On 06/07/2012 03:50 AM, Johnny Billquist wrote:
Yes I understand, but while not in promiscuous mode, the filtering is
done by the network interface chip, rather than by one of my cores which
are typically pretty busy doing other things. I have a very fast
machine on my desk, but that doesn't mean I want to waste the cycles...I
use those cycles for lots of stuff. ;)
Your machine is most likely wasting lots of cycles. You probably don't
even want to know... ;-)
Networks are slow, compared to CPUs.
A friend of mine wrote his PhD about the concept that you basically can
increase network bandwidth by just compressing data you want to send as
much as humanly possible for this simple reason. The CPU will wait on
data anyway, so why not use that time to compress the data to send,
which means you get more data through on the same network bandwidth.
In nearly all cases, yes I agree. Desktop OSs, even the "lean" ones,
are becoming fatter with each release though. And I do actually keep my
CPUs pretty busy, doing large compiles and PCB routing.
But, see my other mail, it is perfectionism more than fear of actual
visible impact. But on the other hand, this is my NEW desktop system,
less than a year old, and I used my last one for about seven years with
only minor upgrades...I get a lot of mileage out of my hardware.
I agree, but it is a bigger concern for me as above. There is also a
"purist" aspect...I also eschew things like "winprinters" (if you
remember those!)...my main CPU cores have other work to be doing.
On 06/07/2012 04:40 AM, Mark Benson wrote:
Traffic. My main desktop machine sits on a busy network, and I am
uncomfortable with the notion of it sitting in promiscuous mode.
Remember that I also do all of my work (meaning "make money for food"
work) on this system.
Hence my proposal to use a dedicated low-cost platform to perform the
work instead.
I like you feel uncomfortable having my main computers wide open so I
don't run it on my Mac Pro, MacBook or games PC. I have an old dual
PIII for Windows stuff and a HP Microserver and (soon to be numerous)
Raspberry Pi for Linux and a Atom D410 for NetBSD.
Ahh, we are talking about different things. I'm using a Cisco 7206VXR
as my DECnet router, but when I'm at my desk, I'm sitting in front of
this computer right here, and I ssh/telnet/dnlogin/llogin from here.
I'm talking about having direct DECnet support from here.
Of course I could just bring up a virtual machine on the VMware host
down in the racks, but then I'd have to hop through that...not difficult
at all, but still very "unclean" to me.
It's just anal-retentive perfectionism, nothing more, no REAL impact,
no REAL casualties...but it makes me sleep better at night, and I can
usually achieve it pretty much everywhere else. :)
-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
On 7 Jun 2012, at 08:33, Dave McGuire <mcguire at neurotica.com>
Traffic. My main desktop machine sits on a busy network, and I am
uncomfortable with the notion of it sitting in promiscuous mode.
Remember that I also do all of my work (meaning "make money for food"
work) on this system.
Hence my proposal to use a dedicated low-cost platform to perform the
work instead.
I like you feel uncomfortable having my main computers wide open so I
don't run it on my Mac Pro, MacBook or games PC. I have an old dual
PIII for Windows stuff and a HP Microserver and (soon to be numerous)
Raspberry Pi for Linux and a Atom D410 for NetBSD.
--
Mark Benson
http://markbenson.org/bloghttp://twitter.com/MDBenson
On 2012-06-07 10:30, Mark Benson wrote:
On 7 Jun 2012, at 08:28, Johnny Billquist<bqt at softjar.se> wrote:
Dangerous in which way?
Promiscuous mode is considered a security risk because it can be used
to expose other packets not intended for viewing, which is why it's
restricted to root. BUT I, at least, am intending to use such a
service on a dedicated single purpose box, so that's not a big issue
for me.
Well, if you intend to run a bridge, router or whatever, you need to be root anyway, so from a security point of view, this is a non-issue.
Changing the MAC address also requires you to be root... :-)
But yes, normal users are not allowed to sniff the network, and even less so allowed to change the interface setup.
It will create a larger load on the system, but that's about it. And todays machines are fast enough that you really need a lot of traffic before it will become a serious problem from that point of view.
I run both my Linux boxes with SimH running 24/7 and the interface in
promiscuous mode as a result. They are behind a gigabit switch Netgear
switch. The resulting extra network traffic as a result is... well non
existant. My network isn't exactly busy but there are other machines
on the switch that have constant traffic.
The main reason in the past for changing the MAC address has been that you want to control the source MAC address. However, most systems now allows you to spoof the source MAC when outputting packets on the ethernet, so that problem is solved.
This also occured to me. MAC address spoofing is pretty easy in most
UNIX variants unless it is strictly disallowed.
Right. And it's hard to disallow, since you need to be root to even inject an ethernet packet to begin with. At that point trying to prevent source spoofing is pointless.
The one environment where this is not possible is when you have hardware that enforce the source address. Such as the DEC ethernet controllers for PDP-11s... You cannot spoof the source MAC on those, as that is a piece of data that is inserted by the controller at the time of transmission...
Load is the one remaining reason to even worry, and that is a rather small worry for most people.
It's a risk anyone using DECnet via libpcap already accepts, anyway.
Yes. But load is the only real worry anyway. Security is not, in this case.
Johnny
On 7 Jun 2012, at 08:28, Johnny Billquist <bqt at softjar.se> wrote:
Dangerous in which way?
Promiscuous mode is considered a security risk because it can be used
to expose other packets not intended for viewing, which is why it's
restricted to root. BUT I, at least, am intending to use such a
service on a dedicated single purpose box, so that's not a big issue
for me.
It will create a larger load on the system, but that's about it. And todays machines are fast enough that you really need a lot of traffic before it will become a serious problem from that point of view.
I run both my Linux boxes with SimH running 24/7 and the interface in
promiscuous mode as a result. They are behind a gigabit switch Netgear
switch. The resulting extra network traffic as a result is... well non
existant. My network isn't exactly busy but there are other machines
on the switch that have constant traffic.
The main reason in the past for changing the MAC address has been that you want to control the source MAC address. However, most systems now allows you to spoof the source MAC when outputting packets on the ethernet, so that problem is solved.
This also occured to me. MAC address spoofing is pretty easy in most
UNIX variants unless it is strictly disallowed.
Load is the one remaining reason to even worry, and that is a rather small worry for most people.
It's a risk anyone using DECnet via libpcap already accepts, anyway.
--
Mark Benson
http://markbenson.org/bloghttp://twitter.com/MDBenson
On 2012-06-07 09:42, Johnny Billquist wrote:
Hi, Alastair. Thanks for the feedback. Interesting... Care to help me
figure some things out...?
On 2012-06-07 08:33, Boyanich, Alastair wrote:
cc-1171 cc: WARNING File = bridge.c, Line = 684
The indicated expression has no effect.
if (port == 0) port == DPORT;
^
Blech! Well, DPORT is by default set to 0. See the documentation of the
define in the sources... This one will stay.
Oh well. I made a conditional around this, so that if people don't change DPORT, it will not even be compiled. Warning gone...
Cleaned up the code some, based on inspiration fallout here. New version available. No functional changes...
Johnny
On 2012-06-07 09:33, Dave McGuire wrote:
On 06/07/2012 03:28 AM, Johnny Billquist wrote:
SIMH uses libpcap and implements networking for emulated machines by
kicking the interface into promiscuous mode. That's a bit dangerous
from a traffic perspective; I'm not certain that'd be a good idea for
anything other than the most casual use on a quiet network.
Dangerous in which way?
Traffic. My main desktop machine sits on a busy network, and I am
uncomfortable with the notion of it sitting in promiscuous mode.
Remember that I also do all of my work (meaning "make money for food"
work) on this system.
Ok. Good. We're on the same page about where the potential problem lies then.
It will create a larger load on the system, but that's about it. And
todays machines are fast enough that you really need a lot of traffic
before it will become a serious problem from that point of view.
Remember that most of the filtering out of unwanted packets are done in
the kernel anyway, and not in user space. That's what the bpf interface
and filter programs do for you.
Yes I understand, but while not in promiscuous mode, the filtering is
done by the network interface chip, rather than by one of my cores which
are typically pretty busy doing other things. I have a very fast
machine on my desk, but that doesn't mean I want to waste the cycles...I
use those cycles for lots of stuff. ;)
Your machine is most likely wasting lots of cycles. You probably don't even want to know... ;-)
Networks are slow, compared to CPUs.
A friend of mine wrote his PhD about the concept that you basically can increase network bandwidth by just compressing data you want to send as much as humanly possible for this simple reason. The CPU will wait on data anyway, so why not use that time to compress the data to send, which means you get more data through on the same network bandwidth.
The main reason in the past for changing the MAC address has been that
you want to control the source MAC address. However, most systems now
allows you to spoof the source MAC when outputting packets on the
ethernet, so that problem is solved.
Well, and to receive those packets!
Right.
Load is the one remaining reason to even worry, and that is a rather
small worry for most people.
I agree, but it is a bigger concern for me as above. There is also a
"purist" aspect...I also eschew things like "winprinters" (if you
remember those!)...my main CPU cores have other work to be doing.
Hi, Alastair. Thanks for the feedback. Interesting... Care to help me figure some things out...?
On 2012-06-07 08:33, Boyanich, Alastair wrote:
Hi Johnny. New bridge.c compiled. Seems fine in GCC, MIPSpro is still
too strict. Build output and config are as follows:
jazz:~/src/HECnet[97]%cc -O2 -o bridge bridge.c -I/opt/skunkware/include
-L/opt/skunkware/lib -lpcap
cc-1515 cc: ERROR File = bridge.c, Line = 229
A value of type "int" cannot be assigned to an entity of type "char
*".
p = index(dst,':');
^
Eh... So your compiler thinks that index() returns an int?
Is there another include file needed to get the right index() function prototype? What does your documentation (or man-page) say about index() ?
Either it has a different (and strange) definition of index(), or else this is the default assumption in C that unknown functions return an int. But in that case, it might also have been nice if it complained about the unknown function. Either way, there is nothing wrong in the code, with the possible exception that some file needs to be included to fix this.
cc-1185 cc: WARNING File = bridge.c, Line = 578
An enumerated type is mixed with another type.
d->type = classify_packet(d);
^
Ah. Thanks. Fixed. Silly of me. I moved to the enums several years ago, but didn't do it proper all the way.
cc-1171 cc: WARNING File = bridge.c, Line = 684
The indicated expression has no effect.
if (port == 0) port == DPORT;
^
Blech! Well, DPORT is by default set to 0. See the documentation of the define in the sources... This one will stay.
1 error detected in the compilation of "bridge.c".
gmake: *** [bridge] Error 2
I've added -Wall to my Makefile now (that checks a lot), and the only warning I get here is about this last one... (which was expected)
jazz:~/src/HECnet[98]%gcc -O2 -o bridge bridge.c
-I/opt/skunkware/include -L/opt/skunkware/lib -lpcap
bridge.c: In function 'add_bridge':
bridge.c:218: warning: incompatible implicit declaration of built-in
function 'bzero'
bridge.c:229: warning: incompatible implicit declaration of built-in
function 'index'
It would definitely appear that some include file is needed to make the compilation happy on your system. Care to find out which file defines bzero() and index()?
jazz:~/src/HECnet[99]%file bridge;ls -l bridge
bridge: ELF N32 MSB mips-4 dynamic executable MIPS - version 1
-rwxr-xr-x 1 uridium clowns 302060 Jun 7 16:25 bridge
jazz:~/src/HECnet[100]%cat bridge.conf
[bridge]
local ec0
update tempo.update.uu.se:4711
[decnet]
local
update
[lat]
local
update
####
Looks like some casting might be in order. I think I'm ready to go with
the port forwarding and bridge setup on this end. Spotted a nice guide a
while ago as to how to configure the decnet side of things. I'll follow
that guide once the bridge is up. :)
Looks good, yes...
Johnny
On 06/07/2012 03:28 AM, Johnny Billquist wrote:
SIMH uses libpcap and implements networking for emulated machines by
kicking the interface into promiscuous mode. That's a bit dangerous
from a traffic perspective; I'm not certain that'd be a good idea for
anything other than the most casual use on a quiet network.
Dangerous in which way?
Traffic. My main desktop machine sits on a busy network, and I am
uncomfortable with the notion of it sitting in promiscuous mode.
Remember that I also do all of my work (meaning "make money for food"
work) on this system.
It will create a larger load on the system, but that's about it. And
todays machines are fast enough that you really need a lot of traffic
before it will become a serious problem from that point of view.
Remember that most of the filtering out of unwanted packets are done in
the kernel anyway, and not in user space. That's what the bpf interface
and filter programs do for you.
Yes I understand, but while not in promiscuous mode, the filtering is
done by the network interface chip, rather than by one of my cores which
are typically pretty busy doing other things. I have a very fast
machine on my desk, but that doesn't mean I want to waste the cycles...I
use those cycles for lots of stuff. ;)
The main reason in the past for changing the MAC address has been that
you want to control the source MAC address. However, most systems now
allows you to spoof the source MAC when outputting packets on the
ethernet, so that problem is solved.
Well, and to receive those packets!
Load is the one remaining reason to even worry, and that is a rather
small worry for most people.
I agree, but it is a bigger concern for me as above. There is also a
"purist" aspect...I also eschew things like "winprinters" (if you
remember those!)...my main CPU cores have other work to be doing.
With todays network gear, you will not get most packets to your machine
anyway, the switches are already doing the filtering for you, so
promiscuous mode don't hurt much from that point either.
...and this is the only thing that makes me more comfortable with the
idea. The switch will just have more than one entry in its MAC table
for this port.
But I still don't like it. ;)
-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
On 2012-06-07 08:39, Dave McGuire wrote:
On 06/07/2012 02:26 AM, Mark Benson wrote:
Now, you have due permission to beat me with a dried haddock if I'm
being naive (I'm not a programmer, just a user observing a
conversation that's 50% over my head) but...
Wouldn't a kernel-agnostic DECnet implementation be a better shot? I
mean if you can skim DECnet packets using libpcap (which is kernel
agnostic as far as I can tell, hell it even works on Windows :)) and
use that to handle DECnet for the bridge or SimH what's stopping it
being used for a full DECnet comms package? It might not be very
*fast* and it's sure as hell not secure but it'd work, right?
With the fast pace of kernel change and the dropping of kernel
support (and OSs like Ubuntu update the kernel regularly which will
break things) for DECnet in the 3.x kernel it may be that
kernel-based support is no longer practicable on modern Linux.
Just a thought...
It's a good idea, but I'm not sure it can be done. We need to change
the MAC address on the interface...can that be done outside the kernel?
No need. See below.
SIMH uses libpcap and implements networking for emulated machines by
kicking the interface into promiscuous mode. That's a bit dangerous
from a traffic perspective; I'm not certain that'd be a good idea for
anything other than the most casual use on a quiet network.
Dangerous in which way?
It will create a larger load on the system, but that's about it. And todays machines are fast enough that you really need a lot of traffic before it will become a serious problem from that point of view.
Remember that most of the filtering out of unwanted packets are done in the kernel anyway, and not in user space. That's what the bpf interface and filter programs do for you.
The main reason in the past for changing the MAC address has been that you want to control the source MAC address. However, most systems now allows you to spoof the source MAC when outputting packets on the ethernet, so that problem is solved.
Load is the one remaining reason to even worry, and that is a rather small worry for most people.
With todays network gear, you will not get most packets to your machine anyway, the switches are already doing the filtering for you, so promiscuous mode don't hurt much from that point either.
Johnny
