I was fortunate enough to attend Michael Warfield’s talk on DNS security this past Monday. If you don’t know Mike, he is a crazy smart dude who gives spectacular presentations. Can’t recommend him enough! Mike has been at the forefront of the IPv6 movement, and has given a number of IPv6 presentations in the past few months. The video from one of those presentations (Brave New World of IPv6) was just posted to the Internet, and I thought I would pass on the link. Mike is an incredible presenter, and you will definitely take away a boatload of information from each and every chat of his you attend. We are now officially out of IPv4 addresses, so I would be willing to bet that IPv6 will get a lot of attention this year. Get your learn on now!
I had to debug an interesting network problem a few weeks back, and wanted to see when new hosts appeared on my network. While debugging the issue, I needed to find a way to get notified when a new host appeared (I didn’t want to sit at a terminal reviewing the output from snoop and tcpdump). Enter arpwatch, which can be used to send alerts the first time a client issues an ARP request. This is actually quite handy, and the alerts you get by e-mail are rather useful:
$ arpwatch -i br0
From: root (Arpwatch)
To: root
Subject: new station
hostname: foo.bar.com
ip address: 192.168.1.18
ethernet address: 0:1c:b3:c2:80:2f
ethernet vendor:
timestamp: Friday, April 30, 2010 23:07:32 -0400
There are a slew of options to control who gets the e-mail, whether to use a saved packet capture instead of an active network connection, etc. Arpwatch is a pretty cool tool, and saved me a lot of time and hassle!
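To make the "alert the first time a client issues an ARP request" behaviour concrete, here is an added example (not from this post and not arpwatch's own code) that replays constructed ARP sightings through the same bookkeeping arpwatch keeps: an IP-to-MAC table that raises "new station" on first sight and "changed ethernet address" when a known IP turns up with a different MAC, which arpwatch also reports and which is worth watching since it is how ARP spoofing shows up on the wire. All addresses and the alert layout are constructed for the example.

```python
# Constructed ARP sightings (ip, mac) in the order they were seen on the wire.
SAMPLE_ARP = [
    ("192.168.1.18", "0:1c:b3:c2:80:2f"),
    ("192.168.1.1",  "0:1a:70:ab:cd:01"),
    ("192.168.1.18", "0:1c:b3:c2:80:2f"),  # repeat: already known, no alert
    ("192.168.1.18", "0:25:9c:11:22:33"),  # same IP, different MAC
    ("192.168.1.42", "0:1c:b3:c2:80:2f"),  # new IP (a MAC reused elsewhere is fine)
]


class ArpWatcher:
    """Keeps the table arpwatch keeps (ip -> last MAC seen) and produces an
    alert tuple (kind, ip, mac, previous_mac) whenever something changes."""

    def __init__(self):
        self.db = {}
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP sighting; returns the alert raised, or None."""
        mac = mac.lower()
        previous = self.db.get(ip)
        alert = None
        if previous is None:
            alert = ("new station", ip, mac, None)
        elif previous != mac:
            alert = ("changed ethernet address", ip, mac, previous)
        self.db[ip] = mac
        if alert is not None:
            self.alerts.append(alert)
        return alert


def format_alert(alert):
    """Render an alert in the field-per-line layout of the mail shown above."""
    kind, ip, mac, previous = alert
    lines = [f"Subject: {kind}", f"ip address: {ip}", f"ethernet address: {mac}"]
    if previous is not None:
        lines.append(f"old ethernet address: {previous}")
    return "\n".join(lines)


def run_sample(observations=SAMPLE_ARP):
    """Replay the constructed sightings and return every alert raised."""
    watcher = ArpWatcher()
    for ip, mac in observations:
        watcher.observe(ip, mac)
    return watcher.alerts
```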
My good friend and fellow blogging partner Mike Svoboda told me about dd-wrt a few weeks ago. Once Mike showed me what dd-wrt was capable of, I knew I needed to deploy it somewhere. I didn’t have a spare access point or router to test dd-wrt, so I decided to pick up a WRT54GL on NewEgg (I got mine for $25 off list price). As a long time OpenBSD and Soekris fan, I was very skeptical that dd-wrt would be able to stack up to what I currently had running (Soekris net4501+OpenBSD+PF) at home.
To get dd-wrt working, I used the installation guide provided on the dd-wrt wiki. Once the standard image was flashed and operational, I logged into the dd-wrt web interface and configured the router to meet my needs. Not only was I amazed with the breadth of features that are available in dd-wrt, but I was totally amazed at the monitoring capabilities that are available out of the box. Here is a screenshot from the bandwidth monitoring tab:
dd-wrt has everything I need and more, and I have now completely replaced my OpenBSD router. Here are my favorite dd-wrt features sorted in a top ten list:
1. Super stable (it runs a Linux kernel, which is an added bonus)!
2. Lots of performance graphs and statistics.
3. Support for wireless A/B/G/N + wired Ethernet.
4. Incredible support through the forums (I have yet to use this, but the replies I’ve seen are killer).
5. Built-in support for various wireless security protocols (WPA, WPA2, 802.1X, etc.).
6. Functional DHCP server.
7. NAT and QoS support.
8. Built-in DNS caching.
9. Bridging and VLAN support.
10. ipkg, which allows you to add numerous 3rd party packages (samba, upnp servers, etc.) to the router.
This is only a subset of what dd-wrt can do, and I can’t speak highly enough of the product! Mike rocks for recommending this, and I am stoked that I have such a reliable device acting as my access point / Internet router (my previous APs were rather flaky, so hopefully you can see why I am so excited about having a stable device routing packets from my wireless and wired hosts to the Internet).
Network Address Translation (NAT) has become an essential part of the Internet, and is one of the reasons we still have IPv4 address space available. Not all NAT devices are created equal though, and several NAT variations are prevalent (per RFC 3489):
Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
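The four RFC 3489 behaviours above differ in two things: how the mapping is keyed (source only, or source plus destination) and which inbound packets are let through. Here is an added example (mine, not from the post or the RFC) that models all four so the differences can be checked side by side; the addresses and port numbers are constructed, and `demo()` runs the same scenario against each NAT kind.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy model of the four RFC 3489 NAT behaviours: an outbound packet creates
    a mapping, and the NAT kind decides which inbound packets are admitted."""
    kind: str                        # "full", "restricted", "port_restricted", "symmetric"
    public_ip: str = "203.0.113.5"   # constructed external address
    next_port: int = 40000
    maps: dict = field(default_factory=dict)   # mapping key -> external port
    seen: dict = field(default_factory=dict)   # external port -> set of (dst_ip, dst_port)

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to dst=(ip, port); returns the external (ip, port)."""
        # Symmetric NAT keys the mapping on the destination too; the cone NATs reuse
        # one external port for everything the same internal endpoint sends.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.maps:
            self.maps[key] = self.next_port
            self.next_port += 1
        ext_port = self.maps[key]
        self.seen.setdefault(ext_port, set()).add(dst)
        return (self.public_ip, ext_port)

    def inbound(self, ext_src, ext_dst):
        """Is a packet from ext_src=(ip, port) to our ext_dst=(ip, port) forwarded inside?"""
        ext_ip, ext_port = ext_dst
        if ext_ip != self.public_ip or ext_port not in self.seen:
            return False
        contacted = self.seen[ext_port]
        if self.kind == "full":
            return True                                            # anyone who knows the mapping
        if self.kind == "restricted":
            return any(ip == ext_src[0] for ip, _ in contacted)   # source IP must have been contacted
        return ext_src in contacted         # port restricted and symmetric: exact IP and port

def demo(kind):
    """Internal 10.0.0.2:5000 talks to servers A and B; then several external senders
    try to reach the mapping created for A. Returns which of them get through."""
    nat = Nat(kind)
    a, b = ("198.51.100.10", 3478), ("198.51.100.20", 3478)
    ext1 = nat.outbound(("10.0.0.2", 5000), a)
    ext2 = nat.outbound(("10.0.0.2", 5000), b)
    return {
        "same_mapping_for_A_and_B": ext1 == ext2,
        "from_A": nat.inbound(a, ext1),
        "from_A_other_port": nat.inbound((a[0], 9999), ext1),
        "from_B_via_A_mapping": nat.inbound(b, ext1),
        "from_stranger": nat.inbound(("192.0.2.77", 1234), ext1),
    }
```

Only the symmetric NAT hands out a second external port for the second destination, which is why STUN-style hole punching fails behind it while the three cone variants only differ in how strictly they filter the sender.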