The way it works is pretty simple: the IPv6 prefix 2002::/16 is allocated specifically to 6to4 tunneling. If you set up a tunnel to 192.88.99.1 (which is an anycast IP address), you will be able to use 2002:xxxx:xxxx/48 as IP address space (where xxxx is your public IPv4 address in hex). So for example if your public IPv4 IP is 192.0.2.240, you will have 2002:c000:02f0::/48 as publicly routable IP address space!

I found a great site that explains how to configure this kind of 6to4 tunnel on various operating systems. It tells you what your current IP is and tells you how to configure the tunnel based on that IP. You can also specify an IP to use.

Using this, I experimented with both Comcast and CenturyLink and found CenturyLink’s 6to4 relay to have significantly lower latency. I also discovered, from traceroutes, that CenturyLink appears to be using a 6to4 relay at Hurricane Electric!

The nice thing about this is that you don’t have to sign up for account or anything. You just configure it properly and it works. With a /48 all to yourself.

Related articles

• How the End of IPv4 Affects Email and Hosting (circleid.com)
• David Tomaschik: IPv6: On my Linode, and at Home (systemoverlord.com)
• I’m already hating the IPv6 (erratasec.blogspot.com)
• Tech giants to enable IPv6 on “World IPv6 Day” in June (arstechnica.com)
• How To Enable IPv6 On Windows XP (ghacks.net)
• IPv6 Basics I (marienfeldt.wordpress.com)

Related Posts

• Getting Closer To IPv6?
• Why We Need To Go To IPv6. Now.
• Speaking IPv6–Privately
• Speaking IPv6
• I am the IT department

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Turns out they did: RFC4193. The prefix FC00::/7 has been set aside as Unique Local IPv6 Unicast Addresses. This accounts for roughly 0.781% of the total available IPv6 address space, which is still a lot of addresses. In fact, it works out to roughly 2.2 trillion /48 networks, each of which could be used to allocate 65,356 /64 networks (the smallest recommended network size in IPv6), on which each network can have more than 18 quintillion individual addresses (or the square of the entire IPv4 address space)!

That’s a lot of addresses. Not that anyone will come anywhere near putting that many hosts on a single subnet, but it does leave a lot of room to solve a common problem when interconnecting private networks with a VPN–address collisions.

After the first 8 bits of a private IPv6 address, the next 40 bits are designed as a global ID. Even though each site will generate this independently, assuming they generate their global ID randomly, the odds that any two sites who might interconnect will have the same global ID is roughly 1 in 1.81 trillion. Even if 100 sites connect together, the odds of any two sites colliding is roughly 1 in 4.5 billion.

The next 16 bits of the IP are the subnet ID, so within a particular global ID, you have 65,536 subnets. That’s a lot of networks!

Of course, you still have the same challenge in IPv6 that you have with IPv4 when it comes to private addresses: if privately addressed machines need to talk to the Internet, you will still need to employ NAT. I don’t know that NAT is inherently more difficult in IPv6 than IPv4, but it does require more resources–the IP addresses are a lot bigger. However, despite having more than enough addresses for everyone to have a public, Internet routable IP, NAT will never completely go away.

Comments

• 3 February 2011, Aaron Huslage writes: Why do you want/need to NAT with IPv6? There's simply no reason. I have a /64 AND a /48 at home...and there are plenty of addresses. This applies similarly to businesses. NAT is obsolete. It's not a valid security apparatus (networks can be mapped externally with pretty straightforward techniques). It's not needed in IPv6 because there are simply enough public addresses.
• 3 February 2011, PhoneBoy writes: Even with more than enough IPs, I fully expect NAT will continue to be a reality in IPv6 networks. Perhaps not as prevalently as they are in IPv4, but it will still exist. Especially if consumer ISPs like Comcast decide not to route a subnet to us (even though there are more than enough addresses to do this).
• 3 February 2011, Atlanta Roofing HQ writes: Yeah like they said, this has been talked about many times in the past, this just makes it a bit more urgent than before.No need to panic, IPv6 is FULLY supported and ready for adoption by all modern devices.. besides which this is Internet routing, it will NOT affect Workstations, home routers, and ability to get on the Internet with phones anyway. this only applies to websites.
• 3 February 2011, Lindsay Hill writes: Yeah, I agree that NAT will continue to exist. I've worked in some fairly large networks, where everything was publicly addressed, but you still did NAT because you wanted certain traffic to route in certain ways. Sometimes this was for technical reasons, sometimes it was for political reasons. It wasn't for reasons of security. A lot will depend on how the ISPs handle things too - e.g. Comcast is only giving end users a /64 in its trials. What about home users that want to run multiple VLANs internally?
• 3 February 2011, PhoneBoy writes: They can always charge for another /64 like they currently do with static IPs. :)
• 4 February 2011, Tweets that mention Speaking IPv6–Privately -- Topsy.com writes: [...] This post was mentioned on Twitter by PhoneBoy/Dameon, mpgcomp. mpgcomp said: RT @PhoneBoy: Speaking IPv6–Privately http://dlvr.it/FlThG [...]
• 7 February 2011, EtherealMind writes: This RFC has been 'canned'. Although it shows as being standards track, I'm told that the current voting is against it and none of the vendors are supporting it. At this time, the use of NAT66 is deprecated.
• 7 February 2011, PhoneBoy writes: We both know that clients often do "non-recommended" things. NAT is one of those things. It's always been a kludge of sorts, but given the limited address space for IPv4, necessary. Given the current state of IPv6 address space, I don't see it being necessary for quite some time. That said, it won't prevent customers from wanting to do it for various reasons, despite what the IETF might officially think about it :)
• 7 February 2011, EtherealMind writes: Customers might want to do it, but the vendors aren't currently implementing it. And people who think they should do it, need a good spanking. NAT is not and never was a security feature, it's technology override for limited public address space. IPv6 has 294 untillion addresses and doesn't need the limitations of NAT which prevents source validation, end to end user authentication and the return of protocols that have meaning in the payload. Much easier to build and operate firewalls that do not use NAT. Really.
• 7 February 2011, PhoneBoy writes: No arguments from me on any of this, though I will argue that NAT does provide some level of security (specifically the NAT-PT done in most home routers). It does so at the expense of end-to-end connectivity, of course. You can get the same security that NAT-PT provides by a properly configured firewall, which is much simpler when NAT isn't involved, for sure. Unfortunately, configuring a firewall is beyond the capabilities of most end users :)
• 7 February 2011, EtherealMind writes: Not really. NAT provides no security at all other than to obfuscate the source IP address of the host - which is no security at all. A firewall performs the security functions of preventing inbound/reverse connections. Once firewalls no longer have NAT software, we can hope that vendors will add better security features such as malware scanning, protocol inspection etc. That's the win.
• 7 February 2011, PhoneBoy writes: If I am using private address space behind my router and that router is hiding all outbound traffic behind a single public address, there isn't a way for something outside my network to initiate a connection inside without my explicitly configuring, say, a mapped port or DMZ. That's admittedly not total security, but it's something. Of course, with the threat models evolving the way they are, it's nowhere near enough And let's be clear: I'd love to get rid of NAT. I'm just less optimistic it will go away.
• 7 February 2011, EtherealMind writes: The mapping process is a requirement of NAT or more correctly PAT. It's the firewall that prevents inbound connections not the NAT process. Once upon a time you could reverse a NAT connection to attack the source (when NAT / PAT was a feature on Routers). After that we always implemented NAT on firewalls to provide security. It's important to understand that NAT isn't part of the security even though it looks like it is. Its the firewall software that also has NAT in it.
• 7 February 2011, PhoneBoy writes: I guess you're right, it's not the NAT itself but it's the topologies that require NAT and the basic "don't allow anything in" rule that creates the security. NAT just makes sure everyone can talk to each other, it's not security. :)

Related Posts

• Getting Closer To IPv6?
• Why We Need To Go To IPv6. Now.
• Speaking IPv6
• Your ISP May be Trialing IPv6 Already!
• CPshared and CPUG: A Couple of Observations

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

The first thing I noticed was the packaging. A complete lack of technical jargon or marketing about how this router compares to the others they sell. There most technical things on the box are in small print and are just basically a list of system requirements and a warning that, due to a number of factors, your wireless speeds and range may vary.

When I did the initial setup, I used my Mac–usually a stumbling block for these so-called “easy setup” programs. The Easy Set Up key is little more than a Flash drive that contains some documentation and the Cisco Connect application. Launching the Cisco Connect gives you a screen that tells you to do do three things:

• Plug the router into your Internet connection
• Plug the router into your power
• Click next

In less than the five minutes it tells you it could take, I had a screen that told me my router was set up and I was connected to it. Sweet! You could, of course, do some additional configuration of the router. A very simple interface is presented for doing this (click image for larger view):

The add device option gives you the settings you need to configure a device. Obviously, it’s going to vary by device manufacturer. Once it has detected the device has connected, you can then “name” the device for later. Handy!

I didn’t mess with the parental controls–I almost never find them granular enough for my tastes. However, it appears they do some category-based URL filtering and allow you to blacklist sites. The problem is the restrictions are per-host, meaning you have to select the individual hosts that you wish to restrict. You also can’t whitelist sites or create a default URL filtering policy that applies to all connected hosts. That said, it’s more functionality than I’ve seen in a typical consumer router.

The guest access feature is quite handy as well. Cisco Valet creates a second (open) SSID that your guests can use to access the Internet. It is segmented off from your regular wireless network and presents a captive portal to your guests, whom must enter a password before they are allowed access to the Internet:

Of course, you can disable this feature as well.

When the router is first configured, the SSID is set to a random adjective-noun word combination and the password is set to a 10 character random string. In the Valet Settings, you can change these things to something. You can also save this to the Easy Setup Key (or create a new one using any standard USB thumb drive) that will allow you easily configure other Mac or Windows computers in your house with the correct wireless settings.

And, of course, there’s the Advanced Settings, which fires up a web browser with a typical Linksys-style web interface for configuring the router (though it is entirely Cisco-branded now). This is where the geek settings are, of course, and are, “advanced.” I’m sure given the relatively ease through which computers can be added and the basic settings can be configured, there will rarely be a reason for most people to ever visit the advanced settings.

But Is It Secure?

Most reviews stop here. They are quite happy that someone has finally come up with a wireless router that almost anyone with even rudimentary computer knowledge could configure and use. That is a feat worthy of praise, no doubt.

I am not most people. I wonder, in the back of my mind, does Cisco make this device easy to use, yet actually make it secure? The answer is not surprising–to me at least.

First, it’s probably worth pointing out that I work for a competitor to Cisco: Check Point Software Technologies. We don’t compete in the consumer market, really, but we certainly in the enterprise network security market. That doesn’t affect my opinions here, but I figure I should disclose that since some might consider it a conflict of interest.

Prior to proceeding with the setup wizard, I saw what the router was broadcasting by default–a WPA-protected access point named CiscoXXXXX (where XXXXX corresponded to the last 5 digits of the device serial number). My guess is the router is preconfigured with some default WPA password that the Cisco Connect software then changes to something else, which it then tells you after the setup is complete.

Cisco gets props on a number of things security related:

• Choosing a random network name (SSID)–most manufacturers use a known default
• Configuring WPA as a default
• Choosing a random password that contains numbers, upper and lower case letters, and special symbols

All three of these things are good. By choosing a random SSID and a random password, it makes it harder for someone to brute-force (i.e. guess every possible password) access to the wireless access point.

While these are far better than what I’ve seen from others, it’s, unfortunately, not enough. To be relatively safe from a brute-force attempt, the passphrase needs to be at least 20 characters–random ones at that. Also, it defaults to WPA/WPA2 mixed mode, which allows you to use the TKIP, which may be needed for some legacy hardware, is not the most secure. You can change to WPA2, which only supports AES. It would be nice if you could change the rekey interval, but I don’t see a way to do that from the advanced settings.

There are a couple of other dangerous settings enabled by default:

• Universal Plug and Play is enabled by default (which, when paired with malware, could easily make your computers more vulnerable to attacks)
• WMM Support (in the QoS section) which, when enabled, makes your network a little more susceptible to hacking when WPA (not WPA2) is enabled.

The Nintendo DS Factor

One rather common WiFi-enabled device in any household with children is the Nintendo DS. This device does not support WPA at all. Even the newer DSi, which does support WPA, doesn’t support it for DS games. This means, if you want your kids to be able to use the WiFi features of their DS games, they won’t be able to use them unless you use WEP for your wireless security, which is not recommended.

This is, in my opinion, one big disappointment with the Cisco Valet. There is no way to allow a Nintendo DS to use the Guest wireless without using WEP. They could very easily allow the whitelisting of certain MAC addresses to be allowed to access the Guest wireless (which is open, unencrypted, and will work with the DS) without requiring web-based captive portal authentication.

Other Minor Gripes

The Cisco Connect software allows you to configure items that cannot be configured with the Advanced Settings interface, namely the Guest wireless access. I would like to be able to change the default IP range used for the Guest wireless and, possibly, whitelist certain machines as I described above.

By default, the router administration password the same as the WPA password. This does make it easier for end users, but I think you should be able to set them independently in the Cisco Connect software.

I also do not see a way through the Cisco Connect software to upgrade the firmware for my router. This is a necessary, sometimes daunting task, especially given the number of hardware variations that can exist even with the same model. There’s no reason Cisco couldn’t have made this process as simple as they’ve made everything else–push a button and it takes care of the rest.

And, of, course, my security gripes above. While they went a lot farther than I’ve seen other manufacturers go, they could have gone just a little farther in choosing more secure defaults, possibly with an optional “security settings” page so you don’t have to hunt in the Advanced Settings interface to make the wireless connectivity more secure.

All in all, though, I am very impressed with the product. I could easily see myself recommending this product to my non-technical friends and family as a dirt simple way to share their Internet connection and create their own personal wireless hotspot.

The only people I cannot recommend this product to are Linux users who lack a Windows or Mac machine on which to run the Cisco Connect software. Since the initial setup of this router cannot happen without the Cisco Connect software, which does not run on Linux, your “out of the box” experience will be less than fulfilling. You only need the software the first time, of course, but you might be better off with a Linksys-branded router.

So yes, Cisco did it. They made WiFi easy for normal people to set up. Using the Easy Setup Key, I set up four different Windows computers with my Cisco Valet settings in a matter of minutes. It was drop-dead simple. I wish they spent a little more time on the security side of things, but this is a tough one to do without making things more inconvenient for users. Given what Cisco was aiming for here, I think they nailed it.

Comments

• 13 February 2011, The Cisco Valet: Easy Setup, but is it Secure? - Wireless Network News writes: [...] Cisco Valet: Easy Setup, but is it Secure? The PhoneBoy Blog / 29th Jan 2011 Nintendo [...]

Related Posts

• Wait, Doesn’t Cisco Have the iPhone Trademark?
• Cisco’s Trademark Case Against Apple “Silly”
• Sipura gets acquired by Linksys, er Cisco
• Cisco Sues Apple over iPhone Trademark!
• Is Security Holding VoIP Back?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

To put it in perspective, as I write this, there is still a few /8 addresses unallocated by the IANA, which are distributed to regional registries, which are then responsible for distributing the IPs to ISPs, whom in turn distribute them to you. A /8, in IPv4, is 16,777,216 IP addresses. That seems like a lot of addresses, until you realize that, depending on how those IPs are allocated, the number of usable IPs ends up being a bit less.

Even so, once IANA runs out of /8s, the individual registries and ISPs still likely have caches of IPv4 addresses. The problem of address space exhaustion probably won’t show any acute symptoms immediately, but the lack of IPv4 addresses (and the lack of wide deployment of IPv6) will start causing problems soon, creating pockets of servers that can only be accessed by one protocol or another.

We’ve actually been working around the problem of address exhaustion in the IPv4 space for some time now using network address translation. That router you get from your local consumer electronics store has been masquerading all of your computers behind a single, public IP address, providing you both a level of protection and connectivity.

Enterprises do much the same thing, except their boxes are significantly larger and they also might provide services accessible on the Internet, which means: they need more than one public IP. Also, some enterprises have so many connected systems that they have, quite literally, run out of available private IP addresses (some IPs in the IPv4 space are set aside explicitly for private, non-Internet connected use).

In any case, the pressure is mounting to switch to IPv6. Given that some of my customers are asking about IPv6, I figured I’d get myself educated. I happen to have access to one of the people who helped define the IPv6 standards in the IETF (he works at Check Point), but there’s really no better way to learn about it than to just get it set up.

Of course, part of the problem right now is that my ISPs at home (Comcast, CenturyLink) are still serving me IPv4 addresses. Fortunately, there are ways of tunneling over IPv4 to the IPv6 networks. One such service is TunnelBroker, run by the folks at Hurricane Electric. They tunnel IPv6 packets inside of IPv4 packets (more specifically using IP Protocol 41, designed for this purpose).

I had it working on an old Linksys router I had flashed with TomatoUSB and hacked a bit. I had IPv6 flowing through my network and was able to reach a few sites over IPv6. Then I had the realization that I was no longer protected by my router. I was now directly reachable–without a firewall! While I could fix that, I think that’s enough experimentation for now.

I guess the point is: I can make it work today. However, few people are going to want to do what I had to go through to make it work. Every hop in the network has to be IPv6 friendly and IPv6 enabled. For the home user, it’s going to have to be as simple as plugging in a router. We’ll get there, but it’s going to be a bumpy ride for the next few years.

Comments

• 20 February 2011, A. T. writes: when I noticed Hurricane Electric mentioned, immediately I recalled "Running IPv6 in practice" http://www.debian-administration.org/article/Running_IPv6_in_practice ... could be great if you tag all your IPv6 posts with particular tag ;)
• 20 February 2011, PhoneBoy writes: I was thinking about doing that anyway, thanks for reminding me!

Related Posts

• Getting Closer To IPv6?
• Speaking IPv6–Privately
• Why We Need To Go To IPv6. Now.
• Your ISP May be Trialing IPv6 Already!
• Innovate Or Get Out Of The Way

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

While this 3G travel router from Aluratek (sent to me for review) does not have everything I’d want to see in a router–I’ll get into the shortcomings later–it has enough features and is stable enough that I’m recommending it. It’s a cross between your typical travel router and a MiFi–actually more like a Cradlepoint device. You have to provide the 3G or 4G dongle. The good news is you can use it with any provider you can get a USB dongle for, assuming the modem is on the compatibility list. A large list of modems is supported, so it’s pretty likely yours is.

Like the MiFi, it’s battery powered. Unlike the MiFi and similar routers, it charges with a wall wort. I asked the PR firm that sent me this router for review about charging over USB, this is not supported. It does allow you to use the device plugged in, though, which is handy.

The router comes with a setup disk for Windows, which being a Mac user I ignored. Of course, the router works with a Mac just fine (it speaks IP, after all), there were no instructions provided in the box for how to configure the router for a Mac. I was able to figure it out pretty easily, being someone quite familiar with networking.

As I stated before, the router supports 3G/4G dongles from the major vendors. Unfortunately, unless you know the dial string and username/password from your 3G/4G provider, you will have a difficult time getting this working. Having done this numerous times on AT&T for various devices, I remembered the magic incantations needed (namely the APN to use, dial string, account and password). It would be nice if they provided the information for the most common providers or, better yet, let you choose from a menu in the firmware of known provider configurations.

The router itself can be used for making your 3G/4G dongle accessible from multiple computers (of course), but the device also has a LAN port. This LAN port can either be used to provide a wired host access to your 3G OR you can use it as a WAN port, allowing you to make a wired hotel connection wireless.

The router also has a removable battery, which means it can be used like a MiFi. The battery gets roughly 4 hours of battery life. I did not test that claim, but I did keep it in my bag for several weeks and didn’t bother to charge it. I used it periodically and did not run out of power during that time.

To field test this router, I took an AT&T 3G card I had, took out my SIM card from my iPhone and put it in. I used it in a few unusual places to test how well the device works. This includes: a Starbucks, a Virgin Mobile airplane (on the ground of course), a hotel room in the middle of Silicon Valley, and of course here at home. All of these places had their own WiFi that was suboptimal. (Starbucks usually has ok WiFi, but the day I tested this, it was particularly problematic)

I’m not sure if the router is to blame for this or not, but sometimes when I power on the router with the 3G dongle attached, it does not connect to the Internet properly. I find if I power cycle the router again and restart, the 3G connection comes up in roughly a minute. Once connected, I have relatively fast Internet through AT&T’s 3G network.

The router itself has fairly typical configuration options: DHCP Server (can set static DHCP reservations and/or disable), Port Forwarding (for allowing connections inbound on specific services to specific hosts), outbound packet, domain, and URL Filtering (manual), MAC-level filtering, Dynamic DNS support, routing (including support for RIPv1 and RIPv2), SNMP and even “scheduled rules” (rules enabled at specific times). The web interface is not terribly cluttered, provides context sensitive help, and is easy to use.

The router along with a short Ethernet cable is provided in a travel bag. It would be nice if the wall wort also fit into this bag. Either the wall wort needs to be a little smaller or the bag needs to be a little bigger. Bonus points if it can also fit a typical 3G dongle as well.

All in all, there’s a lot to like about this router. It provides an above-average set of functionality out-of-the-box. The documentation needs to be better for non-Windows users and they need to provide information on how to configure the router to work with different 3G networks. If you can get past those hurdles, it’s a good deal at ~$80 on amazon.com.

Related articles by Zemanta

• Cisco Tries to Make Wi-Fi Drop-Dead Easy (technologizer.com)
• iPad Hits a Bump: Wi-Fi Woes Point to Apple Bug (readwriteweb.com)
• Netflix Reviewed: The iPad’s First “Killer App?” (gigaom.com)
• Franklin Wireless intros U600 WiMAX modem, R526 and R536 mobile routers (engadget.com)
• Sprint 4G: going into Overdrive (blogs.chron.com)

Related Posts

• Why Troubleshooting VoIP Issues is Hard
• Frankenrouters and Rethinking the WDS Mesh
• Power Is Hard to Find in ORD
• A SatNav From the 1920s!
• Darla Mack Giving Away a Nokia N76!

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

This is my network. There are many like it, but this one is mine. My network is my best friend. It is my life. I must master it as I master my life. My network, without me, is useless. Without my network, I am useless. I must send my packets true. I must block packets faster than my enemy who is trying to pwn me. I must pwn him before he pwns me. I will….

My network is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weakness, its strength, its clients, its servers, its switches, its routers and firewalls. I will keep my network clean and ready, even as I am clean and ready. We will become part of each other. We will…

Before God I swear this creed. My network and myself are the defenders of the world. We are the masters of our enemy. We are the saviors of my life. So be it, until there is no enemy, but Peace.

Amen.

Related Posts

• The Finland Backlog Post

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

The debate was about 90 minutes and could be summed up in a couple of sentences. Gigi Sohn, Public Knowledge’s President & Co-founder, basically took the position that while the wireless does have unique challenges, and should be given a little more latitude in terms of applying reasonable network management principles, they should adhere to the same basic guidelines as is being proposed for wireline-based Internet services. Chris Guttman-McCabe suggested that wireless is far more competitive, it’s not clear that net neutrality principles need to be applied to wireless, and that applying the same principles the same way may, in fact, cause unintended harm to both consumers and the industry.

Net neutrality advocates would prefer that service providers, be they wireless, wireline, fiber, or whatever, would prefer that the service provider “just serve bits.” Don’t differentiate, don’t prioritize. Just serve them as they come. Seems reasonable and even supportable.

Remember that a mobile phone has two functions: as a telephone that you can make and receive voice calls on, and as a data device. While people like myself tend to think of a mobile phone primarily as a data device now, the vast majority of the world still views it as a voice device. However, both travel over the same radio spectrum and the same backhaul connection. That “last mile” connection to your mobile handset, however, is constrained by radio spectrum–spectrum which is in both short supply and high demand.

Let’s say a wireless operator experiences network congestion in a particular area, say around Moscone Center in San Francisco during a high-tech trade show even. If you’re been to a high-tech trade show at Moscone Center in San Francisco and tried to use your iPhone (or any other phone) on AT&T while there, you’d see the result–nobody could use the service at all. Taking the pro-net neutrality argument to it’s logical conclusion, where one bit of data is no more important than another, how do you device what bits make it through in a congested environment? Is a traditional call using GSM or CDMA more important than other bits? What if that voice call happens over data (e.g. with Skype)? If an operator prioritized more traditional forms of telephony over the newer, TCP/IP based methods of telephony, would that be a violation of net neutrality principles?

Unlike the other “wired” access methods, where one can upgrade the infrastructure to provide more bandwidth to end users in the last mile, or even lay more cable, mobile network operators cannot do this without more wireless spectrum–spectrum assigned and allocated by the FCC to both government, commercial, consumer, and amateur use. The spectrum allocated by the 700 Mhz spectrum auctions from a couple years back are now assigned to the mobile operators, but the previous “users” of that spectrum have not cleared out yet. Operators are chomping at the bit to start using this spectrum to roll out 4G wireless services.

Given the bandwidth crunch and net neutrality mandates, how is a mobile network operator going to solve congestion issues? What is “reasonable” network management practices? Who decides what is fair? Can anyone point me to a document that describes what constitutes reasonable network management practices?

At the end of the day, I have to side with CTIA. This issue is incredibly complex and needs more discussion, specifically around what constitutes “reasonable network management principles” and how to handle traditional voice calling and SMS in a truly “net neutral” world. What do you think?

Comments

• 16 December 2009, tom writes: most of what i have been reading lately is actually saying that it is the back-haul connections between the towers that are limiting the capacity not the radio interface. i often read reports that cell towers in major cities are connected via 1.5 mbps t1 lines. at least for right now faster back haul links should be a priority over spectrum increases. as far as the long term answer we need lots of very small low power cell all over the place. lately i read a lot about a future where things roam seamlessly between 3g/4g and private funded wifi spots in homes. i do not see this a viable in the long term. as the masses subscribe to mobile broadband they will be expected to be able to cut off there home connections. i think what is needed(and will eventually prevail) is something i used read a lot about but never see written anymore. we need radio transceiver on every lamppost(or on many of them) that are controlled by the carriers not individual users. as the world cuts out its land line phones perhaps much of that wiring can be reused to light up very small hot spots outside of peoples houses. it does not really matter if the technology is wifi or 3g/4g as long as the users do not know the difference. they just want phones, devices, and laptops that work every place they go.
• 16 December 2009, Aaron Huslage writes: It appears that you might have colluded QoS with other Net Neutrality provisions. Last I worked on this issue, a couple of years ago, it was completely allowable for an operator to prioritize voice traffic over other traffic (standard QoS). It was not, however, allowable for that provider to prioritize voice traffic to/from any one provider (including themselves) and not any other. QoS remained a service differentiator, but one provider was not able to discriminate based on source/destination of the packets.
• 16 December 2009, PhoneBoy writes: Backhaul is a problem, @tom, but it is far from the only problem. What you describe is something similar to what I'm told MetroPCS is doing: deploying a lot of smaller towers in neighborhoods. @Aaron it's not just about QoS. It's the fact that by nature of what the operators already do (prioritize their own non-IP voice traffic over all data), they potentially run astray of net neutrality rules.
• 18 December 2009, Bob writes: I have never had the problems as you mention near Moscone Center when in Europe. It's like all the "bars" are painted on the phone, calls don't get dropped, etc. This leads me to think a lot of the problem is that the US operators like AT&T just haven't make the same kind of investment in infrastructure as the European operators. It's not a problem with radio spectrum in as much as it can be solved by using a smaller cell sizes. If the cell size is too large for the number of active customers in it, then there will be problems. People know how to solve this problem. It doesn't need additional radio spectrum. Just more radios. I think the underlying question regarding "network neutrality" is should an operator be able to give preference to services it make more money on than lower revenue services. Should, for example, Comcast now that it is buying NBC, give better service to NBC shows than an other content provider. Can they use their monopoly position to squeeze out the competition? The stakes in this debate are significant. One of the bad outcomes will be that there won't be one Internet. An end customer will have to subscribe to multiple providers to get all content. IMHO, this is what will happen if we don't have some reasonable regulations in place. Given the pubic statements from providers like AT&T, I don't trust them to do the right thing. They seem to consistently saying they will do what everyone fears.

Related Posts

• A Third Way on the Net Neutrality Debate
• Is Net Neutrality a Diversion?
• Net Neutrality and CTIA Straw Men
• PhoneBoy’s Thoughts on Net Neutrality
• The Complex, Multi-faceted Net Neutrality Debate

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Over the past couple of days, I was out at VMworld 2009 at Moscone Center in San Francisco, which is a trade show put out by the fine folks at VMware. While it was not my “official” job,  I did do a bit of booth duty at Check Point‘s booth. It’s been a while since I’ve done that.

While there, I met a couple people I’ve been meaning to meet for years: Randy Bias, the guy behind Cloudscaling, and Chris Hoff (a.k.a. Beaker). I also got to experience first-hand at the show was the absolutely spectacular epic fail that is AT&T’s wireless network during a trade show at Moscone Center. Full signal, yet calls were dropping like flies. Data might as well have been GPRS for all the speed I wasn’t getting. It was horrible. Why AT&T doesn’t have several microcells inside Moscone with either a fiber link or several DS3s for backhaul is absolutely beyond me.

Meanwhile, back to VMworld and why Check Point was there. We were demonstrating Security Gateway R70 Virtual Edition (or R70 VE for short). The main difference between the R65 VE we ship today and R70 VE, aside from the new Software Blades architecture, is the level of integration with the VMware environment. Specifically, we use the VMsafe APIs provided by VMware, which give us a whole new level of visibility into the networking that goes on inside a VMware ESX server.

If you wanted to see what was going through every port in a physical switch, you might have some trouble either setting up mirror ports for everything or network taps. In VMware with the new VMsafe APIs, applications like R70 VE can see everything going through the virtual switch and can block it as appropriate.

In our demo, we show a couple of virtual machines hooked up to a virtual switch along with a separate VM for R70 VE. One of the VMs is compromised and starts “attacking” the other. These VMs and the R70 VE VM are on the same logical subnet, hooked to the same virtual switch. R70 VE is able to successfully block the attacking traffic using the IPS blade.

The good news for the firewall administrator is that this virtual gateway is managed with the same set of tools you use today: SmartCenter and all of the SmartConsole apps. It feels just like a gateway on a physical appliance, except it is running inside a virtual machine.

R70 VE is not shipping today. The code shown at VMworld is of alpha quality. We are expecting a Q4 2009 release timeframe, but that is not final and is subject to change.If you’re looking for more details, let me know and I’ll hook you up.

Related articles by Zemanta

• VMware unwraps virtualization management tools (infoworld.com)
• VMWorld Spoilers: vCloud Express And VMware Go (cloudave.com)
• VMware in quest to marry internal, external clouds (theregister.co.uk)
• VMworld 2009 (thetechscoop.net)
• Parallels unfurls desktop virt for Windows, Linux (theregister.co.uk)

Related Posts

• Check Point’s New Multi-Core Pricing
• You Know More Than I Do
• Where Does The IPS Go?
• ZTE BAVO™ Home Gateway Mobile Router (EVDO/HSDPA)
• How PhoneGnome and SoftGnome Work

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

When I first set this up, I spent roughly two weeks diddling with it and finally got something stable. It generally stayed that way, though periodically, I’d experience random dropouts and other weirdness. The past several days, the WDS mesh would simply fail for no reason and despite my best efforts, I could not bring it up again.

I replaced my Linksys in my office with a UTM-1 EDGE W device I picked up from the office. This is an industrial strength firewall with WiFi, anti-virus at the gateway, and a lot of other cool security features in something about the size of a typical Linksys/D-Link router. I’m sure costs more than what most people want to spend on a router, given enterprises buy hundreds of them and manage them centrally. Home users can get a lot of the same functionality in the ZoneAlarm Z100G Secure Wireless Router for $150 shipped to your door (sorry, US and Canada only).

Unfortunately, this didn’t solve my WDS problem since the EDGE gateway does WDS differently than the Linksys boxes. I set both Linksys routers downstairs into Client Bridge mode temporarily, which allowed the Internet to work, albeit a little more slowly. Unfortunately, this is still not reliable as the WiFi periodically cuts out downstairs.

Today, I trekked over to Frys Electronics and picked up some HomePlug AV gear from TRENDnet (specifically the TRENDnet Tpl-302E2K 200Mbps Powerline Av Ethernet Adapter Kit and TRENDnet Tpl-302E 200Mbps Powerline Av Ethernet Adapter B Class). D-Link, Belkin, and Netgear also make this equipment, but I opted for the TRENDnet gear for one simple reason: I could buy a single TRENDNet HomePlug AV receiver. I needed 3 of them and the price for a pair was, at minimum, $120.

Setup was pretty easy, if you follow the included QuickStart guide. The TRENDnet software tool for configuring these devices (which, unfortunately, requires Windows) was able to find all three of my devices right away. It took me almost no time to get the devices connected together and passing traffic. One of the devices is plugged in near my router upstairs, the other two are downstairs in different rooms.

There are, of course, some limitations with these devices:

• The device–which is much larger than our typical wall-wort–partially blocks the other outlet. I found it worked if I used the top outlet and had the “bottom” facing upward.
• The device absolutely must be plugged in directly to the wall for it to work (i.e. no powerstrips).
• A maximum of 16 devices is supported.
• All devices must be on the same circuit breaker. This basically means you can only use these devices within a single dwelling.

While the TRENDnet Utility shows my devices not getting anywhere near the stated 200mb/s maximum throughput–the spec says the max data throughput is actually 150mb/s–I am getting anywhere from 10mb to 30mb/s to and from my locations. It’s at least as good as the WiFi link if not better as it’s more stable. I wish the price would come down a bit, but it’s still cheaper than cutting up drywall and adding in the necessary outlets.

Comments

• 1 May 2009, TRENDnet TPL-302E2K Powerline AV Ethernet Adapter Kit at Joy of Gadgets writes: [...] (Crossposted from http://phoneboy.com/3013/ditching-the-wds-mesh-and-going-homeplug-av) [...]
• 2 May 2009, Kyle Jones writes: PSST: http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2/ Fixes a lot of WDS and Client Bridge issues. Love CP, not a fan of EDGE boxes, especially the licensing issues they've always had and how their support is completely different from CP support. Oh, forgot to mention how you have to manually put files on the SCS for new versions of EDGE software. Check this out: http://d-link.com/products/?sec=2&pid=480 No, it doesn't work with SCS. Been there, done that. GUI is even the same, just with silver, blue, and green instead of orange, white, and blue of CP.
• 2 May 2009, PhoneBoy writes: I was having other issues with the WiFi unrelated to WDS. Personally, I think one of my Linksys routers was going a little funny. Getting the Linksys boxes entirely out of the WiFi equation makes me feel better (though one is doing DHCP and DNS duties, sans WiFi of course). And the EDGE box with the high gain antennas originally on one of my Linksys routers covers my house just as well as the WDS mesh was doing with less dropouts. That D-Link box is similar to the IP60 we sold independently of Check Point: basically the same box with a different color scheme and different UI.

Related Posts

• WDS Mesh Revisited
• Rethinking Frankenrouters
• Frankenrouters and Rethinking the WDS Mesh
• Linksys WRE54G
• WRE54G as an Access Point?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

One of the phrases I heard when I worked at Nokia right before they announced the divestiture of the Security Appliance Business (where I worked) was “more wood behind fewer arrows.” In other words, Nokia was wanting to focus more of their resources behind fewer initiatives, products, services, whatever. Seems reasonable.

It should, therefore, be no surprise given Nokia’s huge fall in profits and the general state of the economy that Nokia is, once again, putting more wood behind fewer arrows by, according to the press release, “[focusing] investments on fewer initiatives and [increasing] the use of common enablers across certain services.”

The press release gives scant details, as press releases often do. However, they do mention a couple of interesting tidbits:

• A variety of third-party partners will be added to the image capture and sharing features on devices. Presumably, only newer devices. Those of us with Nokia devices today likely won’t benefit. And seriously, how long did it take for Nokia to realize there’s a thriving ecosystem of services that they simply don’t participate in?
• When Nokia says employees will be impacted by a strategy change, as this press release says, it means only one thing: layoffs. 450 of them, or at least 450 people will have to substantially change their job. At least Nokia gives decent severance packages, but I still feels sorry for those impacted.

Given how long it seems to take for Nokia to make any serious changes, based on having worked for them for 10 years, I have to wonder if these changes can be implemented in time to reverse the downward slide of market share and mind share.

Based on what I saw in Redwood City when I was at the Check Point office last week, I’d say the fight is over and Nokia lost. Many former Nokia employees are now proudly carrying iPhones along with many long-time Check Point employees. Me? I’d love to get an iPhone now, but I can’t justify spending money on a new phone when I’ve got a drawer full of them. Maybe after Apple releases the next generation iPhone

Related articles by Zemanta

• Nokia Asking For Volunteers To Trim The Fat (phoneboy.com)
• Nokia cuts a further 1,700 jobs worldwide as demand falls! (ceoworld.biz)
• Too many brands – variety stymies smartphone viruses: study (cbc.ca)
• Nokia to extend S60 usage, new smartphone defintion (allaboutsymbian.com)
• Nokia Targets the U.S. Market (businessweek.com)

Comments

• 30 April 2009, Kellman writes: PhoneBoy using an iPhone? Isn't that one of the seven signs of the apocalypse? Let's see, had earthquakes, floods, nasty flu brewing. . . . if I see you walking around with an iPhone, I'm moving further north and hiding ;)
• 1 May 2009, PhoneBoy writes: Don't you already live pretty far north? :)

Related Posts

• Nokia N75 in April? And the N95 in North America?
• Testing Think Outside Keyboard With Nokia N95
• Nokia’s Latest AdSense Buy
• Pownce and GrandCentral Invites
• Creebies: Nokia’s Version of Tamagotchi

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

One of the features Chris demonstrated was something called Direct Access. It is essentially a “transparent” VPN that is activated automatically when the user tries to access a resource in the corporate network. There is no indication or icon that the user is connecting via some sort of encrypted tunnel, it “just happens,” assuming the action is allowed.

While I have to admit, this is pretty slick from an end user perspective, it will take large businesses years to get corporate desktops, laptops, and servers upgraded to the necessary levels in order to take advantage of this feature–Windows 7 and Windows Server 2008 R2. In the meantime, more conventional VPN solutions, such as provided by my employer Check Point Software, provide solutions today. The end user experience may not be as “transparent” as Microsoft is demonstrating, but it is not the hurdle Microsoft is making it out to be, either.

It’s also clear to note that this solution is really going after the client-to-site VPN. The conventional site-to-site VPNs aren’t going anywhere anytime soon. Do you really want to run separate VPN solutions for site-to-site and client-to-site? What does Microsoft’s solution do with respect to ensuring that endpoint remains secure and uncompromised?

Related articles by Zemanta

• Windows 7: Enterprise Features Explained (infoworld.com)
• Get Your Windows 7 Updates from Microsoft Connect (on10.net)
• Windows 7 Starter Edition: ‘No, you can’t’ is a deterrent (blogs.chron.com)

Comments

• 24 April 2009, Aaron Huslage writes: This isn't a new feature in Win7. It's a new name for NAP...and it works really nicely. http://technet.microsoft.com/en-us/network/cc984252.aspx
• 24 April 2009, PhoneBoy writes: It looks nice, but I don't think I've ever seen or heard anyone use this feature outside of Microsoft employees ;)
• 25 April 2009, Kyle Jones writes: Microsoft has always made a half-assed attempt at client-to-site VPNs. Mostly because most VPN solutions out there prefer that people use their own VPN client software to handle other things like policies, software version and patch checking, and client-side firewall to take load off the VPN device. Of course, if you just want a wide-open VPN without any propreitary control, you can use Microsoft's VPN client, but FW admins prefer to NOT make their lives hell by having to make a policy for every client out there. Nice try Microsoft, but I think you'll have to try much harder to get vendors and admins to allow your client to be used.

Related Posts

• Blogging and Watching TV at 29,000 feet
• Netraverse Win4Lin
• Walking Down Memory Lane
• InspiAir’s Solution Works
• When will the snow end, and the art of STFU

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Despite being less visible in recent years, I have still been contributing, albeit indirectly. I have been maintaining Nokia’s knowledge base, which of course contains many articles that relate to Check Point. I haven’t written many Check Point-related articles in recent years, but I do work to make sure that the articles other folks in support write are readable. I also help our team out in various, sundry capacities, with the goal being to get customer issues resolved quickly.

In the course of this work, and my presence on many a social network, I run across the occasional person who thanks me for the contribution I made to the betterment of the Check Point community many years ago. As I re-engage in the community, the accolades have noticeably increased.

Meanwhile, Kellman Meghu, a SE manager for Check Point Software in Canada, recently gave a troubleshooting presentation for CPX 2009 in Las Vegas (CPX, or Check Point Experience, is their annual trade show). In the presentation, he apparently decided to use a picture of me to represent when things got hairy and you needed expert advice from support.

Kellman tweeted the following yesterday:

Used a picture of @PhoneBoy in his presentation. The crowd cheered; no one has forgotten the help he has provided to CP users.

To say I was touched and humbled is an understatement.

So what now? Hard to make any grand plans under the circumstances, but I’m keeping busy. I’m still running the FireWall-1 Gurus mailing list and participating on the CPUG Forums, helping out where I can. It’s not much, but until the deal between Nokia and Check Point closes, it’s difficult to do much else.

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Instead of going to a typical Authorized Training Center and taking the tests later, I am taking the classes offered by my friend Barry Stiefel in San Francisco. His classes, listed on cpug.org , offer you the ability to get trained–and CCSA/CCSE certified–in 6 days. He has his own courseware and is an authorized testing facility.

The price for his 6 day course is an excellent deal. You get the classes, lunch and dinner each day, and the testing vouchers both the CCSA and CCSE for $3995 USD. This makes it both cost-effective and an efficient use of time.

Granted, even having not touched the product in any serious way in a few years, I could probably still pass the CCSA cold and the CCSE with a bit of prep. However, the one thing I haven’t played with at all is Secure Platform (lovingly called SPLAT by customers and support engineers alike). I figure a class can’t hurt.

I’ll keep you all posted how the class goes.

Posted by Wordmobi

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Needless to say, I’ve maintained email servers as part of my duties, where I’ve had plenty of access to look at people’s private emails. I also ran a computer bulletin board in the late 1980s, where I had the same privilege. In college, I did a term paper where I wrote about the Electronic Communications Privacy Act of 1986, which protects people’s personal email, but does little to protect corporate email. Provisions in the law allow business to monitor their networks for business purposes, which means they can see everything going on–including potentially non-business related communications.

While generally speaking, all an employer in the U.S. has to do is disclose that use of the corporate network is subject to monitoring, that is not the case in many European countries, where there are strict data privacy laws forbidding the practice. That would make it difficult for, let’s say, Nokia, to find out if a Finland-based employee was leaking secrets about upcoming handsets. It’s so difficult, in fact, that there was a reported rumor that Nokia was threatening to leave Finland if they couldn’t get a law passed that would allow employee email monitoring.

While Nokia spokespeople are officially denying this rumor, it doesn’t change the fact that the passing of such a law would be extremely beneficial to Nokia. Many companies, including Nokia, have a similar problem: how can evidence of corporate wrongdoing be found when you can’t look where evidence of wrongdoing would easily be found? In Europe, obviously, there are strict laws regulating who can see or do what with “private” electronic communications like email.

Even if monitoring workplace communications is legal, let’s assume the communication is somehow encrypted. How would you determine something inappropriate is going on? One school of thought is that the very use of encryption implies you have something to hide–something the company might not like.

Even if a communication is encrypted, some things about the communication usually aren’t: who it’s coming from, where it’s going to, and how much data or how long it is. One can certainly make some inferences based on that information, but one cannot conclusively prove that wrongdoing is taking place. However, you might find out enough just from that information alone to suspect something.

Of course, if you’re going to leak any company secrets, it’s probably best not to do it using the corporate network

Comments

• 4 February 2009, Dave Michels writes: I got into a weird situation years ago. I was managing the IT function when one of the engineers approached me about another engineer he suspected was reading private mail through his admin rights. Mostly his command chain, which included me. The engineer reporting the deed did not want to go on the record and asked us to leave him out of it. It was a very odd situation. Of course we had to urgently determine what to do, but could not use email to discuss it. We had my boss and HR involved and were trying to figure out our rights and his rights - remember it was only an accusation at this point. I honestly don't remember all the steps, but it did result with me firing him. I think it was my only termination where we had the (former) employee actually escorted out of the building. We also had to go thru a complete system password change-out and he not only had admin rights, but knew way too many passwords (early Microsoft). So while your post talks about the laws governing corporate snooping, there is an even murkier area around completely unauthorized snooping based on admin rights - when as an admin snooping and when is an admin doing their job. In most systems now, admins can't get to all the data without changing the password - but that isn't always the case.

Related Posts

• Pain Free Injections Coming To A Doctor Near You
• The Joys of Knowledge Management
• Finding Check Point Needles in the Twitter Haystack
• Technorati Catching Up
• Garage Band Demo Podcast

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

With the disclaimer that these are “forward looking statements” and may not reflect the true reality that happens, here’s what I took away from this:

• Check Point expects the vast majority of employees from Nokia’s Security Appliance business to join Check Point. This thread came up in several questions asked by the analysts.
• Customers can expect full availability and support for all Nokia’s current Security Appliance products.
• The acquisition will be accretive to Check Point’s bottom line in 2009.
• From Check Point CEO Gil Shwed: “The major lessons which we’ve learned [with respect to acquisitions is] we will need to be very sensitive to the channel needs and to the customer needs. We know all of that and we’ll keep that in our mind.”
• Q4 2008 was on-target and Q1 2009 looks promising, despite the economic situation.
• The security industry overall seems less affected overall by the economic conditions. Enterprises still need a secure network and don’t tend to rip out gateways and other security products to save money.

I recommend reading the transcript, typos and all, or listening to the webcast. Lots of good stuff there.

Related Posts

• Coverage of Check Point Acquisition of Nokia’s Security Appliance Business
• Nokia Spinning Off Security Appliance Division
• Gil Shwed: “The [security] industry needs to change a little bit”
• And The Buyer Was…
• Job Change Dead Ahead

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a