Comcast’s congestion management

A few years ago, Comcast generated a lot of negative PR based on their RST-injecting P2P throttling scheme.

This led them to adopt a new strategy which is protocol- and destination-agnostic and is designed to shift the inevitable packet loss to those users that stress the network.

Comcast has now published their strategy in an informational RFC. It’s longer than it needs to be, but still: recommended reading.

Attacking PayPal, Visa, and Mastercard

The story so far: WikiLeaks posted some secrets, the US government throws a hissy fit and some spineless companies see it as their “patriotic duty” to withhold service from WikiLeaks. This doesn’t especially endear them to the 4chan/Anonymous crowd, which then starts to DDoS the pushovers.

So how is a Civil Libertarian and Network Security guy supposed to react to that?

Two wrongs don’t make a right. There are better ways to show disgust at and punish those electronic money movers. Attacking their operation cannot be the right answer.

But: I’ve been arguing for years now that one of the few ways to actually shut down some of the real menaces (not the imagined ones like WikiLeaks) of the Internet like spammers, fake AV software scams, Viagra/… sellers, and other frauds would be to deny them the credit card payment option.

Thus, MasterCard and Visa: If you are so eager to distance yourself from WikiLeaks, when nobody can even tell you what actual laws they are supposed to have violated, why are you not able to deny service to the frauds when it is absolutely clear that they violate laws and cost the worldwide economy huge sums of money to clean up their crap?


The privacy of fonts on the web

Today, heise wrote about Linotype’s offer in the “fonts for webpages” market.

If I’m not mistaken, that’s not the first commercial offering of licensing fonts for the new HTML/CSS font feature. On one hand, this is a really good offer, as it allows amateur sites to use professional fonts for free, and commercial, high-traffic sites can use these fonts for a reasonable price.

But one thing bugs me about these offers: In order to enforce the pay-per-pagehit business model, these services need to serve the fonts from their own servers. That means:

  • On the plus side, potentially better caching between different sites.
  • But: the font-servers implicitly track all visitors to the website using these fonts.

Given all the privacy implications that embedded ads and social media gizmos (“click here if you like this”) are starting to raise, fonts seem to be the next thing you need to be careful about if you’re conscious about the traces you leave in third-party access-logs.
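To make the tracking point concrete, here is an added example (my own code, not part of the original post or any font service) that audits a stylesheet and lists every third-party host a visitor's browser would contact just to fetch fonts. The stylesheet, the page URL and the host names are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample stylesheet: two fonts from a hypothetical font service,
# one self-hosted font with a relative URL, and a non-font url() as a decoy.
SAMPLE_CSS = """
@font-face { font-family: "Foo"; src: url("https://fonts.example-service.test/foo.woff") format("woff"); }
@font-face { font-family: "Bar"; src: local("Bar"), url(//cdn.example-service.test/bar.ttf); }
@font-face { font-family: "Baz"; src: url(/fonts/baz.woff); }
body { background: url("https://img.example-service.test/bg.png"); }
"""

FONT_FACE_RE = re.compile(r"@font-face\s*{(.*?)}", re.S | re.I)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)

def font_hosts(css: str, page_url: str) -> dict:
    """Map each host that serves a font to the absolute font URLs loaded from it.
    Only url() inside @font-face blocks counts; local() and other url() uses are ignored."""
    hosts = {}
    for block in FONT_FACE_RE.findall(css):
        for raw in URL_RE.findall(block):
            absolute = urljoin(page_url, raw.strip())   # resolves // and / forms
            host = urlsplit(absolute).hostname
            hosts.setdefault(host, []).append(absolute)
    return hosts

def third_party_font_hosts(css: str, page_url: str) -> set:
    """Hosts contacted for fonts that are not the page's own host.
    Every visitor's browser fetches from these, so their access logs see the visit."""
    own = urlsplit(page_url).hostname
    return {h for h in font_hosts(css, page_url) if h != own}

if __name__ == "__main__":
    for host in sorted(third_party_font_hosts(SAMPLE_CSS, "https://www.example.test/index.html")):
        print("third-party font host:", host)
```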

Name them and Shame them: paypal edition

c’t magazine runs a biweekly column shining some light on the most egregious customer experiences with IT companies. To no-one’s surprise, things start to get resolved if the company is facing public outrage and public shaming.

So, in the same spirit: PayPal is the worst company in the world.

Further opportunities at Naming and Shaming are the Big Brother Awards.

Somebody got something wrong there

According to FuZo, Turkey is building a centre for IP tracking. Good for them.

But instead of censoring their own population, could they please do something to protect the rest of the Internet from the spam and the script kiddies with testosterone overproduction coming out of the Turkish Internet?



/dev/otmar is now IPv6-enabled

At work, we’ve been running IPv6 for a while, and back home I’ve also got v6 on my DSL connection (not native, though; silverserver implemented that with a tunnel). My root server also got v6 connectivity via a tunnel from the network (easy enough to do if you’re the router admin :-), but I never used that for serious stuff.

Now that Hetzner finally provides native IPv6 connectivity, I made the necessary changes to the configuration of my server and now this blog is reachable via IPv6, too.

Next task: Get cacti to graph how many visitors use v4 versus v6.
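As a starting point for that graph, here is an added example (my own code, not part of the original post) that reads web server access log lines and counts hits and distinct clients per IP version, emitting the result in the space-separated name:value form that cacti's script data input can consume. The log lines are constructed with documentation addresses.

```python
import ipaddress
from collections import Counter

# Constructed Apache combined-format log lines (documentation addresses, not real visitors).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2010:08:01:02 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:5:900::1 - - [10/Jun/2010:08:01:05 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2010:08:02:11 +0200] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
2001:db8:5:900::1 - - [10/Jun/2010:08:02:12 +0200] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2010:08:03:00 +0200] "GET / HTTP/1.1" 200 5123 "-" "curl/7.19"
this is not a log line
198.51.100.7 - - [10/Jun/2010:08:03:01 +0200] "GET /feed HTTP/1.1" 200 2048 "-" "curl/7.19"
2001:db8:1::42 - - [10/Jun/2010:08:04:00 +0200] "GET /feed HTTP/1.1" 200 2048 "-" "Feedfetcher"
"""

def client_address(line: str):
    """Return the parsed client address from a combined-format line, None if unparsable."""
    field = line.split(" ", 1)[0]
    try:
        return ipaddress.ip_address(field)
    except ValueError:
        return None

def count_visitors(log: str) -> dict:
    """Count hits and distinct client addresses per IP version.
    Distinct clients are the better thing to graph: one visitor loading a page
    with many objects would otherwise be counted once per object."""
    hits, clients = Counter(), {4: set(), 6: set()}
    for line in log.splitlines():
        addr = client_address(line)
        if addr is None:          # malformed line, skip rather than abort
            continue
        hits[addr.version] += 1
        clients[addr.version].add(addr)
    return {"hits": {4: hits[4], 6: hits[6]},
            "clients": {4: len(clients[4]), 6: len(clients[6])}}

def cacti_output(log: str) -> str:
    """One line of 'name:value' pairs, the format cacti's script data input accepts."""
    c = count_visitors(log)
    return f"v4:{c['clients'][4]} v6:{c['clients'][6]}"

if __name__ == "__main__":
    print(cacti_output(SAMPLE_LOG))
```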


The effect of soccer on the IXPs

This year’s soccer World Cup seems to be the first one for which streaming video is widely available on the Internet. The Austrian public TV (ORF) is offering a decent livestream (or in the case of parallel games, two streams). So what do the public traffic statistics of the Internet Exchange Points show?

This graph is from the Vienna Internet Exchange. Some notable points:

  • Game time means traffic peaks. The World Cup schedule is clearly visible in the graphs. Up to the 21st, there were three games per day, two close after each other, then a two hour break and then another game. Starting with the 22nd, there were four games a day, with two running in parallel. (The times in the graph are UTC!)
  • Weekends have smaller spikes than workdays: On the 19th and 20th, the games are less visible than on the other days. It looks like watching the stream over the Internet is more popular in offices than at home. This makes sense, as at home the TV screen is most likely the better place to watch soccer.
  • Regarding traffic levels: from looking at the graphs, the biggest spikes seem to be around 8 Gbit/s. Assuming that this is mostly ORF streams for the Austrian public, one can assume that ORF/APA is pushing more than 10 Gbit/s during World Cup games.

Talking about DNSSEC

The Austrian ISP Association (ISPA) had asked me to hold a workshop on DNSSEC as part of their “ISPA Academy” series of events. And as they had complaints that all their events are in Vienna, I agreed to hold it in Salzburg, where I had logistical support from the headquarters.

I thus spent the Wednesday traveling to Salzburg (actually: I’m usually quite productive in trains, and a good part of the presentation was prepared on the way in), then holding the workshop and riding the train back. Six hours of train for 4 hours of workshop isn’t that bad.

If anyone is interested, here are my slides. My aim was to explain the motivation for DNSSEC, the technical implementation and, most importantly, what introducing DNSSEC means for an ISP. I only touched very briefly on the commercial aspect.

In the end, this room full of techies was not exactly cheering for the adoption of DNSSEC.

Postscript: Just two days later, we have this:, the entity that still has a hand in approving changes to the root zone, messed up their DNSSEC signatures. From


Mail to the ORF customer service


Today I tried to watch the deciding run of the giant slalom via the livestream on , but got the “only works in Austria” error message.

I am in Austria, and my network is clearly registered to Austria as well:

inet6num: 2001:858:5:900::/56
netname: SIL-LENDL
descr: Otmar Lendl #1219171
country: AT


inet6num: 2001:858::/32
netname: AT-SIL-20020725
country: AT

It’s just IPv6 and not classic IPv4.

Could it be that the country detection there isn’t working correctly?

If I turn off v6 on my side and come in via v4, the livestream works without any problems.


otmar lendl

Update: I’ve now received a reply from ORF:

Dear Mr Lendl!

Thank you for your e-mail and your interest in our programme. It can sometimes happen that you see the above message even though you are in Austria. This error occurs mainly with internationally operating Internet providers whose company headquarters are located abroad. If the server does not recognise your IP address as Austrian, you have to contact your ISP (Internet Service Provider).

On the following websites you can find out which country your IP address is assigned to.

If the problem you describe cannot be explained by this, please let me know and I will gladly forward your enquiry to our technical department.

Yours sincerely,
Stefanie Steinwender


Update 2 (17.2.2010):

Within ORF this was forwarded accordingly and promptly fixed. I was only able to really verify it now, though: before the Olympics there was simply almost no skiing on TV.
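The failure mode in the mail above is a geo-fence whose prefix table only knows IPv4, so every v6 client is silently treated as “not in Austria”. Here is an added example (my own code, not ORF’s or any geo-IP vendor’s) of a longest-prefix country lookup that handles both address families; the country table is constructed, with the v6 entry taken from the inet6num quoted above and the v4 entries being documentation prefixes.

```python
import ipaddress

# Constructed country table, not a real geo-IP database.
V4_ONLY_TABLE = {
    "192.0.2.0/24": "AT",       # documentation prefix, stands in for an Austrian range
    "198.51.100.0/24": "DE",    # documentation prefix, stands in for a German range
}
FULL_TABLE = {
    **V4_ONLY_TABLE,
    "2001:858::/32": "AT",      # inet6num AT-SIL-20020725 from the whois output above
    "2001:db8::/32": "XX",      # documentation prefix, stands in for "somewhere else"
}

def build_table(table: dict) -> list:
    """Parse prefixes once and sort longest prefix first so the first hit is the most specific."""
    nets = [(ipaddress.ip_network(prefix), cc) for prefix, cc in table.items()]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)

def lookup_country(addr: str, nets: list):
    """Longest-prefix match of addr against nets; None when no prefix covers it.
    Works for v4 and v6 alike because ipaddress compares within one family only."""
    ip = ipaddress.ip_address(addr)
    for net, cc in nets:
        if ip.version == net.version and ip in net:
            return cc
    return None

def is_allowed(addr: str, nets: list, country: str = "AT") -> bool:
    """Geo-fence decision. With a v4-only table every v6 client ends up here as
    None != country, i.e. rejected, even if its allocation is registered in Austria."""
    return lookup_country(addr, nets) == country

if __name__ == "__main__":
    client = "2001:858:5:900::1"   # constructed address inside the /56 quoted above
    for name, table in (("v4-only", V4_ONLY_TABLE), ("v4+v6", FULL_TABLE)):
        nets = build_table(table)
        print(name, client, lookup_country(client, nets), is_allowed(client, nets))
```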