Categories
Internet

The effect of soccer on the IXPs

This year's soccer World Cup seems to be the first one for which streaming video is widely available on the Internet. The Austrian public TV (ORF) is offering a decent livestream (or, in the case of parallel games, two streams). So what do the public traffic statistics of the Internet Exchange Points show?

This graph is from the Vienna Internet Exchange. Some notable points:

  • Game time means traffic peaks. The World Cup schedule is clearly visible in the graphs. Up to the 21st, there were three games per day: two close after each other, then a two-hour break and then another game. Starting with the 22nd, there were four games a day, with two running in parallel. (The times in the graph are UTC!)
  • Weekends have smaller spikes than workdays: on the 19th and 20th, the games are less visible than on the other days. It looks like watching the stream over the Internet is more popular in offices than at home. This makes sense, as at home the TV screen is most likely the better place to watch soccer.
  • Regarding traffic levels: from looking at the graphs, the biggest spikes seem to be around 8 Gbit/s. Assuming that this is mostly ORF streams for the Austrian public, one can assume that ORF/APA is pushing more than 10 Gbit/s during World Cup games.
Categories
Internet

Talking about DNSSEC

The Austrian ISP Association (ISPA) had asked me to hold a workshop on DNSSEC as part of their “ISPA Academy” series of events. And as they had complaints that all their events are in Vienna, I agreed to hold it in Salzburg, where I had logistical support from the nic.at headquarters.

I thus spent the Wednesday traveling to Salzburg (actually, I’m usually quite productive on trains, and a good part of the presentation was prepared on the way there), then holding the workshop and riding the train back. Six hours of train for 4 hours of workshop isn’t that bad.

If anyone is interested, here are my slides. My aim was to explain the motivation for DNSSEC, the technical implementation and, most importantly, what introducing DNSSEC means for an ISP. I only touched very briefly on the commercial aspect.

In the end, this room full of techies was not exactly cheering for the adoption of DNSSEC.

Postscript: Just two days later, we have this: doc.gov, the entity that still has a hand in approving changes to the root zone, messed up their DNSSEC signatures. From http://dnsviz.net/d/doc.gov/dnssec/:

Categories
Internet

Random Link collection

I’ve kept these pages open as tabs in Firefox, meaning to blog about them.

So before I really have to reset Firefox, here they are, lest I forget about them:

Categories
Internet

Mail to the ORF customer service

Hello,

today I tried to watch the decisive run of the giant slalom via the livestream on ORF.at, but got the “only works in Austria” error message.

I am in Austria, and my network is also clearly registered to Austria:

inet6num: 2001:858:5:900::/56
netname: SIL-LENDL
descr: SILVER SERVER GmbH
descr: Otmar Lendl #1219171
country: AT

or

inet6num: 2001:858::/32
netname: AT-SIL-20020725
descr: SILVER SERVER GmbH
country: AT

It is IPv6, though, and not classic IPv4.

Could it be that the country detection there doesn't work correctly?

If I turn off v6 on my end and come in via v4, the livestream works without problems.

Regards,

otmar lendl

Update: I have now received an answer from ORF:

Dear Mr. Lendl!

Thank you for your e-mail and your interest in our programme. It can sometimes happen that you are shown the above message even though you are in Austria. This error occurs mainly with internationally operating Internet providers whose headquarters are located abroad. If the server does not recognize your IP address as Austrian, you have to contact your ISP (Internet Service Provider).

On the following websites you can find out which country your IP address is assigned to.

http://www.wieistmeineip.at
http://www.countryipblocks.net

If the problem you describe cannot be explained by this, please let me know; I will gladly forward your request to our technical department.

With kind regards
Stefanie Steinwender

Sigh.

Update 2 (17.2.2010):

Within ORF this was forwarded accordingly and also promptly fixed. But I could only really verify this now: before the Olympics there was simply almost no skiing on TV.
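As an added example (not part of the original mail, nor ORF's code), here is how a registry-based geolocation lookup behaves when it only covers IPv4: it parses the two RIPE inet6num objects quoted above plus a constructed, hypothetical IPv4 `inetnum` object, and does a longest-prefix match that can be restricted to one address family.

```python
import ipaddress

# Registry data: the two RIPE inet6num objects quoted in the mail above, plus one
# constructed, hypothetical IPv4 inetnum so the IPv4 path has something to match.
WHOIS_RECORDS = """\
inet6num: 2001:858:5:900::/56
netname: SIL-LENDL
descr: SILVER SERVER GmbH
country: AT

inet6num: 2001:858::/32
netname: AT-SIL-20020725
descr: SILVER SERVER GmbH
country: AT

inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-V4-PLACEHOLDER
country: AT
"""

def parse_whois(text):
    """Turn RIPE-style objects into (network, country) pairs; ranges become CIDR blocks."""
    records = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())   # keep the first of repeated keys
        prefix, country = attrs.get("inet6num") or attrs.get("inetnum"), attrs.get("country")
        if not prefix or not country:
            continue
        if " - " in prefix:                                 # inetnum range form "first - last"
            first, last = (ipaddress.ip_address(p.strip()) for p in prefix.split(" - "))
            nets = ipaddress.summarize_address_range(first, last)
        else:
            nets = [ipaddress.ip_network(prefix, strict=False)]
        records.extend((net, country) for net in nets)
    return records

def lookup_country(records, address, families=(4, 6)):
    """Longest-prefix match returning (country, network). `families` limits which
    address families the database covers, modelling a v4-only geolocation feed."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, country in records:
        if net.version not in families or net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (country, net)
    return None if best is None else (best[0], str(best[1]))

RECORDS = parse_whois(WHOIS_RECORDS)
```

With `families=(4,)` the v6 client from the mail gets no country at all, which is exactly the “only works in Austria” outcome; consulting the v6 registry data resolves it to AT.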

Categories
CERT Internet

MasterCard SecureCode: Just say no.

Sometimes the timing is just too perfect.

Yesterday I was trying to book a flight on Brussels Airlines, and when I tried to pay via credit card, they insisted on an on-the-fly enrollment in MasterCard SecureCode. I refused and booked via the AMEX Business Service.

Today a security analysis of the whole scheme was published by British scientists, confirming my reservations.

Money quotes:

“Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders.”

“So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.”

Categories
Internet

Google DNS resolution service

In their endless quest for world domination, Google recently unveiled their public DNS resolver setup. Such a service is nothing new per se; OpenDNS has been doing something similar for some time. Based on the FAQ, Google seems to do this right: a sensible privacy policy and no NXDOMAIN rewriting. They even seem to implement some state-of-the-art tricks (except DNSSEC) to harden their system against forgery attempts.

(Quick aside: one of their tricks to speed up the resolution is to pre-fetch records due to expire from the cache. I’ve proposed exactly the same to the BIND folks at the DNS-OARC meeting in Chicago, 2007.)
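The prefetch trick from the aside, as an added illustration (not Google's or BIND's code): a small resolver cache that keeps answering from cache while refreshing an entry whose remaining TTL has dropped below a window. The clock and the upstream are injectable, and `simulate()` runs a constructed scenario with a 60-second TTL record.

```python
import time

class PrefetchCache:
    """Resolver cache that refreshes entries shortly before their TTL expires.

    A hit with less than `prefetch_window` seconds of TTL left is still answered
    immediately from cache, and a refresh is triggered so that the next client does
    not have to wait for an upstream round-trip. `upstream` is a callable
    name -> (rdata, ttl); `clock` is injectable so the behaviour is checkable offline.
    """
    def __init__(self, upstream, prefetch_window=10, clock=time.monotonic):
        self.upstream = upstream
        self.window = prefetch_window
        self.clock = clock
        self.entries = {}            # name -> (rdata, absolute expiry time)
        self.prefetches = 0

    def _refresh(self, name):
        rdata, ttl = self.upstream(name)
        self.entries[name] = (rdata, self.clock() + ttl)
        return rdata

    def lookup(self, name):
        now = self.clock()
        hit = self.entries.get(name)
        if hit is None or hit[1] <= now:
            return self._refresh(name)      # miss or expired: the client waits on upstream
        rdata, expires_at = hit
        if expires_at - now < self.window:
            self.prefetches += 1
            self._refresh(name)             # a real resolver would do this asynchronously
        return rdata                        # the still-valid cached answer

def simulate():
    """Constructed scenario: one 60 s TTL record queried at t = 0, 30, 55 and 70 seconds."""
    state = {"t": 0.0, "upstream_calls": 0}
    def clock():
        return state["t"]
    def upstream(name):
        state["upstream_calls"] += 1
        return (f"192.0.2.{state['upstream_calls']}", 60)   # constructed rdata, 60 s TTL
    cache = PrefetchCache(upstream, prefetch_window=10, clock=clock)
    answers = []
    for t in (0, 30, 55, 70):
        state["t"] = float(t)
        answers.append(cache.lookup("www.example.org"))
    return answers, state["upstream_calls"], cache.prefetches
```

The query at t = 55 triggers the prefetch, so the query at t = 70 (after the original 60 s TTL has run out) is served from the refreshed entry instead of becoming a miss.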

On one mailing list, the question was raised how widespread use of Google DNS would affect Content Distribution Networks (CDNs) like Akamai. After all, they take the source IP of the DNS query as “close to the client, network-wise” and return the best CDN node for that IP address. If an Austrian user now asks Google's DNS servers in the US, the CDN's nameserver will return the address of an American CDN node, leading to a suboptimal choice.

That effect might become less pronounced (but does not go away) once Google deploys their DNS service in a massive anycast infrastructure. Akamai will then see the request coming from at least the same region as where the end-user is.

Actually, the best move Akamai could make is to start a rival DNS resolving infrastructure. If they used anycasted recursors at each of their CDN nodes, that would really simplify their CDN algorithm, as the node that gets the DNS request is very likely to be the optimal one for the actual content delivery, too.

Categories
Internet

Kook Alert

Recently, two mails of a conspiracy theorist sneaked past my spam-filter. Pure flashback to the heyday of the good old Usenet kooks. Consider this quote:

The Jewish nazis also continued to send ‘messages’ and ‘feedback’ to me through the media and internet and through the EBL – Electronic Brain Link – whereby, among other things, they ‘invited’ and sucked me in to directing my attention and using my amazing power on images in magazines, the internet, TV and other media

I mean, if that doesn’t trigger your kook-detector, nothing will.

Categories
CERT Internet

Free SSL/TLS certificates

CAcert has tried for some time to provide free X.509 certificates based on automatic checks and a web of trust. They never managed to get the root certificate included in the default installations of the major browsers. As I read it, they’ve given up on Mozilla for now.

Aaron forwarded me a link to a blog post by StartCom where they announce that their CA will be included in IE soon. As they are already recognized by Mozilla and Safari, their certs are pretty much as good as any other commercial X.509 cert for servers.

In that respect they are not unique: you can buy commercial-grade certs from various sources, the most popular being Thawte, Equifax, Usertrust, Comodo, and Verisign.

What makes StartCom special is the fact that they give away free certificates, similar to what CAcert is doing. Their enrollment at http://www.startssl.com/ is pretty straightforward, and getting certificates (either by uploading a CSR or by letting them generate a key) is painless.

Furthermore, they impressed me by:

  • Adding priv.at as a valid domain suffix within a few hours after I mailed them.
  • Checking the server for which you requested a cert and giving you hints if you made a configuration mistake.

Recommended.

Categories
Internet Pet Peeves

Zeger rides again

To boost his business with X.509 certificates, he writes a press release, which is promptly picked up by Fuzo.

It seems to be about X.509 certificates for SMTP/STARTTLS, i.e. the encryption of the transport path when sending mail.

What is wrong with all of this?

Categories
IETF Internet

DNSSEC and large packets

In the wake of .org going signed, we finally have good data on what that means for the authoritative nameservers. Duane gave a good talk at the recent NANOG event, showing the increase in TCP connections.

So what is the problem?

In a nutshell: packet sizes. DNS responses containing the DNSSEC-specific RRsets are larger, and setting the DO bit that triggers their inclusion is almost the default these days. So we’re now routinely exceeding the 512 bytes that the original DNS spec required. Over the years, the IETF defined EDNS0, which allows clients to announce their support for larger responses via UDP. Now this is finally really put to the test, and we can see how much fallback to TCP we still observe.
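As an added illustration (not code from the post or from any resolver), the following Python builds a DNS query with and without an EDNS0 OPT record, reads back the advertised UDP payload size and the DO bit the way an authoritative server would, and decides whether a response of a given size fits over UDP or gets truncated and retried over TCP. The question (`org SOA`), the transaction ID and the 4096-byte buffer size are constructed values of my choosing.

```python
import struct

TYPE_OPT = 41
DO_BIT = 0x8000     # DNSSEC OK: high bit of the OPT record's 16-bit flags field
CLASSIC_MAX = 512   # RFC 1035 UDP payload limit when no OPT record is present

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, udp_size=None, dnssec_ok=False, txid=0x1234):
    """Build a DNS query; append an EDNS0 OPT pseudo-RR when udp_size is given."""
    arcount = 1 if udp_size is not None else 0
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    packet += encode_name(name) + struct.pack("!HH", qtype, 1)        # QCLASS IN
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, the 32-bit
        # TTL field carries ext-RCODE(8) | version(8) | flags(16), and RDLENGTH=0.
        flags = DO_BIT if dnssec_ok else 0
        packet += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)
    return packet

def client_capabilities(packet):
    """Parse a query as an authoritative server would: (udp_size, do_bit)."""
    qdcount, arcount = struct.unpack("!HH", packet[4:6] + packet[10:12])
    pos = 12
    for _ in range(qdcount):                  # queries carry no name compression
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4                          # terminating zero label + QTYPE/QCLASS
    for _ in range(arcount):
        if packet[pos] != 0:
            break                             # only a root-named OPT record is expected here
        rtype, rclass, _, _, flags, rdlen = struct.unpack("!HHBBHH", packet[pos + 1:pos + 11])
        if rtype == TYPE_OPT:
            return rclass, bool(flags & DO_BIT)
        pos += 11 + rdlen
    return CLASSIC_MAX, False

def transport_for_response(packet, response_size):
    """'udp' if the response fits the client's announced buffer, else 'tcp'
    (the server sets TC and the client retries over TCP)."""
    udp_size, _ = client_capabilities(packet)
    return "udp" if response_size <= udp_size else "tcp"
```

A signed response of, say, 1200 bytes goes out over UDP to a client that announced 4096 bytes, but forces the TCP fallback for a client without EDNS0.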