RMX Automation Preview 2012-02-25

RMX Automation version 1.x User Interface:

And now…

RMX Automation version 2.0 User Interface

Please note that this is in very early stages of development. The entire UI is being ported from the old Win32 code base over to a web front-end. More details will be available in the next few weeks as development moves along.

Posted in Uncategorized | 2 Comments

Network Routing Problems

I’m currently under the impression that most ISPs in the Seattle-Tacoma region do not have direct peering with one-another at all. While this is a small sample of tests, I do find it strikingly odd that almost every single test within these two cities and between these two cities always routes through San Jose, California.

My four local test ISPs are
1) Click-Network Cable (Tacoma, WA)
2) Comcast Business Cable (Puyallup, WA)
3) Optic Fusion (Tacoma, WA)
4) Hurricane Electric (Seattle, WA)

And for added out-of-state testing, I’m including
5) Hurricane Electric (Fremont CA)

NOTE: These tests are all performed using tracert (Windows).
NOTE: some DNS names and IP addresses were removed to protect the identity of Darkain Multimedia’s tech support clients.

Round 1 – Click-Network (Tacoma WA)

Test 1-2: Click-Network to Comcast Business

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2    15 ms     8 ms     7 ms  10.102.0.1
  3    14 ms     9 ms     9 ms  131.191.0.14
  4    10 ms    11 ms     9 ms  click_dts_border_g1-23.click-network.com [131.191.0.26]
  5     9 ms     9 ms    10 ms  sl-gw20-tac-10-0.sprintlink.net [144.228.24.133]
  6    12 ms    13 ms    13 ms  sl-crs1-tac-0-9-3-0.sprintlink.net [144.232.11.59]
  7    10 ms     9 ms     9 ms  sl-gw50-sea-.sprintlink.net [144.232.1.151]
  8    12 ms    16 ms    19 ms  te-0-5-0-2-pe03.seattle.wa.ibone.comcast.net [66.208.228.77]
  9    12 ms    14 ms    11 ms  be-13-cr01.seattle.wa.ibone.comcast.net [68.86.84.109]
 10    25 ms    14 ms    15 ms  so-6-1-0-0-ar03.seattle.wa.seattle.comcast.net [68.86.95.22]
 11    12 ms    13 ms    14 ms  po-60-ur02.tacoma.wa.seattle.comcast.net [68.85.240.90]
 12    12 ms    14 ms    14 ms  68.87.207.234
 13    25 ms    24 ms    26 ms  xxxxxx.hsd1.wa.comcast.net [xxx.xxx.xxx.xxx]

This first test worked perfectly. The routing path of Tacoma WA - Seattle WA - Tacoma WA - Puyallup WA is perfectly acceptable. Seattle WA is a much larger carrier exchange than Tacoma WA, so these results are expected.

Test 1-3: Click-Network to Optic Fusion

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     8 ms     8 ms     7 ms  10.102.0.1
  3     9 ms     9 ms     9 ms  131.191.0.14
  4     8 ms     9 ms    10 ms  click_dts_border_g1-23.click-network.com [131.191.0.26]
  5    15 ms     9 ms    10 ms  sl-gw20-tac-10-2.sprintlink.net [144.223.84.169]
  6    21 ms    13 ms     9 ms  sl-crs2-tac-0-9-3-0.sprintlink.net [144.232.11.61]
  7    33 ms    33 ms    30 ms  sl-crs2-sj-0-5-2-0.sprintlink.net [144.232.18.204]
  8    34 ms    35 ms    33 ms  sl-st31-sj-0-15-0-0.sprintlink.net [144.232.8.151]
  9    32 ms    42 ms    40 ms  sl-integ92-316012-0.sprintlink.net [144.223.166.114]
 10    61 ms    55 ms    54 ms  tg9-3.cr02.sntdcabl.integra.net [209.63.81.69]
 11    53 ms    53 ms    51 ms  tg13-1.cr02.rcrdcauu.integra.net [209.63.114.169]
 12    50 ms    52 ms    51 ms  209.63.83.9
 13    86 ms    55 ms    50 ms  209.63.83.5
 14    51 ms    52 ms    54 ms  ge5-1.ar10.ptleorte.integra.net [209.63.115.18]
 15   121 ms    54 ms    53 ms  gi2-2.cr01.tac.opticfusion.net [64.122.170.154]
 16    80 ms    73 ms    60 ms  gi2-1.dr01.tac.opticfusion.net [209.147.112.46]
 17    65 ms    58 ms    54 ms  xxx.xxx.xxx.xxx

This next test is the first indicator of a problem. Optic Fusion has carrier exchanges in both Tacoma WA and Seattle WA. Click-Network routes through SprintLink, and from the first trace route we observed that SprintLink has direct routing to the carrier exchange in Seattle as well. Despite both of these potential links, this particular trace runs the route of Tacoma WA - San Jose CA - Portland OR - Tacoma WA.

What makes this one much worse though... Optic Fusion lists Click-Network as a direct peering partner. This means that Click-Network should in theory be routing packets directly to Optic Fusion for this route, completely bypassing SprintLink altogether. (source: http://www.opticfusion.net/netmon/weathermap.png)

Test 1-4: Click-Network to Hurricane Electric (Seattle WA)

  1     4 ms     3 ms    <1 ms  192.168.10.1
  2     7 ms     7 ms    16 ms  10.102.0.1
  3     8 ms     8 ms     8 ms  131.191.0.16
  4    11 ms    14 ms    69 ms  click_dtn_border_g1-23.click-network.com [131.191.0.24]
  5     9 ms     8 ms     8 ms  sl-gw5-tac-4-1.sprintlink.net [144.223.158.229]
  6    26 ms    32 ms    31 ms  sl-gw5-tac-14-0.sprintlink.net [144.232.2.2]
  7    33 ms    33 ms    41 ms  sl-crs2-sj-0-5-2-0.sprintlink.net [144.232.18.204]
  8    36 ms    34 ms    32 ms  sl-st31-sj-0-15-0-0.sprintlink.net [144.232.8.151]
  9    33 ms    31 ms    45 ms  144.232.18.142
 10    33 ms    32 ms    41 ms  hurricane-ic-138359-sjo-bb1.c.telia.net [213.248.67.106]
 11    54 ms    53 ms    52 ms  10gigabitethernet4-3.core1.sea1.he.net [72.52.92.158]
 12    52 ms    53 ms    51 ms  tserv14.sea1.ipv6.he.net [216.218.226.238]

As we see once again, SprintLink has opted to route through San Jose CA despite having direct access to Seattle WA. From San Jose CA, Hurricane Electric uses a direct link to bring the route back up to Seattle WA. That makes the full route Tacoma WA - San Jose CA - Seattle WA.

Test 1-5: Click-Network to Hurricane Electric (Fremont CA)

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     7 ms     6 ms     7 ms  10.102.0.1
  3     9 ms     8 ms     9 ms  131.191.0.16
  4    10 ms    11 ms    10 ms  131.191.0.32
  5    16 ms    23 ms    20 ms  sl-gw5-tac-4-1.sprintlink.net [144.223.158.229]
  6     9 ms     9 ms    11 ms  sl-gw5-tac-14-0.sprintlink.net [144.232.2.2]
  7    35 ms    34 ms    32 ms  sl-crs2-sj-0-5-2-0.sprintlink.net [144.232.18.204]
  8    32 ms    32 ms    35 ms  sl-st31-sj-0-15-0-0.sprintlink.net [144.232.8.151]
  9    33 ms    38 ms    32 ms  144.232.18.142
 10    44 ms    34 ms    38 ms  hurricane-ic-138359-sjo-bb1.c.telia.net [213.248.67.106]
 11    36 ms    86 ms    36 ms  10gigabitethernet1-2.core1.fmt2.he.net [72.52.92.73]
 12    38 ms    34 ms    33 ms  tserv3.fmt2.ipv6.he.net [72.52.104.74]

The two Hurricane Electric IP addresses used for testing are both IPv6 Tunnel Broker addresses (see tunnelbroker.net for more details). I assumed when signing up for the IPv6 tunnel broker service that using either Optic Fusion or Hurricane Electric (Seattle WA) would be my lowest latency solution. After countless testing and retesting, the results presented here are the norm. Routing to Hurricane Electric (Fremont CA) from Click-Network (Tacoma WA) has consistently lower latency than routing through Optic Fusion (Tacoma WA) or Hurricane Electric (Seattle WA).

Round 2 - Comcast Business (Puyallup WA)

Test 2-1: Comcast Business to Click-Network

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     1 ms    <1 ms    <1 ms  10.1.10.1
  3    11 ms    11 ms    10 ms  73.102.132.1
  4    10 ms    10 ms    10 ms  te-4-5-ur02.tacoma.wa.seattle.comcast.net [68.87.207.233]
  5    12 ms    11 ms    13 ms  ae-6-0-ar03.seattle.wa.seattle.comcast.net [68.85.240.89]
  6    16 ms    16 ms    16 ms  pos-1-14-0-0-cr01.seattle.wa.ibone.comcast.net [68.86.90.85]
  7    16 ms    11 ms    13 ms  be-11-pe03.seattle.wa.ibone.comcast.net [68.86.84.78]
  8    12 ms    16 ms    15 ms  66.208.228.78
  9    68 ms    21 ms    35 ms  sl-crs1-tac-.sprintlink.net [144.232.1.149]
 10    18 ms    18 ms    17 ms  sl-gw20-tac-0-0-0.sprintlink.net [144.232.11.58]
 11    16 ms    18 ms    17 ms  sl-click1-418525-0.sprintlink.net [144.228.24.134]
 12    18 ms    16 ms    17 ms  click_dts_core_g1-23.click-network.com [131.191.0.27]
 13    22 ms    19 ms    21 ms  131.191.0.15

Much like with the previous test, the reverse path is pretty much the same: Puyallup WA - Tacoma WA - Seattle WA - Tacoma WA.

Test 2-3: Comcast Business to Optic Fusion

  1    <1 ms    <1 ms     1 ms  192.168.100.1
  2    <1 ms    <1 ms    <1 ms  10.1.10.1
  3    10 ms    10 ms    17 ms  73.102.132.1
  4    59 ms    15 ms    19 ms  te-4-5-ur02.tacoma.wa.seattle.comcast.net [68.87.207.233]
  5    11 ms    13 ms    67 ms  ae-6-0-ar03.seattle.wa.seattle.comcast.net [68.85.240.89]
  6    17 ms    15 ms    17 ms  pos-1-14-0-0-cr01.seattle.wa.ibone.comcast.net [68.86.90.85]
  7    14 ms    14 ms    12 ms  pos-0-0-0-0-pe01.seattle.wa.ibone.comcast.net [68.86.86.138]
  8    14 ms    13 ms    16 ms  173-167-56-190-static.hfc.comcastbusiness.net [173.167.56.190]
  9    92 ms   218 ms   212 ms  tg9-4.cr01.sttlwatw.integra.net [209.63.114.133]
 10    19 ms    21 ms    23 ms  pc1--1001.br01.lsancarc.integra.net [209.63.114.149]
 11    21 ms    20 ms    19 ms  tg13-1.cr01.ptleorte.integra.net [209.63.114.98]
 12    98 ms    21 ms    18 ms  ge5-1.ar10.ptleorte.integra.net [209.63.115.18]
 13    24 ms    24 ms    24 ms  gi2-2.cr01.tac.opticfusion.net [64.122.170.154]
 14    22 ms    21 ms    23 ms  209.147.112.50
 15    72 ms   167 ms   199 ms  vl100.dr01.tac.opticfusion.net [66.113.96.1]
 16    26 ms    23 ms    24 ms  xxx.xxx.xxx.xxx

While not as bad as the previous ISP's results, this one still raises some questions. Once again Optic Fusion lists Comcast on their "connectivity" page (source: http://www.opticfusion.net/connectivity.php). This route traces through Puyallup WA - Tacoma WA - Seattle WA - Portland OR - Tacoma WA. Once again we see that both Comcast and Optic Fusion have carrier exchanges in Seattle WA, yet they are not directly peering with one another.

Test 2-4: Comcast Business to Hurricane Electric (Seattle WA)

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2    15 ms    <1 ms    <1 ms  10.1.10.1
  3    11 ms    17 ms    12 ms  73.102.132.1
  4    12 ms    16 ms    19 ms  te-7-5-ur01.tacoma.wa.seattle.comcast.net [68.87.207.225]
  5    13 ms    11 ms    11 ms  ae-6-0-ar03.burien.wa.seattle.comcast.net [68.85.240.85]
  6    15 ms    48 ms    12 ms  ae-2-0-ar03.seattle.wa.seattle.comcast.net [68.86.177.146]
  7    14 ms    15 ms    14 ms  pos-1-4-0-0-cr01.seattle.wa.ibone.comcast.net [68.86.90.209]
  8   136 ms   226 ms   203 ms  208.178.58.85
  9    42 ms    51 ms    34 ms  Hurrican-Electric-LLC.Port-channel100.ar3.SJC2.gblx.net [64.214.174.246]
 10    31 ms    43 ms    71 ms  10gigabitethernet4-3.core1.sea1.he.net [72.52.92.158]
 11    33 ms    33 ms   100 ms  tserv14.sea1.ipv6.he.net [216.218.226.238]

Just like with the previous ISP, Comcast is routing through San Jose to reach Hurricane Electric (Seattle WA). This time it routes through Puyallup WA - Tacoma WA - Burien WA - Seattle WA - San Jose CA - Seattle WA. Yet another missed carrier exchange in Seattle WA!

Test 2-5: Comcast Business to Hurricane Electric (Fremont CA)

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     1 ms    <1 ms     2 ms  10.1.10.1
  3    11 ms     9 ms     7 ms  73.102.132.1
  4     9 ms     9 ms    19 ms  te-7-5-ur01.tacoma.wa.seattle.comcast.net [68.87.207.225]
  5    13 ms    10 ms     9 ms  ae-6-0-ar03.burien.wa.seattle.comcast.net [68.85.240.85]
  6    22 ms     9 ms    18 ms  ae-2-0-ar03.seattle.wa.seattle.comcast.net [68.86.177.146]
  7    15 ms    16 ms    16 ms  pos-1-4-0-0-cr01.seattle.wa.ibone.comcast.net [68.86.90.209]
  8    95 ms    14 ms    12 ms  208.178.58.85
  9    42 ms    37 ms    35 ms  Hurrican-Electric-LLC.Port-channel100.ar3.SJC2.gblx.net [64.214.174.246]
 10    45 ms    45 ms    48 ms  10gigabitethernet1-2.core1.fmt2.he.net [72.52.92.73]
 11    39 ms    39 ms    38 ms  tserv3.fmt2.ipv6.he.net [72.52.104.74]

Once again we're routing through San Jose CA. Unlike the previous ISP though, both Fremont CA and Seattle WA endpoints for Hurricane Electric are running at about the same latency on this path. This route traces through Puyallup WA - Tacoma WA - Burien WA - Seattle WA - San Jose CA - Seattle WA.

Round 3 - Optic Fusion (Tacoma WA)

Test 3-1: Optic Fusion to Click-Network

  1     9 ms    <1 ms    <1 ms  172.30.0.1
  2     1 ms     7 ms    <1 ms  fa7-16.dr01.tac.opticfusion.net [209.147.125.209]
  3     1 ms    <1 ms    <1 ms  gi2-4.cr02.tac.opticfusion.net [209.147.112.6]
  4     3 ms     3 ms     2 ms  gi2-7.cr02.sea.opticfusion.net [209.147.112.54]
  5     3 ms     3 ms     2 ms  64.125.186.33.mpr2.sea1.us.above.net [64.125.186.33]
  6    22 ms    21 ms    21 ms  xe-1-2-0.cr2.sjc2.us.above.net [64.125.31.22]
  7    22 ms    46 ms    21 ms  xe-0-0-0.cr1.sjc2.us.above.net [64.125.30.125]
  8    22 ms    21 ms    21 ms  xe-4-3-0.er1.sjc2.us.above.net [64.125.28.53]
  9    22 ms    21 ms    21 ms  xe-0-1-0.mpr3.sjc7.us.above.net [64.125.30.174]
 10    22 ms    22 ms    22 ms  sl-st20-sj-11-0-4.sprintlink.net [144.228.111.89]
 11    24 ms    23 ms    23 ms  sl-crs2-sj-0-2-0-0.sprintlink.net [144.232.9.59]
 12    46 ms    47 ms    46 ms  sl-crs2-tac-0-5-3-0.sprintlink.net [144.232.18.205]
 13    45 ms    45 ms    45 ms  sl-gw20-tac-9-0-0.sprintlink.net [144.232.11.60]
 14    46 ms    46 ms    45 ms  sl-click1-388001-0.sprintlink.net [144.223.158.14]
 15    46 ms    45 ms    45 ms  click_dts_core_g1-23.click-network.com [131.191.0.27]
 16    46 ms    46 ms    46 ms  131.191.0.15

Here we can see another reverse path. This time it routes through Above.net instead of Integra. This route traces through Tacoma WA - Seattle WA - San Jose CA - Tacoma WA. And once again we have missed potential carrier exchanges in both Tacoma WA and Seattle WA.

Test 3-2: Optic Fusion to Comcast Business

  1     1 ms    <1 ms    <1 ms  172.30.0.1
  2     1 ms    <1 ms    <1 ms  fa7-16.dr01.tac.opticfusion.net [209.147.125.209]
  3     2 ms     1 ms     1 ms  gi2-4.cr01.tac.opticfusion.net [209.147.112.45]
  4     5 ms     4 ms    11 ms  64.122.170.153
  5    11 ms    10 ms    11 ms  ge2-10.cr01.ptleorte.integra.net [209.63.115.17]
  6    12 ms    15 ms    15 ms  tg13-1.cr01.sttlwatw.integra.net [209.63.114.97]
  7    11 ms    11 ms    11 ms  bs01.lsanca54.integra.net [209.63.114.150]
  8    11 ms    10 ms    11 ms  tg1-1.br01.sttlwawb.integra.net [209.63.114.134]
  9    12 ms    11 ms    11 ms  be-10-206-pe01.seattle.wa.ibone.comcast.net [173.167.56.189]
 10    13 ms    14 ms    15 ms  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net [68.86.85.37]
 11    11 ms    11 ms    11 ms  so-1-1-0-0-ar03.seattle.wa.seattle.comcast.net [68.86.93.102]
 12    14 ms    14 ms    13 ms  po-60-ur02.tacoma.wa.seattle.comcast.net [68.85.240.90]
 13    14 ms    14 ms    13 ms  68.87.207.234
 14    21 ms    21 ms    22 ms  xxxxxx.hsd1.wa.comcast.net [xxx.xxx.xxx.xxx]

Much like with the reverse path, we see this route pass through Portland when Optic Fusion has a direct carrier exchange in Seattle WA. The full route is Tacoma WA - Portland OR - Seattle WA - Tacoma WA - Puyallup WA.

Test 3-4: Optic Fusion to Hurricane Electric (Seattle WA)

  1    <1 ms    <1 ms    <1 ms  172.30.0.1
  2     1 ms    <1 ms     1 ms  fa7-16.dr01.tac.opticfusion.net [209.147.125.209]
  3     1 ms     1 ms    <1 ms  gi2-4.cr02.tac.opticfusion.net [209.147.112.6]
  4     3 ms     3 ms     2 ms  gi2-7.cr02.sea.opticfusion.net [209.147.112.54]
  5     3 ms     2 ms     2 ms  64.125.186.33.mpr2.sea1.us.above.net [64.125.186.33]
  6     3 ms     3 ms     3 ms  xe-0-0-0.mpr1.sea1.us.above.net [64.125.31.9]
  7     3 ms     3 ms     3 ms  10gigabitethernet1-3.core1.sea1.he.net [206.81.80.40]
  8     3 ms     3 ms     2 ms  tserv14.sea1.ipv6.he.net [216.218.226.238]

I think we finally have a winner here! This route is great: it uses only local carrier exchanges. Optic Fusion uses their own internal hop from Tacoma WA to Seattle WA, followed by a near direct connection to Hurricane Electric from there. This really shows what the ISPs could have if they routed properly: ~2-3 millisecond latency from start-point to end-point. The entire route is simply Tacoma WA to Seattle WA, as expected! This may be a result of both points being data centers rather than consumer/business end points.

Test 3-5: Optic Fusion to Hurricane Electric (Fremont CA)

  1    <1 ms    <1 ms    <1 ms  172.30.0.1
  2     1 ms    <1 ms    <1 ms  fa7-16.dr01.tac.opticfusion.net [209.147.125.209]
  3     1 ms    <1 ms    <1 ms  gi2-4.cr02.tac.opticfusion.net [209.147.112.6]
  4     3 ms     3 ms     2 ms  gi2-7.cr02.sea.opticfusion.net [209.147.112.54]
  5     3 ms     2 ms     2 ms  64.125.186.33.mpr2.sea1.us.above.net [64.125.186.33]
  6     3 ms     3 ms     2 ms  xe-0-0-0.mpr1.sea1.us.above.net [64.125.31.9]
  7     3 ms     3 ms     3 ms  10gigabitethernet1-3.core1.sea1.he.net [206.81.80.40]
  8    30 ms    24 ms    23 ms  10gigabitethernet9-1.core1.sjc2.he.net [72.52.92.157]
  9    24 ms    24 ms    24 ms  10gigabitethernet1-2.core1.fmt2.he.net [72.52.92.73]
 10    24 ms    24 ms    24 ms  tserv3.fmt2.ipv6.he.net [72.52.104.74]

Once again we're seeing almost direct routing to the end-point. This follows the same path as the previous trace to their Seattle WA end point and then proceeds to follow Hurricane Electric's network south to their Fremont CA end point. The full route is Tacoma WA - Seattle WA - San Jose CA - Fremont CA.

Final Thoughts

First, neither of the Hurricane Electric end points was tested as a starting point. I do not personally have that sort of access to their networks to test this out.

Next, it appears as though if you are not a data center attempting to route to another geographically close data center, then your routes are going to take lengthy, higher-latency paths. For my particular purposes of IPv6 tunneling over IPv4, it looks as though I should use Fremont CA (~33ms at 700 miles) instead of Tacoma WA (~55ms at 3 miles) or Seattle WA (~55ms at 35 miles).
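The analysis above was done by eye, hop by hop. The following script is an added example (not from the original post) that does the same job on pasted Windows tracert output: it parses each hop, takes the median of the three RTT samples, guesses each router's city from the city codes carriers embed in their hostnames, collapses the hops into the "Tacoma WA - San Jose CA - ..." path used throughout this post, and flags the hop with the largest latency jump, which is normally where the route leaves the metro area. The city-code table is an assumption drawn only from the hostnames in the traces above (tac, sea, sj/sjc/sjo, ptle, fmt, burien, sttlwa); a bare IP or an unrecognised name simply contributes no city. The sample input is Test 1-3 from this post with a constructed tracert header and footer.

```python
"""Parse Windows tracert output and summarise the geographic path it reveals."""
import re
from statistics import median

# One tracert hop: hop number, three RTT samples ("<1 ms", "15 ms" or "*" for a
# timeout), then either "hostname [ip]" or a bare IP address.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?P<r1>\*|<?\d+ ms)\s+(?P<r2>\*|<?\d+ ms)\s+(?P<r3>\*|<?\d+ ms)\s+"
    r"(?P<host>\S+?)(?:\s+\[(?P<ip>[^\]]+)\])?\s*$"
)

# Assumption: carrier routers embed city codes in their names. These prefixes
# come from the hostnames in the traces above; extend the table for other carriers.
CITY_PREFIXES = [
    ("tac", "Tacoma WA"),      # tac, tacoma
    ("burien", "Burien WA"),
    ("sea", "Seattle WA"),     # sea1, seattle
    ("sttlwa", "Seattle WA"),  # integra.net spelling
    ("sj", "San Jose CA"),     # sj, sjc2, sjo
    ("ptle", "Portland OR"),   # ptleorte
    ("fmt", "Fremont CA"),     # fmt2
]


def parse_rtt(token):
    """'*' means the probe timed out; '<1 ms' is counted as 0."""
    if token == "*":
        return None
    num = token.split()[0]
    return 0.0 if num.startswith("<") else float(num)


def city_of(host):
    """Guess a router's city from its hostname; None for bare IPs or unknown names."""
    for token in re.split(r"[.\-_]", host.lower()):
        for prefix, city in CITY_PREFIXES:
            if token.startswith(prefix):
                return city
    return None


def analyze(tracert_text):
    """Return per-hop stats, the collapsed city path and the largest RTT jump."""
    hops = []
    for line in tracert_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank and "Trace complete." lines
        good = [r for r in (parse_rtt(m.group(k)) for k in ("r1", "r2", "r3")) if r is not None]
        hops.append({
            "hop": int(m.group("hop")),
            "host": m.group("host"),
            "ip": m.group("ip") or m.group("host"),
            "median_ms": median(good) if good else None,
            "city": city_of(m.group("host")),
        })
    # Collapse consecutive hops in one city into the "Tacoma - San Jose - ..." path.
    path = []
    for h in hops:
        if h["city"] and (not path or path[-1] != h["city"]):
            path.append(h["city"])
    # Largest increase in median RTT between consecutive answering hops.
    largest, prev = None, None
    for h in hops:
        cur = h["median_ms"]
        if cur is None:
            continue
        if prev is not None and (largest is None or cur - prev > largest[1]):
            largest = (h["hop"], cur - prev)
        prev = cur
    return {"hops": hops, "path": path,
            "end_to_end_ms": hops[-1]["median_ms"] if hops else None,
            "largest_jump": largest}


# Test 1-3 from the post, with a constructed tracert header and footer.
SAMPLE_TRACE = """\
Tracing route to xxx.xxx.xxx.xxx over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     8 ms     8 ms     7 ms  10.102.0.1
  3     9 ms     9 ms     9 ms  131.191.0.14
  4     8 ms     9 ms    10 ms  click_dts_border_g1-23.click-network.com [131.191.0.26]
  5    15 ms     9 ms    10 ms  sl-gw20-tac-10-2.sprintlink.net [144.223.84.169]
  6    21 ms    13 ms     9 ms  sl-crs2-tac-0-9-3-0.sprintlink.net [144.232.11.61]
  7    33 ms    33 ms    30 ms  sl-crs2-sj-0-5-2-0.sprintlink.net [144.232.18.204]
  8    34 ms    35 ms    33 ms  sl-st31-sj-0-15-0-0.sprintlink.net [144.232.8.151]
  9    32 ms    42 ms    40 ms  sl-integ92-316012-0.sprintlink.net [144.223.166.114]
 10    61 ms    55 ms    54 ms  tg9-3.cr02.sntdcabl.integra.net [209.63.81.69]
 11    53 ms    53 ms    51 ms  tg13-1.cr02.rcrdcauu.integra.net [209.63.114.169]
 12    50 ms    52 ms    51 ms  209.63.83.9
 13    86 ms    55 ms    50 ms  209.63.83.5
 14    51 ms    52 ms    54 ms  ge5-1.ar10.ptleorte.integra.net [209.63.115.18]
 15   121 ms    54 ms    53 ms  gi2-2.cr01.tac.opticfusion.net [64.122.170.154]
 16    80 ms    73 ms    60 ms  gi2-1.dr01.tac.opticfusion.net [209.147.112.46]
 17    65 ms    58 ms    54 ms  xxx.xxx.xxx.xxx

Trace complete.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    hop, delta = result["largest_jump"]
    print(" - ".join(result["path"]))
    print("end-to-end median %s ms; largest jump +%s ms at hop %d" % (result["end_to_end_ms"], delta, hop))
```

On the Test 1-3 input this reports Tacoma WA - San Jose CA - Portland OR - Tacoma WA and a 20 ms jump at hop 7, the SprintLink hop into San Jose, which is exactly the detour the post complains about. Medians rather than means are used so that one-off spikes like the 121 ms sample at hop 15 do not distort the picture.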

Posted in Networking | Leave a comment

The Battle of the Bandwidths

I’ve been a dedicated Click-Network (Tacoma WA) Cable Internet service subscriber since before I can even remember. A few months ago while attending PAX Prime in Seattle, I received a phone call from home saying that our internet service was no longer functional. After returning home from this event, I contacted the ISP to find out what was up. It turns out that we ran over our 250 GiB/month data cap, something which I had no idea even existed. At the point in time when my household signed up for this service, these data caps were completely non-existent.

It was quite a shocker to find out that Click-Network instituted a 250 GiB/month cap without ever informing us. This “new” data cap wasn’t even new either, as it turns out that it is documented in the very last section of the ISP’s “Acceptable Use Policy” on their web site. Here is a quote from their web site:

Click! may revise this AUP from time to time without notice by posting a new version at www.clickcabletv.com and submitting it to ISPs who use Click! Network services. Accordingly, Users should consult this document regularly to ensure that their activities conform to the most recent version. Please direct any questions or comments regarding this AUP and/or complaints of violations of this AUP to your ISP immediately.

Source: http://www.clickcabletv.com/Internet/AUP.aspx (2012-01-25 10:00PM PST)

From that you can directly see that they have, and always have had, every intention of simply changing policies without ever informing their customers, as in my case.

Now, let's move on to more recent observations.

Since that point in time, I have made significant upgrades to my in-home local area network. Some of these upgrades included a much more powerful router which includes very detailed reports as well as a highly configurable firewall. While playing around with this router over the past two days, some things started to appear that seemed quite a bit out of place.

This is the 8-hour bandwidth graph for my LAN’s router. Highlighted is the bandwidth consumed from packets that were blocked by the firewall. This amounts to an average of 12.3 MiB every 8 hours.

Let's do some math!

12.3 / 8 = 1.5375 MiB/hour
1.5375 * 24 = 36.9 MiB/day
36.9 * 30 = 1107 MiB/month

And there you have it. Nearly 1.1 GiB of bandwidth per month is going straight to BLOCKED PACKETS. This is all wasted bandwidth. When talking with the ISP about the bandwidth issues before, I made it a point to ask about bandwidth overhead and things like this. They repeatedly confirmed that they count both packet data and packet overhead when measuring total consumer bandwidth for a given billing cycle.

Now where is all of this bandwidth going? Luckily my firewall logs tell me this! There is a constant flood of broadcast packets on the WAN address of the router. The source of these packets is originating from the ISP itself. Yes, this is right. The same ISP that instituted the 250 GiB/month limit is also taking away over 1 GiB/month from simply sending out broadcast packets across the whole network. While this only accounts for 0.44% of the total bandwidth allocation per month, this is still phantom bandwidth that has a chance of aiding in the ISP knocking me offline again.
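The router's graph gave one aggregate number; the firewall log is what lets you attribute the dropped bytes to a source and to broadcast versus unicast traffic. The script below is an added example, not code from the original post or from any router vendor: it reads a constructed, generic one-line-per-packet log format (the field names and the 10.102.0.200 gateway address are placeholders, as are the 203.0.113.x / 198.51.100.x internet addresses), totals the bytes dropped on the WAN interface, ranks them by source, and then carries the post's 8-hour-to-30-day arithmetic and cap comparison in a reusable function. Packet length is taken as the IP total length, so header overhead is counted the way the ISP says it counts it.

```python
"""Account for WAN bytes the firewall drops, then project them onto a monthly cap."""
import re
from collections import Counter

# Constructed log format (not any particular router's): one packet per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>BLOCK|PASS) "
    r"in=(?P<iface>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) len=(?P<len>\d+)$"
)


def is_broadcast(dst):
    """Limited broadcast, or a directed broadcast on a /24 (a simplification)."""
    return dst == "255.255.255.255" or dst.endswith(".255")


def summarize(log_text, wan_iface="wan"):
    """Bytes dropped on the WAN side, split by source and by broadcast/unicast."""
    blocked = broadcast = 0
    by_src = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "BLOCK" or m["iface"] != wan_iface:
            continue  # unparseable, passed, or dropped on the LAN side (not billed)
        n = int(m["len"])  # IP total length: header overhead is counted, as the ISP does
        blocked += n
        by_src[m["src"]] += n
        if is_broadcast(m["dst"]):
            broadcast += n
    return {
        "blocked_wan_bytes": blocked,
        "broadcast_bytes": broadcast,
        "broadcast_share": broadcast / blocked if blocked else 0.0,
        "top_sources": by_src.most_common(3),
    }


def project_monthly_mib(mib_in_window, window_hours, days=30):
    """The post's arithmetic: scale a sampling window up to a 30-day month."""
    return mib_in_window / window_hours * 24 * days


def cap_fraction(monthly_mib, cap_gib=250):
    """Share of a GiB-denominated monthly cap consumed by the projected traffic."""
    return monthly_mib / (cap_gib * 1024)


# Constructed sample: the ISP-side gateway (placeholder 10.102.0.200) spraying
# broadcasts at the WAN port, one unsolicited SYN from the internet, one LAN drop.
SAMPLE_LOG = """\
2012-01-25 22:00:01 BLOCK in=wan src=10.102.0.200 dst=255.255.255.255 proto=udp len=328
2012-01-25 22:00:03 PASS in=wan src=203.0.113.5 dst=10.102.4.17 proto=tcp len=1500
2012-01-25 22:00:07 BLOCK in=wan src=10.102.0.200 dst=255.255.255.255 proto=udp len=328
2012-01-25 22:00:09 BLOCK in=wan src=198.51.100.7 dst=10.102.4.17 proto=tcp len=60
2012-01-25 22:00:12 BLOCK in=wan src=10.102.0.200 dst=10.102.255.255 proto=udp len=240
2012-01-25 22:00:15 BLOCK in=lan src=192.168.10.50 dst=192.168.10.1 proto=tcp len=52
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    monthly = project_monthly_mib(12.3, 8)  # the post's 8-hour figure
    print("%.1f MiB/month, %.2f%% of a 250 GiB cap" % (monthly, 100 * cap_fraction(monthly)))
```

Run against a day or more of real log, the top_sources list is what you would attach to a complaint to the ISP: it shows whether the dropped bytes really come from the provider's own gateway or from the wider internet, which matters for the scenario in the next section.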

Mischief

Back in the earlier days of the internet, before we had Instant Messaging, we used something called Internet Relay Chat (IRC) to communicate instantly with one another. Most popular IRC servers have “flooding” policies, wherein if you send too many commands to the IRC server in a short enough period of time, the server will disconnect you. One command you could issue is a “ping” command to another user on the network. The other user’s IRC client would then auto-reply with a “PONG” message (these are used to test latency between users).

What could you do with this? Well, if you have multiple systems all sending out PING messages to the same user at the same time, you could in theory get them kicked off of the server! This worked by having you and your friends all set up to send PING messages slower than the allowed commands-per-second rate the server has configured. Because the receiving client has multiple sets of messages to reply to, the larger quantity of replies would put it over the rate limit, effectively performing a denial of service (DoS) attack on the user.

Now why would I bring up some old technology like that in a blog post about ISP imposed bandwidth limits? Take a second to think of this scenario.

There are plenty of free and cheap web hosting services out there. It would not take much to set up several of these to all send bogus packets to a single IP address. Because the ISP then tracks the bandwidth consumption of these packets, regardless of whether the client accepts or rejects them, the customer can then be pushed over their bandwidth limits without any interaction on their part at all.

Here in this next chapter of the internet, I fear this may become the next type of distributed denial of service (DDoS) attack.

If the RIAA/MPAA think you are pirating their media? Simple! Now they can flood your IP address with bandwidth so your ISP knocks you offline!

Say something online that the government takes offense to? No problem, they’ll just flood your IP address now so it looks like someone else is censoring you!

And with all that said, I will now forward the permalink of this post to Click-Network. Odds are they’ll ignore it, much in the same way they’ve ignored every single other email I’ve ever sent them (those other complaints are for a later time).

Posted in Networking, Security | Leave a comment

Old Software Practices – Canon EOS Utility

With the new year comes updating all of the copyright information to 2012. One thing that I do is have my “Owner” and “Copyright” information set on my Canon EOS 50D camera body. What this does for me is the camera will auto-insert this metadata into every photo that I capture. Since I had to replace my broken laptop in the middle of 2011, my new laptop no longer has the EOS Utility software available. This should be a simple fix, right? Simply download the software from Canon’s web site and install it…

!!! WRONG !!!

For their EOS Utility software, Canon is still using the old practice of only offering “software updates” through their web site, not the full application. Except, the software from Canon’s web site is indeed the full application, it is only the installer that has this “update” requirement!

What is this update requirement anyway? It means that a previous version of the software must already be on the system in order to install the software downloaded from their web site. What happens if you lose your initial install CD? You’re screwed! On top of this, I have an older Canon Rebel XT body. The installation CD which shipped with the Rebel XT body pre-dates Windows Vista and 7, and the installer fails to work properly under these operating systems.

So if you have an older camera body with a computer using a new operating system, you cannot install the software at all? Well, it’s not quite this bad.

Luckily, with the current versions of EOS Utility, it’ll simply detect the prior version of EOS Utility off of the CD in your CD/DVD/BD drive. This means that you do not need to actually install the previous version; instead you only need to have the disc handy to do the install. Again, what happens if you lose your initial install CD? You’re screwed!

After my laptop died last year, I had considered getting a netbook as an ultra-portable replacement for the laptop. I already do all of my work on a desktop computer, and basically only use the laptop as a simple web browser and image storage device while on the road. If I would have gone down this route, I would have had another issue. Netbooks do not have CD/DVD/BD drives at all, making it impossible to use the CD to install the EOS Utility. Only two real options are available in this case. The first would be to buy an external optical drive just to “verify” that I have a legitimate copy of the original EOS Utility disc in order to install the copy from Canon’s web site. The second option would be to use my desktop computer to create an ISO image of the original CD (possibly violating copyright laws in the process) just so I could use the software for my camera bodies.


After all of this, the next issue arises with this problem. After finally getting the EOS Utility install and configuring my Canon EOS 50D body, it is then time to move on to configuring the Rebel XT body.

Because this camera body was released before Windows Vista came out, there are no drivers for this body to work with Windows Vista or 7. Even after getting the EOS Utility functional on this laptop, working with the Rebel XT simply wasn’t an option at first.

From here, I turned to my usual solution when working with legacy hardware and software. I booted up Windows XP in VMWare Workstation and forwarded the Rebel XT’s USB connection to the guest operating system.

Here comes the next issue. With today’s wide-screen laptops, the most common screen resolution seems to be 1366×768. Because VMWare runs in a window on top of the desktop, the virtual machine’s screen resolution is slightly lower than this. For whatever reason, Canon’s EOS Utility requires a screen resolution of 1024×768 or greater. This is a very strange requirement for the application considering most of the windows within the application are very small utility windows. The main EOS Utility window is small enough to fit into the archaic screen resolution of 640×480, so why the specific requirement for something much larger?

All of these requirements are imposed only by the application installers, not the applications themselves. This was a huge problem in the early days of Windows 2000, because games would check “Are we on Windows NT?” rather than “Do we have DirectX support?” (Note: Windows 2000 shipped with DirectX 7, and most games worked flawlessly after hacking the installer package to allow them to install.)

Posted in Photography, Software | 1 Comment

SOPA Emergency IP list

A very shocking thing is spreading like wildfire over on Tumblr right now. There is this viral post titled “SOPA Emergency IP list” which lists “details” on how to “access” various web sites in the event that SOPA and/or PIPA are passed and DNS systems become compromised as a result.

Before getting into that post in detail, let me explain some basic pieces of information first.

An IP Address: Think of this like your phone number. Every one in the public space is unique. Every phone has a unique phone number you can call. Every computer on the public internet has a public numerical IP address which is used to uniquely identify it and allow other computers to “call” it. These numbers are usually expressed in the form of 4 groups of numbers ranging from 0 to 255. (Note: this article is referencing IPv4 only, IPv6 will be discussed another day)

Domain Name System: DNS for short. This is the process of converting human readable text based “domain names” into numerical IP addresses. As an example, you’re currently reading this post from Darkain.com. In order to do so, in the background, your computer made a DNS request which converted that name into the numerical IP address 209.147.125.210. This process is known as “Name Resolution” and is performed by a “DNS Server”.


Okay, now that you know what IP addresses and DNS name resolution are, let's get down to business with this scary trend and what it REALLY means. The US SOPA/PIPA bills threaten to break the ability of DNS servers to properly resolve certain domain names. There are plenty of documents circulating the internet which describe the process of these bills far better than I ever could. Those bills are not the focus of this article. The purpose, rather, is to address falsified ideas that are spreading across the internet because of it.

This is a list that is spreading like wildfire across Tumblr right now. As of this post there are over 36,000 reblogs of it. My big concern is that whoever published this list initially did not do their homework one bit in terms of how the internet and DNS system actually function together to help deliver a reliable end user experience.

Let's take a look at the very first IP address on this list. According to what they’re publishing, we should simply be able to put that IP address into the browser and get the same web page as we would if we typed in the name of the site ourselves, right? According to what I’ve described above, DNS names are simply translated into IP addresses and it is really the IP address which is used, so this should all work perfectly as normal, right?

!!! WRONG !!!

Go and take a visit to http://174.121.194.34/ and this is what you’ll find. It is a “NOT FOUND” page! But wait, what gives? This is the same IP address returned when attempting to connect to http://www.tumblr.com, so why would it return a different page?

What is really going on here? Well, it turns out that web browsers, when connecting to a web server, pass along the name of the web site as well. So after DNS name resolution and IP access occur, the domain name is used a second time in accessing the particular web site. This can be seen in the highlighted “host” field which is passed along to the web server.

So why is the name being used twice? Why do the IP address AND the domain name of a web site matter to the web server? With the IP address alone we can already contact the web server which has the web site we want on it! Well, it turns out that to help the internet grow, HTTP/1.1 introduced this “host” setting to allow multiple domains, and therefore multiple web sites, to reside on a single IP address. As you can see from this screen shot, both the Darkain.com and Repost.me domains reside on the same public IP address.

So then what is going on with Tumblr? They only have one site on that IP address, right? WRONG! They have to manage multiple domains through it. An example of this would be my photo blog: http://photoblog.darkain.com/ – This address resolves to the same IP address as the Tumblr server because they’re the ones hosting this service for me. How do the Tumblr servers know which blog should be presented to end users when their IP address is accessed? Yeah, that’s right. This is exactly what the “host” field is for when the web browser connects to the web server!

The main reason for this post is how troubled I am by the person who made that initial posting on Tumblr. They took the effort and time to track down and compile this vast list of IP addresses of several major web sites around the world. What they failed to do was to test even the very first IP address on their own list to see if it would even work.

UPDATE 2012-01-20 9:00AM: There is now a new list traveling around Tumblr. They've updated Tumblr's URL to also include "dashboard" as part of the URL: 174.121.194.34/dashboard – The problem with this? Try visiting that page. It is a redirect page to http://www.tumblr.com/dashboard, which again is the named version of the web site. This still requires DNS name resolution of tumblr.com once again, making it impossible to access without access to the DNS servers for this domain.


!!! TO COMPLICATE MATTERS EVEN WORSE !!!

Described above is only ONE issue with simply using IP addresses to access websites in the face of SOPA/PIPA taking down the DNS system. Here are some more real-world examples, though given in far less detail for the time being. Each of these topics will be expanded upon in future "server optimization" articles written on this site.

1) Elastic IP Addresses – This refers to having a non-static IP address. This is common for home users wanting to access their computers while on the road, who may set up a service such as DynDNS to manage this for them. This is now becoming a commonplace idea in the commercial sector as well with the emergence of services such as Amazon Cloud Computing. Using services such as these, IP addresses often change to reflect various server changes over time.

2) Geographical IP Addresses – An optimization employed by larger corporations is to set up data centers with servers as close to end users as possible. As an example, Google recently opened a data center in the Seattle, Washington area. My current home is in the Tacoma area, approximately 35 miles south of there. Before this data center went into place, my ping times to the Google servers were in the range of 50-75ms. I now get consistent ping times around 20ms with this new location online. What does this mean? Different IP addresses for different locations! How does this work? Companies such as Google have geographical profiles of where their servers are located, as well as profiles of where the IP addresses which request the DNS name resolution are physically located. The DNS results that they return are optimized for the shortest and quickest possible route to the requesting user.

3) DNS Based Load Balancing – Some services exist on multiple IP addresses. The IP address that the DNS server returns for a given domain name you request may differ from the one returned to the next person who requests it. While both IP addresses lead to end-point servers with the same content, you and the other user were given different IP addresses, and therefore the server resource load is split between the two physical end-point servers.

Now start combining all three of these together. Yes, this is indeed a very real thing, and becoming a much more commonplace practice than you might think. Because a DNS record may be updated at any time, new servers with mirrored content can come online or go offline at any time. With cloud computing and elastic IPs, these addresses can easily change from day to day. To server administrators, most of this process is fully automated and eases scalability and disaster recovery. To the end user this means a seamless experience as remote servers are upgraded or repaired.

One example of all of this would be the IP address ranges for Google Apps servers. Note that they list both current AND former address ranges on this page. Also please note that these ranges are large blocks which contain over 4,000 addresses each. Source: http://support.google.com/postini/bin/answer.py?hl=en&answer=141669

Posted in Security | 2 Comments

Adobe Photoshop Lightroom 4 – First Impressions

First let me say that I’ve been using Lightroom since the early days of version 1.0. Lightroom has been the cornerstone of my photography workflow process since then. I use a wide range of functionality of the application, from metadata tagging and editing, to tethered capturing, to dumping and backing up my RAWs from CF cards, to editing, and to printing.

The Lightroom 4 Public Beta was released earlier this week. With my return home from Anime LA being at the same time, I’ve decided to go straight into production with the LR4 beta with this catalog.

The very first thing I noticed instantly was the “Basic” controls in the develop module. These have been revamped from previous versions.

1) “Brightness” has been removed.
2) “Recovery” has been replaced by a combination of “Highlights” and “Whites”
3) “Fill Light” has been replaced by “Shadows”
4) All values now default to ZERO, and support negative and positive values.

I've found this makes working with highlight and shadow recovery quite a bit easier to deal with.

The next major change is the inclusion of the “Maps” module. With this, it is now easy to geotag physical locations where images were taken. I’ve spent quite a bit of time doing this using Flickr, so being able to do this before publishing there is a huge bonus! This module uses Google Maps for its imaging, so it has a great deal of control for precise placement of images on the map.


Lightroom 4 is still a beta, though, and this needs to be taken into consideration. I've highlighted some bugs and issues I've had with Lightroom 3 in the past. Testing these in Lightroom 4 shows they have not been addressed at all yet.

First, Lightroom's export is multi-threaded, and the export threads run at "Normal" priority. This by itself isn't an issue, unless you're trying to multi-task. Lightroom creates a thread per core on the CPU, and uses the maximum amount of processing resources available per thread. When doing this, other applications running at "normal" thread priority are competing for the same CPU resources as Lightroom. Because of this, attempting to take a break and browse the internet or use other applications while Lightroom is exporting becomes extremely slow. If the thread priority for the exporting threads were dropped to "below-normal", this would be instantly fixed.

The other main issue that was introduced with Lightroom 3 and not corrected in this beta is the "Constrain Crop" bug. This is a very simple one to reproduce.

1) Take an image in portrait orientation.
2) Set “Distortion” to a positive value
3) Enable “Constrain Crop”
4) Attempt to move the crop location around the image.

When doing this, the constrain crop has the X and Y coordinates reversed, so there is a large section of the image which cannot be selected with the crop tool anymore. This ONLY affects portrait orientation images. I've personally reported this bug several times ever since it was introduced in Lightroom 3, so I'm quite sad to see that as of the Lightroom 4 beta it has not been addressed at all.

From the screen shot below, there is room to move the crop up and down, however Lightroom does not allow this to happen. As soon as the image is rotated 90 degrees, it works as expected again.

Posted in Photoshop | Leave a comment

WHOIS Domain Owner Information

“WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.[1] The Whois protocol is documented in RFC 3912.”
http://en.wikipedia.org/wiki/Whois

What does this mean for you as an end user? Not a whole heck of a lot.

What does this mean for you as a content publisher online? Quite a bit more than you may realize!

When you register for a domain name (example.com is a good example), the registrar asks you for all sorts of information that we are used to putting in for billing purposes. BUT, did you know that most of this information is made publicly available?

While looking up information to help a client move their domain name from one hosting company to another, I had to do a WHOIS request on their domain name to find out their authoritative DNS servers. In the process, I skimmed over their other WHOIS information and was quite shocked at the amount of personal information that they have readily available right in front of me. This particular client had their full first and last name, home street address (including city/state/zip code), and personal phone number.

There are many WHOIS personal information protection systems in place throughout the internet. This is a reminder that you should check your domain registration information to see what information you are freely handing out!

To check the information made publicly available for your domain name or any others on the internet, check out the following web site: http://www.networksolutions.com/whois/index.jsp
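An added example, not part of the original post, of doing this check from the command line rather than a web form: a minimal RFC 3912 client (TCP port 43, query plus CRLF, read until close) and a parser that pulls out the authoritative name servers and flags registrant contact fields that still carry real personal data instead of a privacy service. The WHOIS record below is constructed for offline use; `whois_query` itself needs network access, and the field names assume the common "Key: value" registrar layout.

```python
import socket

# RFC 3912 exchange: open TCP port 43, send the query followed by CRLF, then
# read until the server closes the connection. Needs network access.
def whois_query(server, query, timeout=10):
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_fields(response):
    """Split a 'Key: value' style WHOIS response into (key, value) pairs."""
    pairs = []
    for line in response.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith(("%", "#", ">>>")):  # skip comments/notices
            pairs.append((key.strip(), value.strip()))
    return pairs

def name_servers(response):
    """Authoritative DNS servers, the field the post was actually after."""
    return [v.lower() for k, v in parse_fields(response) if k == "Name Server"]

# Registrant contact fields that leak personal data when filled with real
# values instead of a registrar privacy/proxy service.
PII_FIELDS = ("Registrant Name", "Registrant Street", "Registrant City",
              "Registrant Phone", "Registrant Email")
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "protect", "whoisguard")

def exposed_pii(response):
    """Return {field: value} for registrant fields that look like real personal data."""
    found = {}
    for key, value in parse_fields(response):
        if key in PII_FIELDS and value:
            if not any(m in value.lower() for m in PRIVACY_MARKERS):
                found[key] = value
    return found

# Constructed sample record (not a real registration) in a common registrar layout.
SAMPLE_RESPONSE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Registrant Name: Jane Doe
Registrant Street: 123 Main St
Registrant City: Tacoma
Registrant Phone: +1.2535550100
Registrant Email: jane@example.com
"""

if __name__ == "__main__":
    print("DNS:", name_servers(SAMPLE_RESPONSE))
    print("Exposed:", exposed_pii(SAMPLE_RESPONSE))
```

Registrars format records differently and many now redact fields outright, so treat an empty result from `exposed_pii` as a prompt to read the raw record, not as proof that nothing is published.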

WHOIS Domain Registration Information

Posted in Networking, Security | Leave a comment

Reset Print Spooler Service

Lately one of our clients has been having issues with their printers on one particular machine. Rebooting the machine solves everything, but takes quite a while and the downtime is too long. Digging deeper, it appears that simply resetting the Print Spooler system service solves all of the various issues that occur.

The process of going in and resetting system services can easily be too complicated for average end-users, so we put together a simple script for them. Initially the script was written as a .BAT file, but this had limitations because it ran with normal user rights instead of administrator rights. The user could right-click and "Run as Administrator", but this added an extra unneeded and often forgotten step. To take things one step further, we wrote up the simple script using NSIS, which is forced to run as administrator because Windows thinks that it is an installer application.

This script can easily be adapted to any service name on the system.

NSIS Script:

;--------------------------------
;Configuration

  ;General
  ; Change "service" to any Windows service display name to adapt this script
  !define service "Print Spooler"
  !define name "Reset ${service} Service"
  Name "${name}"
  OutFile "${name}.exe"

  ; No installer UI; the section runs as soon as the .exe is launched
  SilentInstall silent


Section "${name}"
  ; Stop and restart the service; ExecWait blocks until each command returns
  ExecWait 'NET STOP "${service}"'
  ExecWait 'NET START "${service}"'

  MessageBox MB_OK "${name} has completed"
SectionEnd

Download Reset Print Spooler Service.exe

Posted in Quick Fixes, Source Code | Leave a comment

Individual Artistic Profiles

I recently had a discussion with some friends of mine on what the definition of "art" was, including what counts as "art" vs what is simply "there". Naturally at the end of this conversation, no two people had the same exact idea of what counted as "art" or what actions counted as the creation of "art", and we simply had to agree to disagree. From here I decided to start developing the concept that everyone has an "Individual Artistic Profile" in terms of what they thought was good art vs bad art, or even classifying something as not being artistic at all.

And now for the real reason of this rant! I’ve been in contact with several people about potentially doing photo shoots here in the near future, such as here in the Tacoma/Seattle area, down in Reno, and at Anime-USA. I’m constantly being asked “what sort of shoots do you have in mind?” and to be quite honest, I think that the 140 character limit of Twitter makes it a little difficult to explain what I have in mind.

If you want to have the most absolute artistic photo shoot possible, you must first figure out something about yourself. You must find out what you believe to be artistic, focus on this, and then try to recreate it. Do you ever say to yourself anything along the lines of “Ooo, I sure do look good wearing blue”? If so, have you ever taken a step back and asked yourself why? This is a part of your artistic profile, but only a small part.

There are many categories to the artistic profile, and many sub-categories thereof. In the example above, the category “color” is used. This does not mean that everything in the photo should revolve around “blue” as this is only one aspect of the profile. The color(s) of the environment around you is also important. Is the background a blue-ish color to match the outfit? Or is it a goldish color to give it contrast? Maybe the background is green to help accent your green eyes?

Color is only the beginning of this! We can easily extend this out to countless other categories, such as poses, camera angles, elemental aspects (weather, landscape, AND color), emotional (happy, sad, cute, sexy, insightful, other worldly, distant, etc), and much more.

And now for the tricky part… None of this information is static at all either. What you love one day you’ll end up hating the next. We grow over time, and so do our artistic natures.

So, “how do we use this information to create better art?”

The first part is simple. Ignore yourself for a moment. Go out and look at other people’s artwork. With the internet, this is really easy with the vast amount of artistic oriented web sites. Start recognizing what you like, what you absolutely love, and what you hate. Do this passively over time, and start building a collection of sorts…

And now comes the hard part… Start to identify trends with the images you’ve selected over a period of time. Try to find the subtle relations between each of them. Look at each photo closely and start identifying what it is about the image you love so much. Is there really interesting and dynamic lighting? What about some unusual makeup that draws you in? How about the location the photo took place at?

Now start imagining yourself in those situations when those images were created. Try to imagine where each person was standing, what they were doing and what they must have been thinking. Oh, and here is a fun little secret… Just find the people who created a particular piece, and just ask them!

Start to identify who you want to be, not who you already are. Look to the future and dream of the scene you want to create. You are the star actor of your own dreams, and it's our job to make that dream into a single instance of reality which we call a work of "art"!

For those of you that are interested in working with me to do photo shoots in the future, I encourage you to start thinking about who you are and who you want to become. I also ask that you contact me with these insights ahead of time, so that we may dream this dream together.

Posted in Rant | Leave a comment

Visual Basic Source Code

I have uploaded all of my old Visual Basic 6.0 and earlier source code. This code is being provided as free for use for any purpose. All of the code was written in 2001 or earlier. Due to the age of this source code, it probably has no real value outside of being a basic learning tool for someone new to programming.

You can find all of the code here: Free Visual Basic Source Code

Posted in Software, Source Code | Leave a comment