net. Is it a waste of money? No, it's not - it tells companies that SOPA is important to customers and they should not support it. Hopefully there will be some votes against the bill in 2012 and it won't pass. Otherwise, 2012 will start with Internet censorship in the United States, which would be nothing short of a travesty.
I suppose the last thing to share are my 2012 new year's resolutions. I'd rather not make them all public, so here are just a few of them:
Obtain the JNCIE-SEC certification
There's not much else to say about this one. I got the JNCIP-SEC earlier this year, but I would like to wait for one of the boot camps to be offered so I can get some real study material.
Be nicer at work
I've been a bit of a grouch and pessimist at work over the last year - possibly for good reasons, but that doesn't matter. However, in 2012 I will try not to say I don't care or be overly pessimistic about anything.
Exercise more
I swim 4-5 days a week now, doing 2,600 meters in each 45-50 minute session. However, almost all of that is freestyle with only one or two lengths of butterfly mixed in. I'd like to increase that to two full laps of butterfly per session.
I currently do 20 push-ups and 20 sit-ups each morning. This is going to be a tough one on the weekdays (due to time constraints - I hate getting up early!), but I'm going to try to double both of these.
Make three contributions to FOSS projects
In 2011 I contributed to MTR and the Linux kernel with patches that added functionality and fixed bugs. I'd like to increase this number to three, this year. I believe in free and open source software, and although I'm not that great of a programmer, I'd like to help make it better.
Blog more, Facebook less
I need to blog more often. Right now I average about one or two blog entries per month - I'd like to increase that to one or two blog entries per week. The topics will remain the same (technology, science, rants, etc.).
I also need to limit viewing Facebook to once every other day or even less. It's typically a big waste of time for me and I think I've spent way too much time on it in 2011. I really don't need to see pictures of naked newborn babies, people writing love letters to each other via their walls (although it is still amusing to see that some people still think wall to wall conversations are private), checking in at each and every restaurant they visit, or letting the world know they completed their workout of the day.
Although I'm going to detach from Facebook a bit more, I'm going to try to go in the opposite direction with Twitter. Unlike Facebook (or even Google+, at this point), I find Twitter to be quite informative on matters of technology and news. It's also a great place to crowdsource questions or recommendations on technical topics. It's also fun to have some communication with celebrities (my definition of celebrities include creators of BitTorrent, trance producers and DJs, etc.) every once and awhile.
Make >= 100 edits to Wikipedia
I really like Wikipedia. I think it's one of the best things on the Internet and I contribute to it with my time (edits) and money (yearly donations). I only made 29 edits this past year, but I'd like to make over 100 in 2012.
And that's it. Have a Happy New Year!
I've recently heard a few instances of the word factoid used incorrectly when fact should have been used instead. Apparently some individuals think that factoid is a fancy version of fact when it couldn't be farther from the truth:
Here's fact from Dictionary.com:
fact [fakt]
noun
1. something that actually exists; reality; truth: Your fears have no basis in fact.
2. something known to exist or to have happened: Space travel is now a fact.
3. a truth known by actual experience or observation; something known to be true: Scientists gather facts about plant growth.
4. something said to be true or supposed to have happened: The facts given by the witness are highly questionable.
5. Law. Often, facts. an actual or alleged event or circumstance, as distinguished from its legal effect or consequence. Compare question of fact, question of law.
And now factoid:
fac·toid [fak-toid]
noun
1. an insignificant or trivial fact.
2. something fictitious or unsubstantiated that is presented as fact, devised especially to gain publicity and accepted because of constant repetition.
Even Urban Dictionary has got it mostly correct.
So, if you're just going to use factoid to sound cool.. don't!
It's been awhile since I've written anything here, so this will be a somewhat combined post.

For three days last week I attended an IPv6 training course at the Microsoft campus in Charlotte. The course was primarily for systems engineers from my department, but I sat in with the hopes that I might pick up a thing or two that will help keep our teams on the same page regarding IPv6 deployment.
The course went over IPv6 basics, transition technologies, deployment considerations, and touched a little bit on security. There were a few labs, which involved setting up various IPv6-related scenarios on Windows Server 2008 R2 (via Hyper-V on laptops, shocker there).
The content of the course was fairly decent, except for three major errors that I pointed out during the instruction:
(1) It was initially stated that clients send one DNS request to their local cache. The cache decides if it should return an A or AAAA record, based on some fictitious variables. This was corrected (DNS clients send both A and AAAA queries to the cache, then themselves determine which should be used based on the presence of a GUA address and default route).
(2) When discussing 6to4 tunneling, it was stated that local relays should be used, with no mention of 192.88.99.1. Oddly, the course material stated that 6to4.ipv6.microsoft.com should be used as the relay, which has an A record of 192.88.99.1.
(3) It was stated that router-to-router links must use /64s. I cited that many major ISPs in the United States currently use /126s and /127s for such links, backing it up with some text from RFC 6164 (section 5, specifically).
The course also introduced some strong recommendations I vehemently disagreed with, one of which is the use of RAs and DHCPv6 in the enterprise data center. The instructor stated over and over again that it's hard to type in IPv6 addresses compared to IPv4 addresses for every single server, when using static assignments. So, of course, the solution is the use of RAs (with the M and O flags set), DHCPv6, and DDNS.
I think this is a horrible idea because of the added complexity and dependence on not one, or two, but three external services: router advertisements, DHCPv6 services, and dynamic DNS. The failure of any of these can possibly lead to servers becoming unreachable after a reboot or other network-related interruption. To get even more basic, I object to the use of router advertisements (RAs) in the enterprise data center, to begin with. Sure, in greenfield deployments this might be fine, but turning up RAs causes all IPv6-aware hosts to add a default route, if nothing else (assume the A flag is disabled). This is all some operating systems need to cause the network stacks to start resolving AAAA records and attempt to connect to IPv6 addresses before they're really ready. So, then, in order to selectively turn up IPv6 on some servers, all the other servers must be configured to not accept RAs - a monumental task for most enterprises where there are many platforms involved.
It was also mentioned that the DHCPv6 server on Windows Server 2008 R2 doesn't support static reservations for clients, so there's no way to ensure that clients receive the same address each time, other than the almost infinitely large address space in a /64. For this reason, it appears that it might not be possible to definitively predetermine the IPv6 address of a server before it hits the wire in the data center. To add some icing on the cake, it was suggested that firewall policies be based on the DNS, not addresses or prefixes!
Really, is manually typing an IPv6 (and IPv4) address that difficult to do during the server provisioning process? It only needs to be done once, and can easily be scripted. I asked the instructor for the reasoning behind this DHCPv6 recommendation, and got nothing more than "typing IPv6 addresses is hard." Flummoxed, I started up a thread on the IPv6 operations mailing list, but got back less than definitive results.
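The whole argument above turns on three bits in the Router Advertisement: M and O (use DHCPv6 for addresses / for other configuration) and the A flag in the Prefix Information option (form a SLAAC address), plus the router lifetime, which is what installs the default route. The following is an added example, not code from the original post or from the course, that decodes those fields from an RA body and reports what a default-configured RFC 4861/4862 host would do with it. The RA it parses is constructed in `build_sample_ra()` for the demonstration (prefix 2001:db8:1:2::/64, a made-up link-layer address); nothing is captured from a real network.

```python
"""Decode the flags of an ICMPv6 Router Advertisement (RFC 4861) that decide
whether a host adds a default route, forms a SLAAC address (RFC 4862), or
turns to DHCPv6.  Added example, not code from the original post; the RA
built by build_sample_ra() is constructed for the demonstration."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an RA body (ICMPv6 header onward, no IPv6 header) into its flags."""
    if len(payload) < 16:
        raise ValueError("RA body shorter than 16 bytes")
    (icmp_type, code, _csum, _hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & 0x80),       # M: get addresses via DHCPv6
        "other": bool(flags & 0x40),         # O: get other config (DNS, ...) via DHCPv6
        "router_lifetime": router_lifetime,  # 0 means "do not use me as a default router"
        "prefixes": [],
    }
    # Options are TLVs; the length is in units of 8 octets and zero is invalid
    # (parsing a zero-length option would loop forever).
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("option with zero length")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len, pflags, valid, preferred = struct.unpack("!BBII", payload[off + 2:off + 12])
            network = ipaddress.IPv6Network((payload[off + 16:off + 32], prefix_len), strict=False)
            ra["prefixes"].append({
                "prefix": str(network),
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: form a SLAAC address
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off = end
    return ra


def host_behaviour(ra: dict) -> dict:
    """What a default-configured host does on receiving this RA."""
    return {
        # Any RA with a non-zero router lifetime installs a default route,
        # whatever the A/M/O flags say.
        "adds_default_route": ra["router_lifetime"] > 0,
        "forms_slaac_address": any(p["autonomous"] for p in ra["prefixes"]),
        "dhcpv6_for_addresses": ra["managed"],
        # O is implied by M; O alone means stateless DHCPv6 (config only).
        "dhcpv6_for_other_config": ra["managed"] or ra["other"],
    }


def build_sample_ra(managed: bool, other: bool, autonomous: bool) -> bytes:
    """Constructed RA body (checksum left zero) with one Prefix Information
    option for 2001:db8:1:2::/64 and a made-up source link-layer address."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    head = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)
    prefix = ipaddress.IPv6Address("2001:db8:1:2::").packed
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, 64, pflags, 2592000, 604800, 0) + prefix
    sll = struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER, 1, bytes.fromhex("001122334455"))
    return head + pio + sll


if __name__ == "__main__":
    # The course's data-center recommendation: M and O set, A cleared.
    ra = parse_router_advertisement(build_sample_ra(managed=True, other=True, autonomous=False))
    print(ra)
    print(host_behaviour(ra))
```

Run it and the M+O, A-cleared case shows the point made above: the host adds a default route and is told to use DHCPv6, and it gets no SLAAC address, so its reachability now depends on the DHCPv6 server. A server that should stay IPv4-only until it is ready has to ignore RAs entirely; on Linux that is the per-interface sysctl `net.ipv6.conf.<ifname>.accept_ra=0`, which has to be set before the first RA arrives.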
Anyway, the course was fairly well-received by the systems engineers, and I think it'll help speed up deployment in our data centers (erm, it's been there for a while, but no RAs!). However, I have a feeling I'll be fighting folks on the DHCPv6 issue in the future, if Microsoft sticks with their current recommendation. I got to pass by the Microsoft company store as part of the trip, and picked up some software on the cheap and a Microsoft shirt I'll be sure to wear to the office (to confuse everyone, obviously).
In unrelated news, there's a bill floating around in the House of Representatives that could possibly do some decent damage to the Internet in the United States: SOPA. The Stop Online Piracy Act (SOPA, H.R. 3261) is a bill introduced in the House with the goal of fighting copyright infringement and counterfeiting on the Internet. Unfortunately, this bill is so broad that it threatens some open source projects and opens the door for federally-mandated DNS filtering (i.e., censorship), something that should send shivers down your spine. Read more about it at the EFF. Feel free to call or write to your congressmen and state representatives about it. Really, this bill needs to be done away with.
Oh, I finally got a real SSL certificate for *.prolixium.com from GoDaddy recently. If you hit the SSL version of my site, you shouldn't get any certificate errors. I also transferred prolixium.com and prolixium.net from Register.com to GoDaddy. It was fairly painless, but took a week for Register.com to get me the EPP codes and authorize the transfer. Other than Register.com's prices being highway robbery, I transferred because of this response to my question about DNSSEC support:
Discussion Thread
---------------------------------------------------------------
Response Via Email(David B.) - 11/03/2011 01:14 PM
Dear Mark,
Thank you for contacting Register.com.
We currently do not support the DNSSEC provision in the registry and at this time there is no indication that this will be added for our customers.
If you have any further questions, please reply to this email or contact a Web Services Consultant 24 hours a day, 7 days a week, at the numbers below.
Thank you for choosing Register.com.
Customer Support
Register.com, Inc.
Toll free within the U.S. and Canada: (877) 731-4441
Outside the U.S. and Canada: (902) 749-5918
Well, now that I'm with GoDaddy for almost all of my domains, and they support DNSSEC now, I should probably set it up, right? Yeah, I'll get to it later!
I'm really sick of UIs going through constant changes. Why do new versions of operating systems feel the need to alter the user interface, when the original one works fine?
Windows 8, ICS, Mac OS X, and even Ubuntu are all forcing users to learn a new user interface. Why? The old one works fine! Sure, Windows 7 and Android 2.3 (and 3.x) may have some bugs and quirks.. but do they need a different UI? I don't think so. iOS, strangely enough, has stayed mostly the same over the years. Go Apple! Alright, I said something nice about Apple, but I'll bash them later (read on).
This isn't limited to operating systems, either. Microsoft Office 2007 radically changed the user interface for almost all of their office applications (Visio didn't see the change until 2010). As a long time Microsoft Office user (Outlook, Visio, and Word), the change cost me some time to get used to. Annoying!
Again, why?
Steve, a coworker and friend of mine, has a good answer:
So people see a "difference". "Oh, it's upgraded, it looks different"
I think he hit the nail on the head. Most consumers don't care about kernel scheduler optimizations, filesystem tweaks, API fixes, or support for the latest and greatest protocols. If the UI looks the same, they will whine that there isn't much of an upgrade. Heck, if the UI changes, most software companies can claim that they've got a new operating system, even though most of the APIs, kernel code, etc. hasn't been touched.
Alright, let's ask why.. again.
Well, I think a part of this is due to Apple. Over the last decade, people have gone from knowing a little bit about the inner workings of their computers and operating systems to not caring one bit. I hear so often "I use Apple because it just works" and "I don't care how it works." Sure, that's fine, but now because people don't know or care about such things, they don't put any thought to the changes that happen at this level. So, moving from 2.4 to 2.6 of the Linux kernel isn't seen at all by the user, if all they are basing the upgrade on is the user interface. If Apple swapped out the *BSD core of OS X and replaced it with the Linux kernel but kept the UI the same.. would most consumers care? Probably not.
Let's think about this from another perspective. If Juniper Networks decided to throw out the CLI for its flagship Junos network operating system (say, for version 12.0) and come up with something completely different, network service providers (NSPs) and enterprises would have a cow! There'd be an "Occupy Juniper" movement almost instantly. Sure, it might work out over the next year, but then if they did the same thing in 14.0, they'd probably start losing large customers.
Sure, it's comparing apples and oranges, but it's interesting to think about.
For now, I guess we're left with changing UIs every year or two for consumer electronics. Maybe it'll settle down in the future, but I don't see that happening any time soon.
What do you think? Am I off my rocker? Yes, probably..
I recently returned from a trip to the Galápagos Islands. It was a fantastic and eye-opening week and a half in Ecuador, and I'll try to recount the highlights.
First, a quick technical note about the photos and videos...
I took my Canon 60D with the 18-135 mm zoom and 60 mm macro lenses, but I only ended up using the 18-135 mm one. There were some shots that would have looked fantastic with the macro, but I probably would have been scolded since we were supposed to stay at least eight feet away from all the wildlife. Anyway, I took a few photos and videos. The video clips (720p@60, H.264) amounted to 21 GiB and the photos (5184 x 3456 pixels, JPEG) to 9.7 GiB with a grand total of roughly 30.7 GiB. I was using a 16 GiB SD card, so I got in the habit of swapping it out every day. I took most of the shots in manual mode with the aperture wide open, only varying the shutter speed, focal length, and ISO settings. Automatic mode just wasn't producing very good shots, for some reason. I used UV and circular polarizer filters for some of the days. Also, I bought a mini-tripod but never really used it.
If you don't care to read the highlights below, and want to jump straight to the photos, here you go:
The above is more or less in order, except for the Quito (some photos were taken during the second visit) and miscellaneous galleries. A very small percentage of the photos aren't mine, and they should be obvious (because they might be of me!). If they're not, just look at the EXIF data at the bottom of the image - pictures that aren't mine aren't shot with a Canon 60D (or Nexus One). Below is a timeline of the trip followed by some details on the wildlife and miscellaneous observations. I've interleaved some smaller and/or cropped variations of the above photos, too.
The itinerary we took was dictated by Celebrity Cruises, since this was in fact a river cruise (probably just to distinguish it from a Caribbean or Mediterranean-type trip). We flew to Quito, Ecuador via Houston, TX and arrived in the early morning on September 30th, staying at the JW Marriott Quito. We spent two days there; one by ourselves and one with the Celebrity tour group (90 people who accompanied us on the ship, too, and some tour guides). And, shocker.. I got a sunburn the first day since I'm a bit stupid and like to learn the hard way every year.
The tour group exposed us to some of the highlights of the area: government buildings, old churches, the local cuisine (love the blackberry juice!), and a trip that took us north of the city to a location that was supposedly at a latitude of 0°0'0" (it actually wasn't, since the original inhabitants didn't have GPS receivers at the time, but it was close enough). Here's a screenshot of the GPS receiver information on my phone:
Since Quito is located in the mountains, the temperature was fairly cool for being so close to the equator. When we were there it got up to around 25°C during the day but got down to 12°C during the evening and part of the morning.
From Quito we took a roughly two hour flight to the Galápagos Islands, specifically Baltra Island, since that's the only one with an air strip. The airline was called AeroGal, and appeared specific to trips between the Galápagos Islands and the South American mainland. Upon arriving in a tiny airport, we took a bus to the bay and traveled to our ship, the Celebrity Xpedition, via Zodiac (a name-brand dinghy), since it wasn't anchored in the bay. In fact, all of our excursions were via Zodiac, which made things interesting when the sea was choppy.
The Celebrity Xpedition is a small boat built in 2001. It's registered in Guayaquil and carries a maximum of 100 passengers and 65 crew. As a result it moves quite a bit more than other typical larger cruise ships. I saw quite a few passengers with the sea sickness patches behind their ears. Since there were three of us, we got a suite with a verandah, which was a nice touch.
The Xpedition took us around to eight of the islands, crossing the equator twice along the route:
The weather in the Galápagos was probably around 22 to 24°C most of the time and partly cloudy during the day. It was sunny sometimes, but certainly not the majority of the time.
Our first excursion was on Sunday, which took us around and onto North Seymour Island via Zodiac. The first thing I noticed about the island is that it was very dry and desolate with lots of cacti and some little green bushes strewn about. This description pretty much sums up all of the Galápagos Islands (except some of the highlands) at this time of year. The rainy season between December and February is when it gets very green.. and overrun with bugs and inclement weather.
We saw sea lions, blue-footed boobies, frigatebirds, yellow warblers, and marine iguanas. The majority of the rocks we saw the wildlife sitting on are volcanic in origin, which were very dark and sharp.
For the first excursion, I thought we saw quite a bit of wildlife, but it was nothing compared to the next several days. We were instructed to remain at least eight feet away from the wildlife, and to not touch or otherwise disturb them (no flash photography, no yelling at them, feeding, etc.). Surprisingly, most of the wildlife wasn't scared of humans at all. I walked right past a blue-footed booby next to its young and it didn't give me the time of day.
On Monday we visited San Cristóbal Island in the morning, which has a small population. After visiting a small museum with the history of the Galápagos (violent and unfortunate, I might say) we shopped a little bit and then headed back to the ship. In the afternoon we visited Española Island, where we were greeted by tons of iguanas and barking sea lions. This was the first island that presented us with a large amount and variety of wildlife.
The marine iguanas that we saw looked pretty menacing, but really are no danger to humans or really anything else on the islands. They're slow-moving, eat algae from the shore, and mostly just sit out in the sun during the day:
The sea lions were loud and active, except when they weren't. Apparently it takes some effort to move on land, so we would routinely see them hopping along at a quick pace and then fall flat on their face and seem to take a nap for a minute or two.
Española Island also presented us with lots of lava lizards, two variants of boobies (Nazca and Blue-footed), and some interesting Galápagos crabs.
On Tuesday we had our first snorkeling experience in the Galápagos. We took the advanced deep sea snorkeling around Champion Island, and used wetsuits since the water was 20°C. It was still cold even with the wetsuit. We saw lots of fish and a sea turtle, but nothing really all that interesting, except for the sea lion swimming around with some of us during the tail end. It probably would have been better if the sun was out to provide more illumination of the reef.
On Tuesday afternoon we visited Floreana Island where we saw some Galápagos Penguins on the rocks near the shore. While in the Zodiac we also got a chance to see some sea turtles poking their heads out of the water to breathe. Getting a good shot was a little difficult.
We took a hike up to the Baroness Lookout (our tour guide gave us the abridged story about this), which gave us a few photo opportunities:
The next day (Wednesday) we went to Bachas beach on Santa Cruz Island and did a short walk and snorkeling. We spotted our first flamingo on the walk. The snorkeling wasn't all that good due to cloudy water (and the sun wasn't out once again).
In the afternoon we went to Bartolomé Island and hiked up 114 meters where we saw some interesting vegetation, lizards, cacti, and a nice view of the island:
In hindsight, this was the day I should have used the circular polarizer filter. We also saw some penguins close to the shore before snorkeling again:
On Thursday we landed in Urbina Bay at Isabela Island and took a 2.0 mile hike across part of the island, which included some rocky terrain and dense vegetation. I was honestly surprised that all of the people in our tour group managed it without issue, since there was quite a bit of balancing involved. The landing part was interesting because we saw a fierce shark fight (for food) right near the beach. We ended up seeing some different wildlife, including two giant tortoises and a couple of land iguanas.
We saw a Galápagos Hawk sitting on one of the national park stop signs:
On Thursday afternoon we took an excursion to Fernandina Island where we saw the most iguanas on the trip, so far:
I also snagged a short clip of some of them fighting (not mating: listen to the tour guide):
We also spotted a couple oystercatchers, which have a distinctive head and beak:
Friday brought us to Santiago Island where we saw some fur seals. I kept forgetting the subtle differences between seals and sea lions and eventually just learned to identify them by their colors: seals are black and sea lions are gold. The seals were the first species of wildlife we encountered in the Galápagos that seemed genuinely scared of humans.
We managed to spot a few orcas a mile or two from the island, and did some whale watching for a little bit. I took a few photos, but wasn't able see much detail. The best shot I got that showed the distinguishing white area near the eye is this one:
Snorkeling at Santiago Island was great. I was literally inches away from some sea lions swimming by and we saw one constantly diving down into a crevice looking for food. I spotted a jellyfish, sea turtle, and stingray (I think it was a stingray, it was under a bunch of sand), too. It's too bad I don't own an underwater camera.
In the afternoon we went on a longish hike to Dragon Hill on Santa Cruz (yep, we returned!). The terrain looked a bit like Mars:
Our last day brought us to Puerto Ayora on Santa Cruz. It's one of the heavily populated ports with an urban area and lots of farmland. We took a trip to the Charles Darwin Research Station where we saw some giant tortoises in captivity. One of them was Lonesome George, a 90-year-old tortoise who can't seem to find a compatible mate. He's the last one of his subspecies (categorized as EW: extinct in the wild). They apparently breed giant tortoises at the CDRS, too:
In the afternoon we traveled to the highlands (see map here) and visited a lava tube. We also saw lots of the giant tortoises in their natural habitat:
The highlands were overcast, humid, and very green. Apparently it mists there all the time, so all sorts of plants grow. It was in stark contrast to the rest of the Galápagos islands we'd visited earlier in the week.
The next day we flew back to Quito via AeroGal and departed for home the day after.
Here's a list of everything we saw on or from land:
And a list of things we saw while snorkeling (incomplete, since it was hard to identify most of the fish):
The two animals that were the most visible during the tours are the sea lions and marine iguanas. The sea lions were fun to watch, since they would play with each other or just walk right in front of us, barking. We saw quite a few young sea lions, too. Their vocal cords apparently aren't very developed so their bark sounds a bit different (and cute). Here's a video:
The marine iguanas were everywhere. Sometimes it would be hard to walk since they were scattered all over the trail. For food, they swim into the ocean and eat algae, but have to expunge the sea water from their system when they get back on land. As a result they were constantly doing what one might identify as sneezing. But, instead of a sneeze it was really just the iguana blowing out the salt water from their system. I almost got sprayed by one as it was doing this, too! Also, they smell really bad, especially when there are 20 or 30 of them piled on top of each other.
The giant tortoises are big and slow moving. Shocker, really. They can grow up to 300 kg and have no ears, so they can't hear a thing. They can detect vibrations in the ground, though, so they can tell someone is approaching. When we were walking too near to some of them, they would emit a hiss that sounded like Darth Vader, and pull their head into their shell.
Lots of the birds that we saw on land we also saw from the ship.. even when we were traveling between islands! The Blue-footed Boobies and Frigates apparently travel far out to sea to hunt for fish. We watched several of them nose-diving in the water right near the ship. I got a lucky shot, here:
There were quite a few symbiotic and mutualistic relationships we witnessed among the wildlife. The lava lizards crawl on the sea lions and eat the flies (that apparently get really annoying for the sea lions). Some of the finches pick off ectoparasites from the tortoises, too. There were a few others I don't recall, unfortunately.
About half of the 90 passengers on the cruise were from the United States, I think. The others were either from Canada, England, Hong Kong, or elsewhere. I think only two or three of the passengers were younger than me.
Since my Nexus One works throughout most of the world, I picked up an international data plan for $50 from AT&T that gave me 125 MiB per month. So, without fear of overage charges, data on my phone worked in Quito, the Galápagos Islands, and on the ship. In Quito I had a choice between two Ecuadorian GSM providers: PORTAGSM and MOVISTAR, both of which seemed to use 850/1900 for UMTS and provided HSPA for data. On the Galápagos Islands I picked up both of the same Ecuadorian cellular providers but with wildly high (but usable) latency. Apparently in 2002 the Galápagos Islands obtained a satellite connection back to mainland Ecuador, which is used for the cellular backhaul, too. On the ship, there was a similar cellular site (only supported GPRS) backended by a satellite, but the performance was horrible. And when I say horrible, I mean it was completely unusable at times:

```
Request timeout for icmp_seq 311
Request timeout for icmp_seq 312
64 bytes from 69.9.189.182: icmp_seq=163 ttl=46 time=150991.762 ms
64 bytes from 69.9.189.182: icmp_seq=164 ttl=46 time=150401.031 ms
```
On Wednesday we took a tour of the bridge of the Celebrity Xpedition. It was a fairly modern-looking bridge with no wheel and most components were computer-controlled. I spotted a networking rack that housed a few Linksys-branded devices and a satellite router. Expensive shipboard Wi-Fi was provided by a Cisco WLC (yay 1.1.1.1!) that was apparently centrally-located on the mainland. It was better than the cellular connection, but not by much:
```
HOST: orion                       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.172.1              0.0%    32    1.8   2.3   1.1   9.1   2.1
  2.|-- 192.168.15.1               3.1%    32    2.5   2.9   1.7  12.7   2.0
  3.|-- 10.224.7.49                3.1%    32    7.2   5.0   3.4  11.7   1.8
  4.|-- 10.102.33.53               3.1%    32  671.7 635.1 594.5 693.9  27.3
  5.|-- 10.102.33.1                3.1%    32  710.9 638.2 592.1 710.9  27.3
  6.|-- 10.102.1.5                 3.1%    32  648.1 628.4 589.0 688.0  26.4
  7.|-- mci.gwa.vizada-net.net     3.1%    32  681.0 640.5 595.9 743.5  34.5
  8.|-- serial3-3.gw4.bos4.alter. 43.8%    32  609.4 636.4 601.9 766.7  37.4
  9.|-- 0.ge-3-3-3.xl3.bos4.alter 43.8%    32  646.4 642.8 597.9 714.1  31.3
 10.|-- 0.xe-6-1-2.xt1.nyc4.alter 43.8%    32  664.7 650.8 610.3 709.3  29.4
 11.|-- gigabitethernet6-0-0.gw1. 45.2%    31  681.1 654.2 602.3 687.6  23.8
 12.|-- teliasonera-gw.customer.a 45.2%    31  718.1 654.3 598.6 718.1  37.7
 13.|-- nyk-b6-link.telia.net     45.2%    31  656.2 650.5 620.2 709.5  22.5
 14.|-- 0.te1-4.tsr1.lga5.us.voxe  6.5%    31  746.9 647.7 608.3 746.9  30.1
 15.|-- 0.ae57.csr2.lga6.us.voxel  6.5%    31  684.3 659.7 605.0 817.1  47.0
 16.|-- dax.prolixium.com         25.8%    31  646.9 649.7 599.6 716.5  33.9
```

There was some crazy ICMP error throttling that caused the erroneous packet loss. Anyway, our stateroom suite status gave us three hours of free use for the week.
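The tell for throttling in a report like the one above is that loss at hops 8 through 13 vanishes at hops 14 and 15: a probe that was answered by a later hop had to be forwarded through the earlier ones, so a router's true forwarding loss can never exceed the best figure reported after it. Anything above that is the router declining to generate ICMP Time Exceeded replies, which is what rate limiting does. The following is an added example, not code from the original post, that parses `mtr --report` output and flags those hops; `SAMPLE_REPORT` is the report from the post with one hop per line. It assumes a single stable path (a load-balanced path can make the rule misfire, hence the tolerance parameter).

```python
"""Sanity-check an mtr report: loss shown at an intermediate hop that later
hops do not show is the router rate-limiting (or de-prioritising) its ICMP
Time Exceeded replies, not forwarding loss.  Added example, not code from the
original post; SAMPLE_REPORT is the report from the post, one line per hop."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_REPORT = """\
HOST: orion                       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.172.1              0.0%    32    1.8   2.3   1.1   9.1   2.1
  2.|-- 192.168.15.1               3.1%    32    2.5   2.9   1.7  12.7   2.0
  3.|-- 10.224.7.49                3.1%    32    7.2   5.0   3.4  11.7   1.8
  4.|-- 10.102.33.53               3.1%    32  671.7 635.1 594.5 693.9  27.3
  5.|-- 10.102.33.1                3.1%    32  710.9 638.2 592.1 710.9  27.3
  6.|-- 10.102.1.5                 3.1%    32  648.1 628.4 589.0 688.0  26.4
  7.|-- mci.gwa.vizada-net.net     3.1%    32  681.0 640.5 595.9 743.5  34.5
  8.|-- serial3-3.gw4.bos4.alter. 43.8%    32  609.4 636.4 601.9 766.7  37.4
  9.|-- 0.ge-3-3-3.xl3.bos4.alter 43.8%    32  646.4 642.8 597.9 714.1  31.3
 10.|-- 0.xe-6-1-2.xt1.nyc4.alter 43.8%    32  664.7 650.8 610.3 709.3  29.4
 11.|-- gigabitethernet6-0-0.gw1. 45.2%    31  681.1 654.2 602.3 687.6  23.8
 12.|-- teliasonera-gw.customer.a 45.2%    31  718.1 654.3 598.6 718.1  37.7
 13.|-- nyk-b6-link.telia.net     45.2%    31  656.2 650.5 620.2 709.5  22.5
 14.|-- 0.te1-4.tsr1.lga5.us.voxe  6.5%    31  746.9 647.7 608.3 746.9  30.1
 15.|-- 0.ae57.csr2.lga6.us.voxel  6.5%    31  684.3 659.7 605.0 817.1  47.0
 16.|-- dax.prolixium.com         25.8%    31  646.9 649.7 599.6 716.5  33.9
"""

# One hop line of `mtr --report`: "<n>.|-- <host> <loss>% <snt> <last> <avg> <best> <wrst> <stdev>"
MTR_LINE = re.compile(
    r"^\s*(?P<hop>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%\s+(?P<snt>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)"
    r"\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)\s*$"
)


@dataclass
class Hop:
    number: int
    host: str
    loss_pct: float
    sent: int
    avg_ms: float


def parse_mtr_report(text: str) -> List[Hop]:
    """Parse `mtr --report` output; the header and any unmatched lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = MTR_LINE.match(line)
        if m:
            hops.append(Hop(int(m["hop"]), m["host"], float(m["loss"]),
                            int(m["snt"]), float(m["avg"])))
    return hops


def suspect_icmp_rate_limiting(hops: List[Hop], tolerance_pct: float = 0.0) -> List[int]:
    """Hop numbers whose loss exceeds the lowest loss reported by any later hop.

    A probe answered by hop j > i was forwarded through hop i, so hop i's real
    forwarding loss cannot exceed the best later figure; anything above it is
    hop i not answering.  Assumes a single stable path (no ECMP flapping); a
    small tolerance absorbs sampling noise.  The final hop has no later hop,
    so its loss is taken at face value."""
    flagged = []
    for i, hop in enumerate(hops[:-1]):
        later_min = min(h.loss_pct for h in hops[i + 1:])
        if hop.loss_pct > later_min + tolerance_pct:
            flagged.append(hop.number)
    return flagged


def end_to_end_loss(hops: List[Hop]) -> Optional[float]:
    """The only loss figure that describes the path as a whole: the destination's."""
    return hops[-1].loss_pct if hops else None


if __name__ == "__main__":
    hops = parse_mtr_report(SAMPLE_REPORT)
    print("hops that are rate-limiting ICMP, not dropping traffic:", suspect_icmp_rate_limiting(hops))
    print("end-to-end loss:", end_to_end_loss(hops), "%")
```

On the report above this flags hops 8 through 13 and leaves the 25.8% at the destination alone, since that is the only number that says anything about the path itself.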
Lots of the Galápagos species seemed to be just slightly different than those found in the rest of the world. To distinguish them, it seems that "Galápagos" was added to the title. I kept wondering if we were going to see a Galápagos squirrel.
Some of the tour guides gave us pieces of history about the islands. Apparently the early settlers on the islands brought donkeys, dogs, birds, hogs, etc. that disrupted the wildlife on the islands. Some of these animals died off since they couldn't handle the harsh climate and some of the others apparently were slaughtered by ecological societies in order to preserve the balance. One tour guide specifically said that one of the societies is currently investigating the use of paintball-like guns to kill a certain species of black bird that is doing damage to the ecology on the island. Sometimes I get confused about what's natural and what isn't, but maybe that's just me.
On an unrelated note, the airport security in Quito (UIO) was very strange compared to airports in the United States. There are two security checkpoints passengers pass through on their way to the plane. The first one is at ticketing, which is similar to a pre-9/11 checkpoint at a United States airport. The second one is at the gate itself, and involves airport employees going through passengers' carry-ons. Afterwards, while the passengers wait at the gate, a dog is sent loose and sniffs all of the passengers' carry-on bags. Another security oddity (a good one, I might add) is the checking of baggage claim tickets upon pickup. I don't think I've ever been at an airport in the United States that cares about baggage claim tickets. A shame.
Not sure what else to say here, but it was an awesome almost two weeks away from the office. Although it's not the cheapest vacation, I'd definitely recommend it!