Slashdot needs a "-1: Generalising and dismissing others on irrelevant physical attributes" modifier.

“Shocking revelations have come out today that the NSA is using the same kind of computers and Internet technologies as hackers, criminals and even paedophiles! The NSA are known to use PCs and operating systems such as Microsoft Windows - a paeophiles favourite - and even Linux - beloved by hackers. The NSA even has spent money on making Linux more secure, which may help thwart law enforcement from investigating computers used by criminals. Further reports suggest the NSA also regularly use TCP in a variety of ways. TCP is known to be heavily deployed by many criminals worldwide. We contacted the NSA and asked them to comment, but their spokesperson responded only with a sneering "Oh for fucks sake" before hanging up the phone.”

THAT SEEMS LIKE A GOOD IDEA. I'M VERY HAPPY WITH MY NEW CAPS LOCK KEY. OH WAIT, DID YOU MEAN A SHIFT KEY?

the one problem with using my new caps lock key is that the slashdot filter complains that it's like yelling and refuses to post my comment. maybe these sentences will mollify it. haha it worked.

Looking at the map, it seems like the direction to look from Connecticut will be south/southeast (but mostly south). It first has to rise above the Earth's curvature far enough to be visible from CT, and by that time it's already quite far out to sea to the east. Looks like a similar situation in NJ - it's not going to appear to the southwest.

Haha, you first have to convince NASA there's a problem. Last I heard (as of 2009), NASA is still using imperial units for development of the future replacement for the Space Shuttle.

I like to eat people who insert a possessive apostrophe when they mean to use a plural. Yes, that's right - I'm a grammar cannibal.

Do you have some remedy for the desire to claw out my own eyeballs that comes from being forced to use Windows?

As the parent pointed out, use of CGI is basically "an existing hole."

You don't need a test. Check if you allow bash to be invoked remotely by untrusted users, ever, directly or indirectly. If you do, find the responsible architect, pour a cup of soda over his head, demote him to level 1 support, and fix your systems.

Yeah, this is what bothers me about this whole thing. People are acting like this is a terrible security hole outside of anyone's control, but if you're running an environment which allows for remote execution of anything via bash, I feel like Agent Smith said it best: "your men are already dead." That hasn't been a plausible architecture for public-facing applications for at least a decade. I remember working hard to get away from CGI-style approaches in the late '90s - back then, it was more for performance than security, but the security was an added bonus that became more apparent later.

Well, not just software costs. You may have to update the CAM more often. E.g. a change of nexthop for one prefix might demand that a compressed CAM entry has to be split up into several entries. Alternatively, it might mean several CAM entries can be consolidated into one. Next, you don't know how often that will happen - a prefix that just got compressed might get split quickly, and vice versa, or it might go back and forth a lot. So you could be doing a lot more updates to the CAM than otherwise. Whether that matters, I really don't know. :)

Ah, yes, of course, for the CAMs (or any other relevant longest-match index) you need to only store 64 bits at worst. Still, it's not the 5 fold saving.

The Cowen algorithm: Her original paper encodes landmark output ports in the label. That's not practical because of updating. However, with some added restrictions and at the cost of a slight amount of generality (e.g. not being able to work for every posssible graph, like pure star/hub-spoke graphs), you can eliminate that and have the addresses just be (landmark,node). You can do this by having nodes not build local clusters that are overly large, and so you can allow landmarks to also maintain local cluster routing tables - eliminating the output-port hack.

The (landmark,node) association need not change too often. Outages of links in the region between landmark and destination can be dealt with as they are today with routing - the scheme has full shortest-path routing in a region around each node. No need for the label to change. Outages that affect the path between the source and the landmark also similarly are dealt with like normal routing today. The one issue would be if there is a complete loss of a local cluster shortest-path route from the landmark to the destination. Then packets would disappear.

The end-node can at least be informed of this quite quickly, through the local cluster routing protocol (which can be a slightly modified BGP). Which is better than BGP today. Dealing with such issues of landmark redundancy, i.e., having associations with multiple landmarks, are perhaps better solved at a layer above the network layer. The theory shows that it is impossible to have both sub-linear routing tables AND full, global, shortest-path routing for /everyone/. If super-linear routing state is a problem you want to have solved, you have to give up something else.

Practice suggests that those who require redundancy at scale already seek to do so above the network layer. I.e. it is already good practice to locate redundant services on different prefixes precisely to guard against routing fsck-ups and failures. That suggests multi-homing in the "global prefix for one prefix" sense is not something that you should make too many other compromises for in any new routing architecture. Even with IPv4 which does do multi-homing for all to all, BGP multi-homing is not reliable enough to rely on. So it's probably better solved at the transport layer or higher, mediated at end nodes, and not complicate or compromise routing for it, as networks will still go and implement higher-layer redundancy anyway.

Indeed, by providing 2-way signalling in the routing layer, we can make the higher-layer redundancy solutions much better. Today if you advertise a prefix, you have no idea who has and has not received it, beyond your immediate neighbours. Even for your immediate neighbours, you still don't know if they have accepted the route. You can't really improve this in a routing system where all prefixes have global visibility, the communication and state costs would likely be unacceptable. However, in a Cowen Landmark routing scheme, we could at least provide an advertising node knowledge of which landmark nodes have working local cluster connectivity back to it. That's made possible because the scope is restricted, no longer global.

Note that the routing isn't source routing. Just because the address contains (landmark,node) doesn't mean the packet goes via the landmark. As a packet gets near to a landmark it may hit a node that already has the destination in its local cluster routing region, and so the packet goes shortest-path from there to the destination - potentially skipping the landmark. It's more two-stage routing, but each stage is shortest-path, per-hop routing. The 1st stage is routing the packet towards the landmark, the 2nd is when it hits a node with the destination in its local cluster (which, in the worst case, is the landmark).

On address sizes, that's a very interesting point about Teredo and 6to4. Yet another reason why IPv6 is too small. :) You should leave a comment on my blog!

If you're interested in this stuff, I'm trying (desperately ;) ) to finish writing up my PhD thesis on (slightly more) practical Cowen Landmark routing. Hopefully done really soon. I havn't considered the issues of source routing for Internet, but that could be very interesting too to consider, along with contrasting it with Cowen Landmark Routing. Designing a network layer to replace IPv6, in case IPv6 should fail at some point, would be interesting too! (Personally, where previously I laughed, now I think ISO OSI was right: addresses should be variable length, indeed maybe the solution is the ISO CLNS protocol ;) ). I can try ping you when I'm done with the thesis if you want. A comment on my blog would be easier for me to find back later. ;)

I don't know if there are vendors who use this kind of compression to save CAM memory to be honest. On the one hand it saves memory, on the other it adds complexity.

On the last point, yes, be good to see more work on this.

Well, let's agree to disagree to on point 1. I do agree with you though, IPv6 will be less fragmented than IPv4, though I do also think there are processes besides de-aggregation in the face of address space pressures that cause fragmentation, and I think IPv6 will face those pressures too. IPv6 needs to be seriously used first, and it may also require time.

Next, IPv6 addresses are of course 4 times larger than IPv4 addresses. Even if your IPv6 routing table has 5 times fewer entries, you're not getting a 5 times saving in memory. You're only getting a 5/4 times saving or tables that are 80% of the IPv4 - nowhere near as dramatic.

I'd contend 2 is the real underlying problem. Routing tables growing with the size of the network, in terms of # of entries - even if not at all fragmented. In terms of overall size, it's O(NlogN), however given we're using a fixed-length address label, that logN factor makes itself known in quite big jumps, as illustrated in the previous paragraph. That 20% saving will be eaten extremely quickly if the Internet keeps growing at super-linear pace. Given so much of the world's population isn't yet online, there's every reason to think the Internet still has plenty left to grow. Even in the developed world, there's no reason to think the amount of address space used per person will not grow dramatically. The amount of network enabled devices each of us own just keeps growing. The "Internet of Things" is the current buzzword, looking at network-enabling many small devices. Granted, that won't directly increase pressure on routable bits where a site upgrades to v6 from an existing v4 connection, e.g. a person's home, however there are surely many use-cases that involve new distinct locations coming online (e.g. cars?).

IPv6 is just neutral on the routing scalability question. Reduced fragmentation seems a trivial saving, at least to me.

Worse, it is possible that IPv6 is actually too small to be able to solve routing scalability.

IPv4 has been around a lot longer, and has had a lot more real use and legacy concerns. Even if you got that 5× fold reduction in routing table sizes by switching everyone over to IPv6, then:

1. You won't *keep* that nice clean space. The same processes that led to IPv4 fragmentation, ex space, will start to affect IPv6: Mergers; ASes eventually running out of bits in their prefix, given enough time (and remember, we're talking routable bits - that's only 16 in a /48, a lot but not impossible to exhaust either, a /56 would be even easier to exhaust) and neighbouring prefixes no longer being available to allocate.

2. Say 1 is wrong, and v6 stays clean. Ok, you've got a 5 fold linear reduction compared to IPv4. However it still doesn't fix the problem that current Internet routing leads to O(N) routing tables at each AS in terms of number of entries (O(NlogN) in terms of total size), where N is the size of the Internet and N keeps growing at a fast rate - even if measured in # of ASes rather than # of prefixes. Certainly supra-linear, potentially exponential Internet growth to date, and we've still got much of Africa, China and India still to become rich enough to start using address space like we do in the developed world. That 5x linear reduction is, ultimately, a barely noticeable blip in the face of continued supra-linear, perhaps exponential growth of the Internet.

IPv6 doesn't fix routing table growth problems, at least not in terms of providing a mode change in how routing table sizes grow with respect to the overall network, because IPv6 does not fundamentally do anything to change how routing is done, in a way that could slow the mode of routing table growth.