Friday, December 28, 2012

OSSEC error 'remote_commands'...

While upgrading one of the agents from ossec version 2.6 to 2.7, I was testing agent configuration and I got the following error message:
ossec-logcollector(2301): ERROR: Definition not found for: 'logcollector.remote_commands'.
It didn't appear before, and more importantly, I haven't had a slightest idea what's the problem! So, I decided to dig a bit further to find out. BTW, I removed timestamp column from the log entry as it is not important here.

So, what I found is that this is a new configuration variable introduced in 2.7 version of OSSEC. It is expected to be defined in internal_options.conf file. The reason I got it is that my internal_options.conf was from 2.6.

This variable is a boolean flag (accepted values are 0 and 1) and its purpose is to allow administrator to control whether the agent will accept commands from the manger, or not. This value is used when configuration is loaded, here. If it is set to 0 then any command configurations will be ignored, e.g. the ones like the following one:
<command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
</command>
For each ignored configuration entry, there will be appropriate notification message in the log file, something like the following message:
Remote commands are not accepted from the manager. Ignoring it on the agent.conf

Thursday, December 27, 2012

UDP Lite...

Many people know for TCP and UDP, at least those that work in the field of networking or are learning computer networks in some course. But, the truth is that there are others too, e.g. SCTP, DCCP, UDP Lite. And all of those are actually implemented in Linux kernel. What I'm going to do is describe each one of those in the following few posts and give examples of their use. In this post, I'm going to talk about UDP Lite. I'll assume that you know UDP and also that you know how to use socket API to write UDP application.

UDP Lite is specified in RFC3828: The Lightweight User Datagram Protocol (UDP-Lite) . The basic motivation for the introduction of a new variant of UDP is that certain applications (primarily multimedia ones) want to receive packets even if they are damaged. The reason is that codecs used can recover and mask errors. UDP itself has a checksum field that covers the whole packet and if there is an error in the packet, it is silently dropped. It should be noted that this checksum is quite weak actually and doesn't catch a lot of errors, but nevertheless it is problematic for such applications. So, UDP lite changes standard UDP behavior in that it allows only part of the packet to be covered with a checksum. And, because it is now different protocol, new protocol ID is assigned to it, i.e. 136.

So, how to use UDP Lite in you applications? Actually, very easy. First, when creating socket you have to specify that you want UDP Lite, and not (default) UDP:
s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDPLITE);
Next, you need to define what part of the packet will be protected by a checksum. This is achieved with socket options, i.e. setsockopt(2) system call. Here is the function that will set how many octets of the packet has to be protected:
void setoption(int sockfd, int option, int value)
{
    if (setsockopt(sockfd, IPPROTO_UDPLITE, option,
            (void *)&value, sizeof(value)) == -1) {
        perror("setsockopt");
        exit(1);
    }
}
It receives socket handle (sockfd) created with socket function, option that should be set (option) and the option's value (value). There are two options, UDPLITE_SEND_CSCOV and UDPLITE_RECV_CSCOV. Option UDPLITE_SEND_CSCOV sets the number of protected octets for outgoing packets, and UDPLITE_RECV_CSCOV sets at least how many octets have to be protected in the inbound packets in order to be passed to the application.

You can also obtain values using the following function:
int getoption(int sockfd, int option)
{
  int cov;
  socklen_t len = sizeof(int);
  if (getsockopt(sockfd, IPPROTO_UDPLITE, option,
  (void *)&cov, &len) == -1) {
  perror("getsockopt");
exit(1);
}
return cov;
}
This function accepts socket (sockfd) and option it should retrieve (i.e. UDPLITE_SEND_CSCOV or UDPLITE_RECV_CSCOV) and returns the option's value. Note that the two constants, UDPLITE_SEND_CSCOV or UDPLITE_RECV_CSCOV, should be explicitly defined in your source because it is possible that glibc doesn't (yet) define them.

I wrote fully functional client and server applications you can download and test. To compile them you don't need any special options. So that should be easy. Only change you'll probably need is the IP address that clients sends packets to. This is a constant SERVER_IPADDR which contains server's IP address hex encoded. For example, IP address 127.0.0.1 is 0x7f000001.

Finally, I have to say that UDP Lite will probably have problems traversing NATs. For example, I tried  it on my ADSL connection and it didn't pass through the NAT. What I did is that I just started client with IP address of one of my servers on the Internet, and on that server I sniffed packets. Nothing came to the server. This will probably be a big problem for the adoption of UDP Lite, but the time will tell...

You can read more about this subject on the Wikipedia page and in the Linux manual page udplite(7).

RSA parameters in PEM file...

If you've ever read anything about how RSA works you most probably know that RSA is based on arithmetic modulo some large integer. First, let N be a product of two, very large, primes p and q. N is n-bit number, those days minimally 1024 bits, and thus p and q are half that size, so that after multiplication we get required number of bits. Next, there are two numbers e and d that satisfy relation , where . is encryption key - or what's frequently referred to as a public key, while is decryption key, or a private key. The question now is: Given a PEM file with private key, how to find out those parameters for a specific public/private keys? In this post I'll show three ways to do it. The first two are using tools that are a standard part of OpenSSL/GnuTLS libraries. The third one is using Python.

OpenSSL/GnuTLS

Those two, especially OpenSSL, are very popular and complex cryptograhpic libraries. Both of them come with a very capable command line tools. In the case of OpenSSL the there is a single binary, openssl, that performs its function depending on the second argument. In this post, I'll use arguments rsa and genrsa that manipulate and generate, respectively, RSA keys. GnuTLS, on the other hand, has a several tools, of which we'll use certtool.

Now, first thing is to create RSA public/private key. You can do this using the following commands:
openssl genrsa -out key.pem 512
or, if you use GnuTLS, then:
certtool --generate-privkey --bits 512 --outfile key.pem
In both cases the generated RSA modulus (N) will have 512 bits, and the keys will be written into output file key.pem. You should note few things here:
  1. The output file contains both private and public keys!
  2. We didn't encrypt output file, which is recommended to do.
  3. 512 bits these days is a way insecure. Use minimally 1024 bits.
Ok, now we can request information about this RSA keys. Again, you can do that using openssl in the following way:
openssl rsa -in key.pem -noout -text
or, using GnuTLS:
certtool -k --infile key.pem
In both cases you'll receive the following output (GnuTLS is a bit more verbose):
Private-Key: (512 bit)
modulus:
    00:ba:b6:78:3b:1c:15:f1:d9:e3:48:16:5e:e7:8e:
    fd:a0:9d:2f:ee:1b:b8:9b:3d:d3:ea:f4:ad:fb:1b:
    6e:ef:b2:b5:cd:ee:38:e9:f8:6d:64:c9:ea:95:ae:
    87:13:5a:23:8b:2f:0b:e8:bb:c6:f8:c6:c4:ee:64:
    3c:d4:97:bd:a3
publicExponent: 65537 (0x10001)
privateExponent:
    39:6b:07:ca:55:b6:c1:eb:59:a3:bf:8d:6b:f4:63:
    36:d3:5f:fb:ff:76:63:f7:3d:86:51:bc:77:2e:56:
    8d:4b:87:73:e0:53:bd:17:e8:4a:e8:df:f5:86:14:
    65:60:f2:4f:03:02:3b:e9:23:c6:d3:ce:b3:1d:e9:
    13:1a:0f:b1
prime1:
    00:d6:b1:f9:53:8c:56:96:79:c0:bd:68:6c:b9:07:
    e7:9c:70:de:f5:61:ed:bb:51:12:1d:24:37:0f:cc:
    bf:8a:95
prime2:
    00:de:a2:52:be:a1:a4:eb:d7:48:24:95:c5:2c:05:
    bd:5f:7f:74:d5:12:bd:7c:5f:f1:8e:45:a2:50:26:
    ec:d1:57
exponent1:
    66:61:30:58:1b:10:1f:69:a7:f3:aa:9c:4e:0f:ea:
    ee:bb:14:57:47:7f:aa:57:9a:9f:b2:e9:5e:eb:70:
    5b:91
exponent2:
    22:2d:8f:40:5e:b6:5f:d2:5b:eb:e9:e6:2c:1c:f1:
    76:90:ad:91:ec:5f:94:91:72:16:e2:4f:c9:b8:40:
    10:df
coefficient:
    22:9c:f3:1f:85:68:a3:36:ab:07:87:ed:a4:c0:e5:
    ef:13:a8:28:02:55:35:c1:76:96:86:97:58:08:90:
    6e:70
In this output we see parameters N (modulus), e (publicExponent), d (privateExponent), p (prime1), and q (prime2). Also, what's written in there are values d mod (p-1) (exponent1),  d mod (q-1) (exponent2) and q-1 mod p (coefficient).

The interesting thing to note is the value of publicExponent, it is 65537. Namely, the size of public exponent isn't so important and by having such a low value it is relatively easy to encrypt messages (rising to this exponent requires 17 multiplications). This is very frequent value for encryption key, i.e. public exponent. privateExponent, on the other hand, has to be large and random, so that it isn't easy to guess.

Python

The recommended library to use to manipulate RSA keys is m2crypto which is a wrapper to OpenSSL library. There are many other libraries, of course, and you can find an older comparison here. Unfortunately, I was unable to find downloadable version on the Internet.

Anyway, to be able to manipulate RSA keys you have to import RSA module from M2Crypto, i.e.:
from M2Crypto import RSA
Then, to load RSA private/public key from a file use the following line:
rsa=RSA.load_key('key.pem')
You can also generate new RSA private key as follows:
rsa=RSA.gen_key(512, 65537)
In this case you are generating private key based on public key 65537 (we saw that this is very frequently used public key) and we require 512 bit modulus. You can find out modulus length using Python's len() function, i.e.:
>>> len(rsa)
512
To obtain N, you can inquire attribute n of the object holding RSA key, i.e.:
>>> rsa.n
To obtain pair (e,d), or public key, you can use the following method:
>>> RSA.pub()
Alternatively, you can find out only e in the following way:
>>> rsa.e
As far as I could see, there is no way to find other parameters besides N, e and bit length.

Tuesday, December 25, 2012

Controlling which congestion control algorithm is used in Linux

Linux kernel has a quite advanced networking stack, and that's also true for congestion control. It is a very advanced implementation who's primary characteristics are modular structure and flexibility. All the specific congestion control algorithms are separated into loadable modules. The following congestion control mechanisms are available in the mainline kernel tree:
Default, system wide, congestion control algorithm is Cubic. You can check that by inspecting the content of the file /proc/sys/net/ipv4/tcp_congestion_control:
$ cat /proc/sys/net/ipv4/tcp_congestion_control 
cubic
So, to change system-wide default you only have to write a name of congestion control algorithm to the same file. For example, to change it to reno you would do it this way:
# echo reno > /proc/sys/net/ipv4/tcp_congestion_control
# cat /proc/sys/net/ipv4/tcp_congestion_control
reno
Note that, to change the value, you have to be the root user. As the root you can specify any available congestion algorithm you wish. In the case the algorithm you specified isn't loaded into the kernel, via standard kernel module mechanism, it will be automatically loaded. To see what congestion control algorithms are currently loaded take a look into the content of the file /proc/sys/net/ipv4/tcp_available_congestion_control:
$ cat /proc/sys/net/ipv4/tcp_available_congestion_control
vegas lp reno cubic
It is also possible to change congestion control algorithm on a per-socket basis using setsockopt(2) system call. Here is the essential part of the code to do that:
...
int s, ns, optlen;
char optval[TCP_CA_NAME_MAX];
...
s = socket(AF_INET, SOCK_STREAM, 0);
...
ns = accept(s, ...);
...
strcpy(optval, "reno");
optlen = strlen(optval);
if (setsockopt(ns, IPPROTO_TCP, TCP_CONGESTION, optval, optlen) < 0) {
    perror("setsockopt");
    return 1;
}
In this fragment we are setting congestion control algorithm to reno. Note that that the constant TCP_CA_NAME_MAX (value 16) isn't defined in system include files so they have to be explicitly defined in your sources.

When you are using this way of defining congestion control algorithm, you should be aware of few things:
  1. You can change congestion control algorithm as an ordinary user.
  2. If you are not root user, then you are only allowed to use congestion control algorithms specified in the file /proc/sys/net/ipv4/tcp_allowed_congestion_control. For all the other you'll receive error message.
  3. No congestion control algorithm is bound to socket until it is in the connected state.
You can also obtain current control congestion algorithm using the following snippet of the code:
optlen = TCP_CA_NAME_MAX;
if (getsockopt(ns, IPPROTO_TCP, TCP_CONGESTION, optval, &optlen) < 0) {
    perror("getsockopt");
    return 1;
}
Here you can download a code you can compile and run. To compile it just run gcc on it without any special options. This code will start server (it will listen on port 10000). Connect to it using telnet (telnet localhost 10000) in another terminal and the moment you do that you'll see that the example code printed default congestion control algorithm and then it changed it to reno. It will then close connection.

Instead of the conclusion I'll warn you that this congestion control algorithm manipulation isn't portable to other systems and if you use this in your code you are bound to Linux kernel.

Monday, December 24, 2012

Pretjerivanje na temu genijalaca, nadarenosti i ostalih gluposti...


Svima nam je poznato proglašavanje genijalaca u osnovnim i srednjim školama, kao dijete se sjećam toga, a vjerujem da ni danas nije drugačije. Taj kult genijalaca se dovodi do te mjere da se svima ostalima, indirektno, govori kako su glupi i da je bolje da ne pokušavaju jer neće uspjeti, nisu genijalci! Istovremeno, "genijalcima" se kaže kako ne moraju ništa raditi i da će im sve ići lako. Taj način razmišljanja počeo se provlačiti i na fakultetima (da ne spomenem kojima) i to me je počelo izuzetno jako uzrujavati, i to je povod ovog posta.

Ali prvo, jedna zanimljivost. Za početak, genijalnost, odnosno nadarenost, po nekakvom uvriježenom mišljenju je genetska karakteristika, nešto što se dobija rođenjem i više se ne može promijeniti. Nadalje, genijalnost i nadarenost se na različite načine institucionalizira, primjerice nekakvim posebnim programima i slično. Da li je nekome palo na pamet da se na taj način na mala vrata u društvo uvodi sistem sličan indijskim kastama? A još zanimljivije, koliko se sjećam, Ustav jamči jednakost svima! Da li je jednakost ako se kaže da je nešto za nekog tko je nadaren, a za ostale nije i zbog svoje genetike oni to ne mogu?!

Ali dobro, idemo na bit, jer mene sve to proglašavanje genijalaca i slično, jako iritira. Mislim da je to jako štetno za društvo, a i za pojedince.

Relativno puno ljudi shvaća da vrhunski sportaš ne nastaje preko noći i također dosta ljudi sluti kako se radi o velikim odricanjima, iako, mislim da su rijetki svjesni o kolikima se radi i o tome bi se mogao pisati poseban post. Međutim, ja vjerujem da ista stvar vrijedi i za intelekt, naime, ne postaje se stručnjak preko noći već je potreban rad, upornost i odricanje. To mnogi ne shvaćaju! I onda misle da ako je netko nešto pokušavao tjedan, dva, mjesec, pa možda i godinu, i nije uspio, da je onda glup. A ne znaju da su potrebne godine rada. Koliko godina? Pa ovisi što ste prije toga radili, i kako!

Vrhunski stručnjak ne postaje se preko noći već su za to potrebne godine predanog rada! Ne vjerujete? Preporučam onda da pročitate članak  The Expert Mind iz Scientific Americana (ovdje imate besplatnu verziju). U tom članku se opisuje istraživanje kako nastaju šahovski velemajstori. Razlog zašto baš šahovski velemajstori je zbog toga što je relativno lako pratiti (mjeriti!) napredak. Rezultati tog istraživanja su fascinantni. Ja se sjećam od malena kako su oni koji igraju vrhunski šah proglašavani genijalcima! I igranje šaha je uvijek bilo identificirano s inteligencijom, odnosno, nadarenošću i genijalnosti. E pa, zaključak tog istraživanja je da šahovski velemajstori, kao i eksperti za druga područja, nastaju učenjem a ne rođenjem! Osim toga, danas imate šahovske programe koji su razine velemajstora, a neki su uspjeli potući i svjetskog prvaka. Da li su ti programi genijalci? Mislim da ćemo se svi složiti da nisu!

Sada se pitate zašto to uopće spominjem? Pa zato što je jedna od stvari koja me neopisivo uzrujava spominjanje nekakvih genijalaca, nadarenih i sličnih gluposti (namjerno kažem gluposti!). To kreće već negdje u osnovnoj školi i onda se provlači kroz cijelo školovanje. Samo po sebi to ne bi bilo loše da se na temelju toga onda ne radi diskriminacija, a i da se na neki način uništavaju ljudi, i one koji se proglašavaju genijalnima i one koje se ne proglašava genijalnima, odnosno, smatra ih se ispod prosječnim ili prosječnim! Neću ni spominjati tendenciju roditelja da svoju djecu proglašavaju novim genijalcima! Dakle, želite li da ponovim još jednom što tvrdim? Ovaj puta puno jasnije? Može, evo:
Proglašavanje ljudi genijalcima nema veze sa stvarnošću, a istovremeno uništava te ljude isto kao što uništava i omalovažava ljude koji se ne proglašavaju genijalcima. O onima koje se smatra nesposobnima, a pogotovo oni koji sebe smatraju nesposobnima, neću ni pričati! Taj isti pristup štetan je i za društvo u cjelini jer ono ne iskorištava sav potencijal koji ima na raspolaganju, a koji je vrlo dragocjen.
Sad već vas čujem kako vičete: Pa djeca se međusobno razlikuju, neki su bolji, neki lošiji! Da, to stoji, doista su različiti. I ja uopće ne tvrdim da su isti i u tome se slažemo! Međutim, ono u čemu se ne slažemo je što je uzrok tome! Naime, popularno mišljenje je da su genijalci u pitanju, a ja tvrdim da to nije istina! Naime, iz tih riječi, genijalac, nadareni i slično slijedi kako se radi o nečemu što je stečeno rođenjem (genetikom) te da se na to ne može utjecati, odnosno, da se može samo minorno korigirati.

Ja tvrdim da su značajne razlike u sljedećem:
  • motivacija i interes - nisu svi jednako motivirani za nešto, niti sve zanima sve. Ovo dvoje mislim da je vrlo isprepleteno, odnosno, može djelovati jedno na drugo.
  • rad i upornost - biti motiviran i zainteresiran nije dovoljno, treba rada i upornosti da se nešto postigne i to kroz dulji vremenski period.
  • napredak kroz rad - raditi samo po sebi nije dovoljno. Primjerice, ako se učenje stranog jezika obavlja ponavljanjem jedne te ista rečenica tisuću puta na dan, svaki dan, tko god tako radio koliko god motiviran i uporan bio, neće puno postići.
  • dostupnost potrebnih materijala - kakva korist od volje i svega, ako nema materijala iz kojih će se učiti i s pomoću kojih će se učiti. Tu bi još uvrstio pitanje kakav smo tip osobe i da li materijali odgovaraju tom tipu, primjerice, neki su više auditivni tipovi dok drugi vizualni.
  • pomoć stručnjaka - ako imate nekoga stručnjaka pri ruci, to može izuzetno puno pomoći, ali na žalost i isto toliko odmoći ako se tome ne pristupa na pravi način.
  • reakcija na pogreške i rezultate - većina ljudi pokušava što prije riješiti neki problem i pri tome uopće ne pokušavaju naučiti iz pogrešaka, već ih samo što prije ukloniti, dok kada se dobije rezultat zadovoljni su bez obzira što vide da bi moglo i bolje!
Tu se naravno, prikriveno u svim tim točkama, nalazi i poticaj okoline. U stvari, kada mi kao djeca stičemo prve navike od roditelja, oni se reflektiraju na sve te razlike i u konačnici nas oblikuju kao osobe u inicijalnoj - i vrlo bitnoj - fazi našeg života.

Kad se samo sjetim svoje osnovne i srednje škole, skoro da mi je zlo! Nekompetentni i nezainteresirani učitelji/nastavnici/profesori, koji su i sami gajili kult genijalaca i nisu pokušavali nama, meni, kao djeci, objasniti zablude koje smo imali. A kako i bi, kad su i oni sami vjerovali u te zablude. No, moram reći da je sustav tako napravljen da ih nije ni poticao da budu drugačiji, a osim toga ponekad nisu ni znali što mi mislimo - iako je to škakljiv argumnet jer može se reći da im je posao da to znaju. No bez obzira na sve, u konačnici, nekako mi se čini da je moje trenutno stanje posljedica djelovanja roditelja (moraš učiti, to ti je kruh!) i velike sreće, s čim se mnogi drugi ne mogu pohvaliti.

Zaključit ću tako što ću reći da je vjerojatno istina, kao i obično, negdje na sredini. Međutim, mislim da društvo pretjeruje s veličanjem IQ testova i genijalaca, i u tom smislu uništava mnoge ljude te šteti samome sebi.

Za kraj, evo Vam još tekstova za čitanje ako ste zainteresirani:
Sljedeće poveznice dodavane su dosta kasnije u odnosu na vrijeme nastanka ovog posta:

Sunday, December 9, 2012

Few remarks on CS144...

I'm teaching computer networks for the past 10 or so years, and during that time I got used to a certain approach in teaching this subject. But as I already noted in the post about e2e design principle and middleboxes, I'm watching course Introduction to Computer Networks (CS144), given on Stanford university. The main reason being that I wanted to see how others are doing it. While I was watching the part of the first lecture, What is Internet - 4 layers, I had some comments, so I decided to write a post about it. But then, I decided to comment on the whole course, not just a single lecture. At least that is my intention at this moment.

One very important thing before I start. Note that every course has to simplify things and remove as much details as possible in order to make things "learnable". So, sometimes lecturers don't tell complete truth, or even they say something that isn't truth. This is acceptable as long as they correct themselves eventually. But because of this it means that there are many approaches to teach something, potentially very different, and I'm looking from the viewpoint of one specific approach, namely the one I'm using. This, in turn, might mean that some, or even majority, will not agree with my comments on CS144 in this post. That's perfectly OK, but anyone reading this post should bear that in mind and not take things for granted!

What is Internet - 4 Layers

The purpose of this lecture is to teach you about layering in the networks. This is a very important concept that is a mandatory knowledge for anyone doing anything that touches networking.

But there are few things that I don't like in the approach taken by CS144. First, more correctness problem than something major, is when the lecturer notes where particular layers are implemented. He doesn't give a complete information in this case because he says that everything below application layer is implemented in the operating system. But, the truth is that parts of "link layer" are implemented in hardware, which definitely isn't an operating system, and within firmware which also isn't part of an operating system. Also, where is the line between hardware/firmware and operating system greatly varies. There are, for example, hardware accelerators for TCP, and in that case hardware/firmware reaches almost up to application layer.

Next, ISO/OSI RM is mentioned only briefly, and the comment was "... that was widely used." It was introduced because network layer is frequently called Layer 3, while in model used in this course it is in layer 2. Before continuing, let me just note that Layer 2 is also frequently used, and Layer 7 (L7) isn't so rarely used, either. Anyway, first ISO/OSI has never been widely used for the purpose it was created, unless you count bureaucratic work done within OSI, which is a lot of (bureaucratic) work! On the other hand, it is widely used as a reference model, i.e. it is used to compare different networks. And also it is widely used when we try to be a general, not tied to a specific network. After all, Internet is only one instance of many other networks, past and future. Now, I agree that it is good policy these days to stick to the Internet when teaching basics of networking. But it should be clear that Internet isn't the only network around. If OSI did something right (well, truth to be told, they did several things right), than it is the stuff around network model (or architecture). Note that there are some things that are not right (e.g. number of layers), but in general it is very well thought subject. By the way, physical layer has much more to do than only wires and connectors, if nothing else because there are three main ways of communication (wireless, wired and optical) and then there are countless number of variations within each of those.

Now, when the lecturer compares the 4 layer model he uses with ISO, he says that TCP covers transport and session layers of ISO/OSI RM. This is the first time ever that I heard that TCP covers session layer. This is based on his premise that the purpose of session layer is connection establishment. But, that's simply not true. The purpose of session layer is management of multiple connections, which can degrade into a single connection and in that case session layer is very thin - in terms of the functionality. On the other hand, connection establishment for a single connection is part of the specific protocol within transport layer (there are of course those that don't have connection establishment). Take for example OSI transport protocol TP4 which has connection establishment, transfer and disconnect phases, just like TCP and OSI definitely places it in transport layer, not session layer!

Finally, the lecture implies that layers are the same thing as protocols, i.e. that transport layer is TCP. But, the layer is just a concept, while TCP is an entity, implementation, that logically belongs to a certain layer.

What is Internet - IP Service Model

This lecture is about IP service, which, as the lecturer says at the beginning is what IP offers to layer above and what it expects from layer below. But I think that this lecture actually mixes services expected from layers below and above, with the inner workings of the IP that are invisible to higher/lower layers:
  • Packet fragmenting isn't visible outside of the IP protocol because it is the task of the IP itself to defragment fragmented packets before handing data to the protocol in the layer above. Also, when IP fragmets packets the protocols in lower layers don't know, neither they care, if those are fragments or not. They are treated as opaque data by the lower layer protocols.
  • Feature to prevent packets from looping forever is also internal mechanism to IP protocol, and not something that higher or lower layers should know or care about. True, there is ICMP message that informs sender that this happened, but as I said, it is not intended for other layers. If nothing else, because those layers don't determine the value of TTL field. It is a sole discretion of IP protocol itself.
  • Checksum in the IP packet isn't used to prevent IP packet to be delivered to wrong destination. Let me cite RFC791 which says that:
    This checksum at the internet level is intended to protect the internet header fields from transmission errors.
    So it is intended to protect header from errors, not to prevent deliver of IP packet to wrong destination. True, it might happen that the error occurs in destination address and that, in that case, delivery is prevented but this is only a special case, a consequence, not something specifically targeted.
    Furthermore, while I'm at checksum, it uses simple addition and thus it is a very weak protection mechanism. Actually, it was so useless, and also it was slowing routers, so it was removed in IPv6. By the way, the same version of checksum is equally useful in TCP.
  • Options within IPv4 are, again, specific to IPv4 protocol and not something offered as a service to higher layers.
I have to admit that the bullet "Allows for a new versions of IP" totally confused me?

Next, the definition of connectionless service is that no state is established in the network. That is true, but the point is that it is not the feature of a service but of the protocol operation, and thus protocols above (i.e. in higher layers) simply don't care about that. It is possible for some protocol to offer connection oriented service while operating over connectionless "subnetwork" (e.g. TCP over IP) as it is possible to offer connectionless service over connection oriented "subnetwork (e.g. IP over ATM). More about connectionless vs. connestion oriented you can read in my other post.

Note, the term IP layer is somewhat wrong, or at least discussable  Namely, there is no IP layer but network layer in which one of the protocols is IP protocol. Now, I'm aware that many say IP layer so, if we assume that the majority is right, then I'm wrong. :)

Also, for the end of this part it was interesting to see the mixed use of the terms datagram and a packet. I'm almost always using the term packet, rarely datagram, but I'll have to take a look at this more closely.

Anyway, could be that the lectures of this course and I have different view on what "service model" is, but I didn't notice that they defined what they mean by it, they just started to explain service model of different protocols.

Now, while solving quizzes the following questions surprised me:
  • An Internet router is allowed to drop packets when it has insufficient resources -- this is the idea of "best effort" service. There can also be cases when resources are available (e.g., link capacity) but the router drops the packet anyways. Which of the following are examples of scenarios where a router drops a packet even when it has sufficient resources?

    I thought that the answer was a, c and d (corrupted packet). But, d was rejected.
  • In an alternative to the Internet Protocol called "ATM" proposed in the 1990s, the source and destination address is replaced by a unique "flow" identifier that is dynamically created for each new end-to-end communication. Before the communication starts, the flow identifier is added to each router along the path, to indicate the next hop, and then removed when the communication is over. What are the consequences of this design choice?

    Here, I thought that the answers are a and c. But apparently, a and d were accepted. Now, c says that  there is a need for control entity to manage flow labels. Might be that I misunderstood "control entity", that it actually means something centralized. In that case probably I'm wrong. And d says there is no more need for transport layer. I would like to hear some arguments for that. Anyway, I'll have to read a bit more details about ATM, after all.

What is internet - TCP UDP

This video starts with the introduction in which the following sentence is stated: ... two different transport layer services, one of them is TCP and the other is UDP. The problem is that TCP and UDP are not services but protocols that offer some service.

"TCP is an example of transport layer". As I said, TCP is protocol, not a layer!

I wouldn't say that the property "stream of bytes" means that the bytes will be delivered in order. That's more the property of reliability. What "stream of bytes" means, in the case of TCP, is that there is no concept of the message and message boundaries. So, if the application sends two times 500 octets, it can be delivered on the other end in one go of 1000 octets, in three rounds, etc.

Source port isn't only used so that TCP knows where to send back data, but also for receiving entity to know how to demultiplex incoming TCP segment. Namely, every connection is uniquely identified by a four tuple (IP src addr, src port, IP dst addr, dst addr) and so source port is used for demultiplexing.

Checksum in TCP is quite weak, as I already argued, so it is not particularly good mechanism for detecting errors.

It is possible that TCP connection is closed in three exchanges, but could be that this will be explained later.

What is the Internet - ICMP

I have to admit that placing ICMP in transport layer is quite a novel approach to layering Internet protocols. The lecturer says that strictly speaking it uses IP and thus it belongs to transport layer. The truth is that it is far from clear where this protocol is, but the point is that when you place protocols in different layers it is not only what the protocol uses, but also what it offers and for what it is used - with respect to layer functionality. So, when we talk about ICMP, it doesn't offer services to layer above, that would be application layer, but it doesn't offer services to transport layer, either. Also, transport layer offers end-to-end communication services to application layer. Note that ICMP, on the other hand, allows communication of network layer entities (IP protocols) between any two nodes within the network. It is produced and consumed by IP protocol implemenations.

Two additional things have to be clarified that someone might take out now and counter argument me. First, there are applications that use ICMP, ping and traceroute. The truth is that ICMP actually was never designed to be used by applications, neither ping nor traceroute (especially not traceroute, search for the word "jelaous" on this page, its an interesting story). It just turned out that something can be used for the purpose not intended initially and so we now have those applications. But, I think that ping and traceroute access directly network layer, that is ICMP.

The second thing that someone might use to say that ICMP isn't in the network layer is OSPF. Namely, OSPF uses directly IP for a transfer service, not UDP nor TCP. So, someone might say that by placing ICMP into the network layer I'm placing OSPF to network layer too. There are those that think that OSPF is there. But, I think that OSPF is in application layer, along with other routing protocols. And that is for two reasons:
  1. Routing protocols communicate from end-to-end. It doesn't matter that "end" in this case might be, and is, a network router somewhere within the network, the point is that OSPF application treats that as intended destionations, ends. With ICMP, any node might - for example - drop a packet and generate Time Exceeded message. Note that the node generating error message isn't an end point of the communication!
  2. The functionality of the protocols is vastly different. And not only that, but also who is consuming the packets. ICMP is consumed, and generated, by IP protocol. (minus ping/traceroute for whom I already said that they are a special cases). OSPF on the other hand, is quite a complex protocol and IP protocol directly hands data to OSPF application process. IP doesn't consume those messages, neither it produces them.
So, I think OSPF is in application layer, while ICMP is in top part of the network layer.

Additionally, let me return to the lecture slides. Slide number 3 shows data for ICMP coming from the application. It's not true, data comes from the network layer itself, and ping and traceroute are misusing layering.

On slide 5 ICMP is treated as a network protocol in a sense like IP is. But I think that it's misleading. This actually leads me to one more argument why ICMP belongs to the network layer. Namely, ICMP doesn't have any separate implementation, there is no ICMP module within an operating system. There is IP module (protocol implementation) that produces and consumes ICMP messages.

Ok, so much about that lecture. Finally, when I was trying to solve quizzes, I had a problem with a first question: Which of the following statements are true about the ICMP service model? The offered answers were:
  1. ICMP messages are typically used to diagnose network problems. This is true, but it's not service model.
  2. Some routers would prioritize ICMP messages over other packets. This one isn' true. The routers treat ICMP messages as any other message (unless specifically configured to do so).
  3. ICMP messages are useless, since they do not transport actual data. ICMP is definitely not useless.
  4. ICMP messages can be maliciously used to scan a network and identify network devices. Yes, they can, but it's not a service model what this question asks.
  5. ICMP messages are reliably transmitted over the Internet. They are transferred in IP which is unreliable.
After trial and error it turned out that b is also true!? But then again, I can say that I made mistake because I didn't read that "some would" prioritize, which could be true, and "would" doesn't mean it is necessarily so. Huh, I hate when someone plays with words.

Ok, I'll stop here because this post is brewing for too long, and as I'm having much other work to do, it will take time until I watch all the lectures. Not to mention that it becomes quite large. So, I decided to publish this, and expect new posts eventually...

Thursday, December 6, 2012

Biser naših neukih novinara 8...

Dakle, evo novog bisera u kojima naši neuki novinari prenose (neću reći pišu!) s nerazumijevanjem o stvarima o kojima ništa ne znaju. Povod ovaj puta je pokušaj ITU-a da uvede kontrolu nad Internetom, i o tome sam već pisao, a i još ću kako stvari stoje. Nego, vratimo se temi ovog posta, a to je način na koji su naši novinari pisali o tom događaju.

Prvo što sam vidio bila je vijest na Monitoru o tome, i kao i uvijek na Monitoru su stavili linkove na druge novine koji pišu o toj temi detaljnije. Ali, pogledajmo prvo što su na Monitoru napisali. Evo ovdje c/p za referencu:
Članovi UN-ove Međunarodne telekomunikacijske unije dogovorili su usvojiti novi internet standard koji će omogućiti telekomunikacijskim kompanijama lakši nadzor podataka na internetu. Osnovat će se posebna inspekcija DPI koja će, prema tvrdnjama UN-a, štititi autorska prava. No stručnjaci upozoravaju da će inspekcija kopanjem po podacima kršiti privatnost korisnika.
Dakle, prva nebuloza koju su napisali je ITU usvaja novi internet standard! Ajmo' sada svi zajedno: ITU ne usvaja Internet standarde! I ako nije jasno, predlažem da se ponovi to još nekoliko puta, a novinaru predlažem da to i napiše nekoliko puta! Internet standarde može jedino predložiti IETF i odobriti RFC Editor, i nitko više!

Drugi gaf je još bolji: "Osnovat će se posebna inspekcija DPI...". Ovdje sam se odvalio od smijeha! Dobro, ajde, prvo nisam mogao vjerovati da su to napisali, a onda sam se odvalio od smijeha! Naime, DPI znači Deep Packet Inspection i označava pregledavanje svega što paketi nose. Nekakav Hrvatski prijevod bio bi "Dubinska analiza paketa", "Detaljna analiza paketa", ili tako nešto. Sam postupak ne zvuči kao nešto posebno, međutim, potrebno je poznavati neke osnove računalnih mreža kako bi se shvatilo koliko to odudara od standardnog postupanja s paketima tijekom njihova prijenosa kroz mrežu. Konačno, i najbitnije za ovaj post, radi se o tehnici ili metodi, kako god hoćete, a ne o nekakvom tijelu koje se osniva. Dakle, novinar je englesku riječ "inspection" shvatio u stilu Državnog inspektorata/inspekcije, a ne kao opću riječ "ispitivanje/provjera". Konačno, to je potvrdio i zadnjom rečenicom: "No stručnjaci upozoravaju da će inspekcija kopanjem po podacima kršiti privatnost korisnika!" Hahahaha... da mi je samo vidjeti tu inspekciju koja bi bila u stanju pratiti sav promet na internetu!

Ok, odlučih onda kliknuti na stranicu Večernjeg lista da provjerim što su oni napisali. Dakle, i oni lupetaju o "standardu za Internet!". Mislim, taj izraz je toliko besmislen da i uz najbolju volju ne mogu doći do nekog smislenog objašnjenja! Nadalje, i oni izgleda kao i Monitor (ili je obratno) tretiraju da se radi o nekakvoj inspekciji, kako drugačije protumačiti sljedeću rečenicu: "Iz UN-a tvrde da će uvođenje inspekcije zvane DPI..".

E da, potom je tu izjava tipa: Britanski računalni stručnjak kojega se naziva i "ocem interneta" Tim Berners-Lee... Ajmo mi sada jednu stvar utvrditi: Internet postoji od cca. 70-tih godina prošlog stoljeća, a dotični gospodin je smislio Web 1992. Dakle, kako on može biti "otac interneta" ako je internet postojao prije njega jedno 20-tak godina?

Ok, potom novinar nastavlja s:
To je ozbiljno kršenje privatnosti. Netko provede široku inspekciju na vašem priključku te pročita sve podatke i sve internetske stranice, pohrani ih na vaše ime te može dati adresu i telefonski broj Vladi kada ga pitaju u vezi s prodajom najboljem ponuđaču – rekao je Berners-Lee.
I za parsiranje ovoga mi je trebalo, i nisam uspio! Prvo, što znači "široku inspekciju"? I ako postoji "široka inspekcija", postoji li "uska inspekcija"? I koja bi bila razlika? Dalje kaže da netko pročita "sve podatke" i "sve internetske stranice", a ja ne mogu shvatiti po čemu su "sve internetske stranice" različite od podataka? Ali dobro, ajmo reć da se htjelo istaknuti zbog širokih narodnih masa da su tu i internetske stranice uključene. No, onda slijedi prava nebuloza "...pohrani ih na vaše ime..." koju također ne mogu nikako shvatiti, i totalno besmisleni šlag na kraju "...te može dati adresu i telefonski broj Vladi kada ga pitaju u vezi s prodajom najboljem ponuđaču".

Potom malo dramaturgije u vidu naslova "SAD gubi kontrolu nad internetom". I nastavak u revijalnom tonu:
Glavni tajnik ITU-a odbacio je kritike te dodao da takav prijedlog ne predstavlja "prijetnju slobodi govora". – Ovo nam je šansa da nacrtamo svjetsku kartu i spojimo ono što trenutačno nije spojeno dok osiguravamo da je to investicija za kreiranje infrastrukture potrebne za eksponencijalni rast u glasovnom, video i prometu podacima – kazao je Hamadoun I. Toure te dodao da je "zlatna prilika da se omogući dostupan pristup internetu za sve, uključujući i milijarde ljudi diljem svijeta koji danas ne mogu na internet".
Ovo prvo što sam označio masnim slovima nikako da shvatim. No, u ovom paragrafu vjerojatno ima istine u smislu da je to Toure izjavio jer vjerujem da je ovo zadnje otisnuto masnim slovima mogao izgovoriti neki birokrat iz ITU-a.

Ostale postove iz ove "serije" možete pronaći ovdje.

Wednesday, December 5, 2012

Privjesci, pokloni, GPS, Rumunji i ostale budalaštine...

Dakle, već drugi put čujem nekoga kako spominje da je primio elektroničku poruku sljedećeg sadržaja:
Ovih dana na mnogim mjestima- benzinskim pumpama ili parkiralištima dijele se besplatno privjesci za auto ili mali nakit za vas auto.

Te stvari ne uzimajte! U tome je ugrađen čip- kriminalci vas prate sa benzinskih crpki sve do kuće i na taj način prate kada ste kod kuće. Kada ste odsutni koriste priliku da provale u vaš stan/kuću.

Radi se o rumunjskim kriminalcima koji su izmislili novi način provale.

Obavijestite svoje prijatelje!
Ako želite mišljenje, kratko rečeno: NE NASJEDAJTE NA OVE GLUPOSTI! Jednostavno izbrišite tu poruku i nastavite kao da se ništa nije desilo.

Ok, a sad malo opširnije. Ovdje se radi o bezveznom ulančanom pismu. Drugim riječima, ta poruka se nekontrolirano širi i pri tome zbunjuje ljude (zbog čega se i širi), a istovremeno troši mrežne resurse i vrijeme onih koji ju primaju. Dakle, šteta je indirektna, ali nije zanemariva.

Ali, evo argumenata koji dovode u pitanje ovu konkretnu poruku:
  1. Prvo i osnovno, MUP ili neka nadležna institucija treba izdati priopćenje, i to ne na bilo kakav način, kao što je primjerice slanje elektroničke poruke poznanicima, već na nekom mjestu koje bi se moglo tretirati kao "službeno". Primjerice, priopćenje za javnost, Web stranice policije, ili nešto slično.
  2. Čim u nekoj poruci vidim nastavak "... obavijestite sve svoje prijatelje jer" i onda nekakva prijetnja da ćete patiti do kraja života, još sam uvjereniji da je lažna obavijest.
  3. Kako uopće kriminalci znaju što ćete napravili s privjeskom? Ili alternativno, kako znaju da ga nosite i/ili ga niste poklonili nekome drugome i/ili negdje zametnuli ili jednostavno bacili?
  4. Zatim, zašto bi vas pratili s GPS-om, kad vas mogu pratiti i ovako?
  5. Kako znaju da ste na putu doma? Kako znaju kad stanete da li vam je to doma? I da, ako netko kaže da znaju  da ste doma jer su, primjerice, koordinate na kojima ste stali u nekoj zgradi, ja mogu odgovoriti s protupitanjem: kako uopće znaju na temelju koordinate da je to vaš dom? I tu je još dodatno pitanje, ako je koordinata na mjestu velike - gusto naseljene zgrade - kako znaju koji je stan u pitanju?
  6. Ako netko ima namjeru provaliti i pokrasti, što nije bolje upikirati kvart/kuću/stan na temelju nekih drugih parametara (recimo, koliko je prometno, zaklonjeno od prolaznika i slično), a ne hvatati nekog slučajnog prolaznika?
  7. I da, što ako živite 100km ili više dalje od benzinske gdje vam daju privjesak, a eto slučajno ste se zatekli tu u prolaz? Mislim, na temelju čega znaju gdje otprilike živite kako bi znali da li ste blizu? Registracija ZG ne govori puno, a ZG je velik! I pogotovo kako bi to znali stranci, u ovom slučaju rumunji?
  8. I otkud znaju da doma nemate čopor djece, djeda, babu, nezaposlenu ženu (muža) ne znam koga tko je stalno doma?
  9. I koliko uopće košta ta oprema koju bi vam dali? I u stvari, putem čega taj "daljinski" šalje signal i kako daleko? Više od par km sigurno ne može "dobaciti" pa kako će ga oni hvatati? Jel' tako što će vas slijediti? Zašto su vam onda to dali ako vas slijede? Mislite da šalju UTMS-om? Pa to znači da moraju kupiti Tele2/Simpa paket za svaki taj odašiljač. Uglavnom, ovo razmišljanje ne vodi nikuda.
  10. Što uopće znači "novi način provaljivanja"? Da li vam možda stvari odnose teleportacijom? To bi bilo nešto novo...
  11. Brzi google prve rečenice pokazuje da je dotični mail - u identičnom obliku - raširen na sve strane po cijeloj ex. Yu, ali, nigdje ne piše da je netko to doista i vidio, o slici neću ni pričati! I niti jedan od tih "hitova" nije nešto što bi se bar približno moglo nazvati "službenim".
Uglavnom, mislim da više ne treba o tome uopće razmišljati, a kamo li raspravljati...

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive