dsiegel's blog

NEWS FLASH: Virtual Reality not as good as Reality

Thu, 31 Jan 2008 00:47:18 +0000

We've all been there. Travel expenses have to be cut, and yet your work centers are geographically separated, work groups are forged from different work centers, and your management suggests you increase your use of video conferencing. You grudgingly submit to the idea but hope that you still have enough money to do the necessary amount of travel, and you might even try some video conferencing. But will it work?

Corporations have learned a lot since this 2004 Norwegian study that indicated that video conferencing affected corporate travel from 2.5-3.5%. Part of the following study suggests that it's merely a matter of implementing the right culture with the right technology and you can start saving, but what might the long term impacts be of reducing personal interaction amongst employees.

In the online Q&A for Patrick Lencioni's book Death by Meeting, Patrick states:

Q: As technology continues to make life and business more and more virtual, do you think this has positive or negative effects on meetings?

A: I think that the promises of the virtual workplace have not panned out to the extent that everyone expected. The fact is human beings need to be in the same room, face to face, in order to engage in the kind of discourse that leads to good decisions. When we try to circumvent that reality by using audio and video conferencing, we dilute the quality of our conversations, and ultimately, the decisions that we make. Of course, there are certain types of conversations that are fine for virtualcommunication - customer service, basic information sharing, and tactical updates. But trust andconflict and commitment and accountability are not easily nurtured over a network, even a high speed one.

� Copyright 2007 The Table Group, Inc. w 3640 Mt. Diablo Blvd., Suite 202 w Lafayette, CA 94549 w www.tablegroup.com

After having read a few of Patrick's books, I believe this theories are fairly sound. I can see how it would be difficult to mine for conflict on an audio bridge if you can't read body language of everyone simultaneously, although I do seem to find the sore subjects on my own even without video, it just takes a few more questions. I also wonder if Patrick tried using a true telepresence setup if he might change his mind. In this recent post from our own Thomas Hobika, Tom covers telepresence and what is involved. If you can truly create an experience where it is almost as good as being there, wouldn't it be almost as good as being there?

Of course, you still can't get the satisfaction of going to lunch together after the meeting is over. At least not yet. :-)

by Dave Siegel

The path of least resistance

Fri, 04 Jan 2008 18:56:08 +0000

In response to the article How Feds are dropping the ball on IPv6 over at Network World, Rich Fisk writes:

Quoted from http://blogs.globalcrossing.com/ipv6-eternal-wait-pt2#comment-928
I just attended the Network World Live Road show here in DC and the chairman of ARIN seemed to have an opposing view to the [statement] that you made in NW.

1. Somewhere in 2010 the IP address space will run out as emerging markets grow.

2. His organization is telling ISP to make plans for IPv6 as there will be a day soon where ARIN will not be handing out more IPv4 space.

3. After #2 happens (no pun intended) there will be the beginnings of two Internets. One IPv4 and one IPv6. While all sites will be reachable with IPv4 clients at first there will come a time where there will be IPv6 only sites.

Yes, we know that IPv4 address will run very low some day, but the sky has been falling for 12, maybe 13 years now. People are tired of hearing it, in large part because you can still get IPv4 address space today. Even if an organization starts to run low on addresses they can resort to NAT and RFC1918 (private address space, e.g. 10.x.x.x).

The way I see it, getting denied for a new IPv4 address and being given an IPv6 address block may be the only catalyst for IPv6 deployment in the LAN. Early IPv6 deployments in the LAN that are forced due to unavailability of IPv4 addresses only will employ a NAT with external IPv4 addresses (or address), but they will function more or less identically as the use of RFC1918 space would. IT Network Managers will have decide if they go with an IPv6 implementation over the more familiar private address space. They will have to use a NAT, because they are going to get stuck in this situation long before the Internetv6 is here.

As of today, finding popular sites that have deployed v6 to their web sites is extremely rare. I did a little experiment with top of mind web sites. As one would hope, ipv6.org resovles to an IPv6 address. From there, I had a little more trouble. By the way,"traceroute6: Non-recoverable failure in name resolution" means that no AAAA record was found, or in laymans terms, the site is NOT IPv6 ready. The results are below.

dsiegel@terra:~ >traceroute6 www.ipv6.org traceroute6 to shake.stacken.kth.se (2001:6b0:1:ea:202:a5ff:fecd:13a6) from 2001:450:1:1001::1e, 64 hops max, 12 byte packets 1 2001:450:1:1001::1d 39.711 ms 39.317 ms 40.010 ms 2 sl-bb1v6-rly-t-96.sprintv6.net 113.674 ms 113.480 ms 113.673 ms 3 sl-bb1v6-nyc-t-1000.sprintv6.net 126.309 ms 126.216 ms 126.633 ms 4 sl-bb1v6-sto-t-102.sprintv6.net 218.384 ms 215.206 ms 214.051 ms 5 2001:7f8:d:fb::24 342.243 ms 342.473 ms 342.180 ms 6 se-tug.nordu.net 343.023 ms 341.761 ms 341.059 ms 7 c2sth-so-6-0-0.sunet.se 342.812 ms 343.377 ms 344.655 ms 8 2001:6b0:dead:beef:2::2c6 342.023 ms 342.605 ms 341.990 ms 9 2001:6b0:1:1200::1 342.148 ms 342.206 ms 343.006 ms 10 clubroom-gw.stacken.kth.se 342.221 ms 342.900 ms 342.158 ms 11 igloo.stacken.kth.se 342.637 ms 344.114 ms 343.147 ms dsiegel@terra:~ >traceroute6 www.google.com traceroute6: Non-recoverable failure in name resolution dsiegel@terra:~ >traceroute6 www.yahoo.com traceroute6: Non-recoverable failure in name resolution dsiegel@terra:~ >traceroute6 www.ask.com traceroute6: hostname nor servname provided, or not known dsiegel@terra:~ >traceroute6 www.msn.com traceroute6: Non-recoverable failure in name resolution dsiegel@terra:~ >traceroute6 www.globalcrossing.com traceroute6: hostname nor servname provided, or not known dsiegel@terra:~ >traceroute6 www.verio.net traceroute6: hostname nor servname provided, or not known dsiegel@terra:~ >traceroute6 www.sprint.net traceroute6: hostname nor servname provided, or not known dsiegel@terra:~ >traceroute6 www.att.net traceroute6: hostname nor servname provided, or not known dsiegel@terra:~ >traceroute6 www.sprintv6.net traceroute6 to www.sprintv6.net (2001:440:1239:4::2) from 2001:450:1:1001::1e, 64 hops max, 12 byte packets 1 2001:450:1:1001::1d 40.637 ms 41.133 ms 41.545 ms 2 sl-bb1v6-rly-t-96.sprintv6.net 113.473 ms 113.064 ms 112.476 ms 3 sl-bb1v6-nyc-t-1000.sprintv6.net 125.839 ms 125.544 ms 126.679 ms 4 sl-s1v6-nyc-t-1004.sprintv6.net 127.108 ms 132.845 ms 128.818 ms 5 www.sprintv6.net 127.799 ms 127.502 ms 127.634 ms

Good going Sprint! You win a prize! Granted, it's not their main corporate web site and it does little more than check if you are v6 enabled and give you some helpful v6 related links, so it's not a true datapoint for an ordinary site.

In reality, I think that there will be a gap between #2 and #3, or when we run out of IPv4 addresses to assign and when all web sites and other servers have both IPv4 and IPv6 addresses. Enterprises will deploy NAT to maintain connectivity to the Internetv4 rather than contact every web site admin to request they enable for IPv6, and the Federal networks will satisfy the mandate by being able to run IPv6 rather than take the giant step of actually turning off IPv4. That, my friends, is the path of least resistance.

i hax0red your b33mer... i haz ur cookie k thx bye

Tue, 04 Dec 2007 18:04:10 +0000

Imagine starting your car and seeing that message on your dash.

If this happens, it's not outside of the realm of possibility. BMW labs is experimenting with the use of IP sub-systems for internal communications, which is a pretty interesting idea! One of the draw backs of using standard protocols and components is the availability of knowledge around said commonly available technology, but IP can be secured pretty well, so if it's done properly hacking shouldn't be a big concern.

The author didn't mention the possibility for 3rd party after market add-ons, but one would think they'd be possible if the car has IP packets flowing through it's veins, but then that would reopen the possibility of security threats too, so it might be in BMW's best interest to try and prevent any sort of external tampering with the system.

I think the author of the article is a little confused about IPv6, though. He says:

Costs drop because fewer specialized components are needed, and the new
version of IPv6 is even better than the more than fine performance from
IPv4.

I would love to know how the new version of IP is even better than the performance of IPv4, especially given that it doesn't perform as well as IPv4, which I noted in a previous post. In some discussions with members of the IT community from various government agencies, they are leery of deploying IPv6 for security reasons (not because of known issues but more because of the unknown issues that have yet to be discovered because IPv6 is not widely adopted yet). As a result of these factors as well as overall adoption rate, IPv6 support might actually cost a bit more than IPv4 for several more years.

Despite the erroneous implication of improved performance, if this just a proof of concept and 3rd party after-market add-ons are not a priority, why not design it around IPv6? IPv6 might even help insure that the system stays a somewhat closed
one...or it might be the killer app that drives further development and
investment in IPv6. Furthermore, you could do crazy stuff like putting an RFID tag on every nut and bolt in the car, build an RFID-to-IPv6 proxy server, ping every last component on the car, and triangulate their position to make sure they're all where they are supposed to be. Then when your mechanic ends up with those extra parts and throws them to the side like he did before, you can run the diagnostic before leaving the shop and call him on it.

Better make sure there's an on-board DNS system too, just so we don't have to see the following error message 'Communication Failed with device 2001:450:1999:900:0:670:1708:1920'. :-)

posted by Dave Siegel

Using QoS for evil

Fri, 26 Oct 2007 19:07:50 +0000

We usually think of QoS as a way of making sure that our applications work the way they are intended. That is the whole point, right? Case in point, in my my last post QoS and your PC, we discussed how to implement QoS to provide a better user experience for desktop video conferencing.

But it doesn't always work out that way.

Some years ago now, a company called Caspian Networks created a carrier-class routing platform that analyzed flows in real-time, and it could restrict throughput on that flow based on configuration information. The impact of this capability is rather interesting...rather than limiting the throughput of a type of application on a general level (a la the Diffserv model), say limiting P2P traffic to 15% of the overall backbone capacity, it can limit the throughput of each application individually, regardless of whether there is congestion in the network or not!

Just imagine the havoc this could cause from a net neutrality perspective. Are you an RBOC or cable company worried about Skype? Just limit the throughput on any Skype flow to the point where it'll sound horrible, but not so bad that it won't work at all. In fact, you can do the same for any application that competes with something you sell yourself.

I first learned of Caspian Networks many years ago through an "economics of the Internet" mailing list hosted by Gordon Cook, and there was a gentleman participating by the name of Dr. Larry Roberts who believed that the economics of the Internet could be radically improved through restricting traffic that was deemed to detract value from the network rather than add to it. As one of the founders of Caspian, he took this belief and created a product around it. Caspian folded last year, but Larry started a new company in 2004 called Anagran, and it does pretty much the same thing that Caspian did. Looking at Anagran's web site, they're clearly focusing on the improved quality that they can give to applications, and yet at the lower right hand corner of the web site, it still mentions "controls P2P and optimizes capacity."

I was reminded of Dr. Roberts and Anagran recently upon reading the following article about Comcast and some technology they have implemented that slows down P2P applications such as BitTorrent, eDonkey and Gnutella, which you can read about in the Associated Press article Comcast blocks Some Internet Traffic. I don't know if Comcast is using Anagran, but I would guess that they have used something very similar.

QoS is like a gun. It's not the thing that is evil, it's how it's used. It does, however, highlight some of the problems with the economic model of the Internet (which was the main topic of the conversation on the previously mentioned mailing list). As prices on bandwidth have decreased over the years and the basic job of transferring bits has become a commodity, the industry analysts and business strategists have told the carrier to "move up the stack" into applications in order to reach profit margin salvation, and in response carriers have invested what must amount to hundreds of billions of dollars in development only to deploy an application that some else now makes available for free or for profit right on their commodity pipe. While I believe that the only solution for the carrier to build a better application rather than try to break the competitions, it does pose a risk. If carriers cannot get the margins they are looking through by selling applications, there will be little choice but to "un-commoditize" basic connectivity and raise prices. Whether you believe Metcalfe's law or Andrew Odlyzko's more conservative version, maybe the applications are nothing more than fodder for connecting people and are the driver for selling bigger and more profitable pipes just like the latest Microsoft product drives computer upgrades?

Either way, I think the realization of these truths has been a contributor to the stabilization in bandwidth pricing over the past year, and might suggest that this stabilization will at least continue for some time.

Hat tip to Norm for the Comcast article reference.

by Dave Siegel

QoS and your PC

Tue, 16 Oct 2007 01:08:50 +0000

In a comment on this post from one of our readers, Christopher Wacker writes:

To me, it sounds like you A/V issues lie with your networking. I work for a MPLS consulting firm (if you don't know what MPLS is, you can take a look at http://mpls-experts.com/default.asp?page=pages/whatismpls.asp&v=nontech for a brief overview of what MPLS is) and have noticed this problem quiet often with companies. Are you currently using ATM/Frame Relay?

I am somewhat familiar with MPLS. :-)

I was an IP Engineer at Frontier Globalcenter when we were doing our rollout of MPLS back in Q1 1999, which coincidentally was the first deployment of MPLS in any production IP network anywhere. We deployed the mesh nationally in Q2 of 1999, and according to our primary core vendor at the time (Cisco), we were the first carrier with a nationwide deployment of MPLS. With the acquisition of Frontier by Global Crossing, we began building new POPs internationally in Europe and Latin America over the first half of 2000, and our US domestic MPLS core became an international one..

It was a tough time for us to deploy MPLS. The standard was so new it wasn't even a standard yet, it was still in draft. There were lots of bugs in our vendors' routing code. Deploying Juniper created additional complexities because each vendor interpreted the RFC's and Internet Drafts (pre-RFC's) differently, which occasionally led to some very interesting network behavior.

But I digress.

Towards your question around the use of ATM/FR, I am not directly connected to our corporate network with ATM/FR or MPLS, which is the root of my problem and a common plague of the telecommuter. I use a local ISP who buys transit from someone other than Global Crossing, and the performance is often less than desirable.

For the sake of argument, let's say that I was connected directly to the corporate MPLS network, would my QoS problems be solved? Would I be able to set different ToS bits on the video packets coming from communicator compared with the voice? As near as I can tell, there are no such settings in MS Communicator 07, and if that is true, then all packets originating from my computer will look like any other data packets and will not get any special treatment on the network.

QoS on MPLS works great, but if you can't differentiate packets in some way (IP address range, port range, or ToS bits) you won't be able to take advantage of it. Usually, differentiating packets within the same application (say OCS) is impossible to anywhere other than the application itself. I say usually because it is possible that if the application uses different ports on seperate rtp streams, and you can tell which one will always be video and which will always be voice, you can probably work something out on the CPE router to classify the packet, but it would certainly be easier to just set the parameters in the application.

Perhaps one of our readers knows if it is possible to set the ToS packets within OCS?

Microsoft OCS at Global Crossing

Mon, 20 Aug 2007 15:16:28 +0000

If you're like me, when one of your internal IT guys gives you a call and asks you if you want to trial some new software, the answer is almost nearly always a resounding YES. Last week Steve Schafer gave me a call and asked if I wanted to try out the new 2007 version of MS Communicator based on the OCS platform. I got set up with it on Monday and wanted to share some of my experiences with it.

There are several new features that I find very attractive:

All conversations are kept and stored in a mailbox. This can be the text of an IM conversation, or if it's a phone call, then the number, name of person you called (if available) and the length of call is recorded.
The IDLE status doesn't obfuscate any other status, but shares the button color so that you know if the person is idle at their keyboard while in a meeting, on the phone, or available. You get a little bit of credit this way for behaving yourself and not multitasking while on a conference call. It might also eliminate a few yt?'s
Multi-party video calls, Ohhhh yeah! Create a multi-person IM conversation and then fire up Video. Whoever is talking at the time is broadcast to all other parties. It works reasonably well for me in spite of the fact that I am a tele-worker with a lousy Internet connection.
Quasi-FMC/UC capabilities that include a DID for your computer, simultaneous ring to another number of yours, voice-mail delivered to your inbox as a .wav file, as well as the ability to call a voice access number and access your calendar and email. I don't suspect I'll ever use that last feature, but it is nice to know that if I was ever having trouble falling asleep that I could have a pleasant female-timbered computer voice read my email inbox to me, which I shall hence forth dub Femail. Copyright! :-)

And there are several things that I predict will be very evil.

All those great mailing lists in the outlook exchange address book now come up on searches with an auto-complete function in the communicator search window. Just when email got so crazy that you had to turn to IM for productivity gains, here come the mass IM broadcasts! Broadcast IM's are bad, mmmkay??? Just say No!
The new color scheme is a bit harsh. The charcoal title bar is fine, but the new 3D shading on the buttons and the traffic-light red/yellow/green availability scheme is kind of hard on the eyes. The other issue here is the connotation associated with red. The previous version showed a pleasant shade of blue when someone was busy, but now it's red. Since I tend to be booked in meetings most of the day, I am always an angry shade of red. That's evil.

Stuff that still doesn't work quite right:

Softphones still suck. I have a reasonably fast laptop and a gig of RAM, but somehow I still have issues coding/decoding when my computer gets busy for a few seconds. Give this program more priority by default. I have a Microsoft IP phone on the way that should resolve this problem, but I'm still pretty shocked that computer telephony doesn't work better than it does.
Video/audio sync in video calls. I've noticed that I receive the video frames before the audio. What gives? Audio should have priority over video. Always! If Video is falling behind, drop the frames. If the audio is falling a second or two behind, wipe the whole buffer and start over or something so it doesn't feel like I'm having a conversation with someone half-way to the moon.

All in all, the new features are pretty cool, and I'm looking forward to the rest of the company getting upgraded to this release.

Why PS Home matters

Mon, 14 May 2007 17:54:18 +0000

In my last post about the PS Home, I spoke about the Sony announcement of PS Home and how I found the technology interesting.

Unfortunately, I broke one of the cardinal rules of good blogging by completely failing to tie it back into Global Crossing's business. A Hat Tip goes out to Matt Sewell from our Phoenix office for pointing this disconnect out to me.

Immersive, Virtual Reality environments are important to me and to Global Crossing because it points the way to the future of collaboration, which is currently one of our best value-add product areas. Much like the way that pr0n addicts drove early bandwidth usage on the Internet (and were therefore one of the key investors!), Second Life addicts are driving innovation in collaboration technologies, particularly the immersive variety (and are therefore investors in it!).

What we learn from these evolving technologies and how they are adopted can give us clues (but not necessarily direct evidence) as to how the technology may be adopted by the business world.

But before I start thanking SL Addicts for helping realize the dream of virtual reality....

...lets look at what we have learned so far.

Users can get so immersed in the virtual world that they lose track of the real world
The virtual world rarely incorporates the real world and its utilities, further enforcing a separation of virtual and real worlds.
Goals are self-created and revolve around "in-game" needs as opposed to real-world needs, and addicts have difficulty putting "in-game" goals into the proper context in their every day life

These issues are going to present a huge problem for people that want to see immersive VR become part of the corporate world because the corporate world will never support immersive VR with the kinds of risks associated with the statements above. The only avenue that offers a solution is a higher level of integration between the real world and VR. This step requires a great deal of additional investment in technology development beyond what exists today. To seamlessly integrate all of the information on your desktop computer with the virtual environment and to create a work environment that mimicks your real one for the purposes of collaborating across great distances is where you can start to draw the eye of the corporation.

This idea, while tantalizing for the corporation, will be wholly rejected by large portions of the current VR population that use their immersion to escape the realities of their physical existence. Remember that they are the ones investing the most in the platforms right now. That is starting to change with corporations like IBM and Sun beginning their investments in second life, but we will need to see much more corporate involvement if we are to see these emerging technologies one day become useful to the every day business.

So, thank you SL addicts. Thank you for paving the way. Please pardon the dust.

Why Web 2.0 and Web 3.0 will co-exist

Thu, 15 Mar 2007 01:21:43 +0000

Or why Secondlife and similar metaverses will never formally be coined Web 3.0, the next-generation Web.

My friend Rawn covered the recent announcement from Sony on their Playstion Home environment, lauded as a secondlife killer.

Rawn asks:

Is this the death knell for SecondLife or MySpace? Let me know what you think.

Although I cannot properly review something that isn't released, I will say no on both counts. As far as I can tell from the movie (various clips available in the links above)...it looks totally sick. The graphics make secondlife look like crayola-doodled cartoon drawings by comparison. That's where the advantage ends. There are two comparisons to touch on: the comparison between SecondLife and PS-Home, and the comparison between 3D systems and social-networking systems.

The worst part of PS Home is that it only runs on the PS3 and it will probably be a closed system...closed in several ways.

Not only will the client be proprietary, but you have to run it on proprietary hardware (the PS3). The world will logically only provide access to Sony multiplayer-games since the PS3 would not run a game for Xbox or the PeeCee). It also appears that while the environment itself will be free, Sony will charge for various virtual "upgrades" like special clothing. If Sony themselves is the only source of "objects" in-game and must be purchased from them rather than created by the playerbase, the 3D world will likely stagnate fairly quickly and it won't be much better than a simple GameSpy client for connecting players to servers. The only reason to be there will be because of the multiplayer games that Sony ties to it.

So no, it won't kill Second Life, but it might happily coexist with it.

Another MMOG, EVE Online is planning to offer a 3D environment in a future game expansion release. Video here MMOG game designers strive to create games that encourage the userbase to collaborate in order to achieve difficult goals, but because all of the necessary tools don't exist in-game, a need has arisen to collaborate out-of-game. I have read stories of various guilds inside an MMOG using secondlife to hold their guild meetings...and since game designers don't want their userbase to leave "their" system, they try to incorporate the tools into their their gaming platform.

What would be great is if there was a truly open system that could encompass the needs for socialization, collaboration, as well enabling transition into proprietary game environments. Even Sony could accomplish this by providing a PC and Xbox client to their 3D world and using more of a second life model. These 3D worlds are not the end-all be-all of the next generation web, though. It is just too cumbersome to share certain things from real life in these 3D environments, so I think web 2.0 and the 2-D browser will rule the roost in the area of sharing photos and networking. Another difference between the Web 3.0 3D environment and the Web 2.0 Myspace environment is that the 3D is real-time online and Myspace is more static...I would liken it to the difference between a chatroom and a Bulletin Board System. In the BBS there is a log of all activity that you can review if you were there or not at the time it was posted, and in a chatroom, if you aren't there you miss it. Each model serves a purpose and I doubt one will ever displace the other. If you want to read an interesting conversation on the "is second life the web 3.0" check out the following post and the comments over at zephoria.org.

Technorati Tags: Playstation Home, web 2.0, secondlife, Web3D

Blackhat study reveals Ethernet less secure than IP-VPN

Tue, 24 Apr 2007 19:21:46 +0000

This presentation from the blackhat conference in Europe last year speaks directly to the point about the security issues between IP-VPN and Ethernet that I took issue with in my last blog.

A couple of the key points that I took from this presentation were:

In the case of both Ethernet VPNs and IP-VPNs, in order to hack into a customers network from outside the network, the attacker must have access to the provider's core routers. (pg. 26)
If an attacker has penetrated the customer's network through a backdoor or through weak physical security, he has some interesting options with an Ethernet VPN that do not exist on an IP-VPN network, especially in a VPLS environment. (pg. 34 and others)
A reminder about how much I dislike spanning tree (pg. 38)

ps. he refers to as the Juniper M7i as a "big-iron" router, when in fact it is the smallest of Juniper's carrier-line of routers and doubles as a high-end Enterprise router. An M7i may be used by a carrier in a very small site, but such a site is not likely to have thousands of customers as cited in his example. A site with thousands of customers is much more likely to be riding an M40e at minimum, or more likely an M320.

Hat Tip to Jim Lippard

Technorati Tags: Ethernet, VPLS, IP-VPN, Security

Ethernet, the latest religion

Thu, 08 Mar 2007 00:41:07 +0000

If you've been on the technical side of this industry even a short time, you've no doubt run across debates that are so monumental and so emotion-driven that they are labeled religious debates. Perhaps the debates are not really so monumental, but each side of the issue often represents a fundamentally different philosophy. Some favorites of mine?

Mac vs. Windows
PC w/ Unix vs. Unix Workstation
BSD vs. SVR4
Emacs vs. vi (or any other editor, really)
EISA vs. VLB
USB vs. Firewire
VHS vs. Betamax?

From the realm of networking, who could forget the long running debate between ATM and IP? There were many arguments used against IP that were just plain false, like the security concerns around IP and it being easier to hack (which I found silly because all ATM/FR network were running IP atop ATM/FR).

That's why it makes me chuckle a bit to see the same type of argument used in to promote Ethernet as a substitute for IP-VPN in this article about advertising.com switching out their IP-VPN.

Bavisi said that because VPLS is a L2 service there is no need for the firewalls the London office of Advertising.com previously had to manage at the remote sites. ?Both IPsec [a.k.a. DIY] VPNs and IP VPNs delivered by carriers over MPLS networks are at Layer 3, and thus face security issues,? he said.

The first sentence is fine. It's true, Ethernet (or an MPLS-based IP-VPN solution) eliminates the need for firewalls at each site. You can safely run in a closed network environment with no IPsec tunnels or other hassle. The downside to that, however, is that each site now has to use the main corporate center for all Internet traffic, which puts more strain on the WAN...which is great for the backbone provider. Ultimately it means more business for them.

The second sentence I quoted is the FUD factor coming into play. There could not possibly a difference in the security risk between an Ethernet VPN running IP and a closed IP-VPN network running IP. The security risks inherent with an IP network, especially one connected to the Internet somewhere, are not necessarily lessened by moving to an Ethernet network, and the process of centralizing Internet Access and firewalls into one or more main hubs is a common design element in layer 2 and layer 3 VPN's alike.

In a way, the recent development effort into Ethernet remind me of one of the Fundamental Truths of Networking, as cited in RFC 1925.

(11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.

Ethernet as a WAN protocol (and the use of VLAN's for logical seperation, QoS, and site identifiers) reminds me an awful lot of ATM and Frame Relay, and MPLS reminds me an awful lot of ATM too. ATM had QoS and Traffic Engineering and IP didn't, so along came MPLS to give some traffic engineering function and they put CoS into IP. Now that we're trying to use Ethernet in the WAN, we've got to add all that stuff to it as well, so we'll run it over MPLS and make 802.1p to give it QoS. We're re-inventing the wheel!

Those of you involved in the creation of these new Ethernet standards should remember your your RFC's. That way you'd know that the twelfth fundamental rule of networking is

In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away.

Technorati Tags: Ethernet, VPLS, IP-VPN, MPLS

The session wasn't named 10Gig and the Next-Gen network

Tue, 24 Apr 2007 19:22:38 +0000

The title of the panel was 10GigE and the Next-Gen Network, not 10G and the Next-Gen network. Why is Ethernet so key to the next gen network compared to 10G in general, and perhaps more importantly why has SONET/SDH becomes a 2nd class citizen in the network compared to Ethernet?

I could have only focused on how great our own network is and all the various Ethernet products we have and how they work, but I like to try give my presentations some general educational value or to be thought-provoking in some way. The last time I tried this at an Ethernet conference I was referred to as a fox in the hen-house, so I toned it down a bit and just provided some data for people to mull over.

You'll recall from a previous conversation about how cost scales in a network that as new technology is released you tend to get a 4x improvement in bandwidth for about twice the interface cost as the previous step. The chart below uses current pricing from router vendors for SONET/SDH interfaces. Notice the nice clean trend...cost/meg dropped as speed increases. Then it takes an unexpected twist when you hit 10G, and it flattens. What a shock it was when we had to finish budget planning the year before our vendors had released their pricing on 10G interfaces and we had to project their cost. We had to change some plans based on the price of a 10G interface being twice what we projected.

The next interesting thing that happened was that 10GigE intefaces came out and the pricing was half of what the SONET interface was! We got back to our 4x/double cost trend, but the catch was that it had to be a 10GigE interface. Perhaps there is some cost between the optics for SONET and Ethernet (as a result of volume), but enough to justify a difference of $90,000 in list price? This was only of limited usefulness to us, however, because there was no 10GigE WAN capability then, so it was only useful intra-POP.

Also notice the pricing of similar interfaces on a Switch/router. A switch/router is a platform that was originally introduced as an Ethernet Switch (e.g. a Cisco Catalyst 6500), but by replacing the main processor board with a router board, it becomes a router! Voila! When Switch/routers were first introduced, they lacked a great many features of their larger full-scale router-brethren had, but that's all changing now. Switch/routers not only have almost all of the software functionality of a larger-scale router, but they have POS interfaces as well. The price/meg on a 10GigE on a Foundry/Force10/Cisco OSR7600 is under $1/meg!

To further illustrate the disparity between routers and switch/routers, see the next chart. I've drawn a floating bar in the center of the chart that represents the range of prices for a 2.5Gig SONET circuit. If you can make the switch from a router to a switch router during your upgrade from a 2.5Gig platform to a 10Gig platform, you will actually see your total cost (not just your cost/meg) drop! That's right, your 10GigE interface will run you around $10,000/port vs. your old 2.5Gig SONET interfaces that run $25,000 and up.

I would prefer to have some illustrations of the architecture of a router vs. switch to show you, but the vendor presentations that I have that illustrate the material are all confidential. If you can get a hold of such drawings, you'll see that many of the different components that perform various functions inside the platform are pretty much the same. In short, there's not a lot of difference between a router and a switch/router from a hardware design aspect, any more than there is a difference between a 10GigE and a 10G SONET interface on a router. So why the huge cost disparity?

I will tell you that if these costs don't fall in line with each other soon, the players offering these big-iron boxes for tall prices are going to find themselves with a dead-end platform.

If they do drop their prices to compete, it may be too late for them to fix the trend. SONET may have lost favor, and it did nothing to deserve last place in that race...it is the victim of market dynamics.

Not only will switch/routers become increasingly popular, but 10G waves can be delivered as Ethernet as commonly as SONET on newer DWDM platforms.

And with the growth curve on the MPLS network looking like this next diagram, the typical SONET/SDH 4x jump is not enough. 10x jump, please! We need 100GigE, not 40G.

Here's a shout-out to Randall Pearl in our engineering department for providing all the figures used to make these charts.

Windows Vista: the view sucks at night

Tue, 20 Feb 2007 23:57:08 +0000

It's not like this is a beta release, it's supposed to be the real thing. It should go pretty smooth, right?

So when I broke open my copy of Windows Vista Home Premium last night, I was surpised to see a notice on the CD that said "This disc contains 32-bit software only." I don't remember seeing anything on the site that I ordered the product from about a 32-bit release vs. a 64-bit release, and the outside of the box is mysteriously devoid of any obvious labeling about the fact that it's a 32-bit version or that a 64-bit version even exists...except of course in a small section of text in the system requirements sectoin on the BOTTOM of the box.

Includes 32-bit DVD and information on obtaining 32-bit CD's or a 64-bit DVD , additional fees may apply.

Inside you'll find a URL for a Microsoft that allows you to order the 64-bit DVD for about $10, plus an extra $6 if you want an expidited ship (as soon as 5 days!).

What a dissappointment!

But wait, it gets better. Further documentation on the difference between 32-bit and 64-bit indicates that if you upgrade from a 32-bit version to a 64-bit version, you can't use the upgrade utility, you have to wipe your hard drive and start from scratch.

So I decide "what the heck" I'll do the upgrade to the 32bit version
and maybe think about messing around with the 64-bit install later. I
pop the CD in and it says that my system doesn't recognize the
executable as a valid win32 file. I can't even upgrade from Windows XP
SP2 (32-bit, I assume) to Vista 32-bit.

On the bright side, while I wait for the 64-bit DVD to arrive I can get my personal effects backed up to DVD's.

Guys, c'mon. 5 years since your last OS release and this is the best you can do? Even (free) open source Linux/BSD upgrades go smoother than this.

I'm still looking forward to the upgrade, though. More on this next week once I get this moving along.

Technorati Tags: windows vista

Computer, Earl Grey, Hot

Thu, 08 Feb 2007 00:46:54 +0000

In Jon Stewart's interview with Bill Gates (clip found at comedy central), Gates is asked if his original vision for computer has been realized, and he responds with some pointed examples. One such example refers to the ability to speak with a computer.

In the segment of the interview before the break, he speaks to security as being a major focus for Windows Vista.

Perhaps the irony is not lost on those of you that have read the reports of a security flaw in the voice recognition capability of Windows Vista, a flaw that rather easily allows a random voice playing out of your speakers to do malicious things to your system, such as delete your photo archive or your tax return. George Ou suggests an easy fix, but there is no word on whether it will be implemented or not.

At present time, Vista Speech Recognition wakes up to the command "start listening". How hard would it be for Microsoft to make that a
user-definable phrase or word; For example: A user would pick "Zelda" as the word to wake speech mode while someone else picks "439" as their wake word. How hard would it be for Microsoft to implement a wake timeout so that Speech Recognition would sleep after 5 minutes idle? How hard would it be for Microsoft to implement their excellent echo cancellation algorithm in Windows Messenger for Speech Recognition? I don't believe this is too much to ask.

That's an easy fix, but the better fix is for the computer to not only recognize what I say, but identify my voice and only accept commands from me. Idenfication by password is a low-tech way of identifying I'm authorized to give commands to my computer, but the high-tech flavor of actual voice identification would be much harder to crack.

Microsoft Tech Support says not to worry about this little problem, but I for one will make sure all the voice recognition features are disabled after I install Vista next week, and I recommend you do the same.

Technorati Tags: vista, analog hole, microsoft

Happy Birthday voiploser!

Wed, 31 Jan 2007 15:52:51 +0000

I don't know what the protocol is for embarrassing your colleagues in a blog, but what the heck.

Please join me in wishing Adam Uzelac a happy birthday! You're one year older, and hopefully one year wiser. :-)

Global Crossing puts dns redirection in the lab

Sat, 27 Jan 2007 03:06:22 +0000

What would you do if you were approached by someone saying that they wanted to enter into a partnership with you that would require little or no money out of your own pocket and would pay you on a monthly basis. If it were an email, you'd dismiss it as just another SPAM, or if it was a phone call you'd dispatch it as you would any tele-marketer.

When paxfire approached us last summer offering exactly that, we didn't kick them out. I'm not saying that you jump on every peice of investment advice that ends up in your junk folder, but haven't you ever been curious enough to look up the ticker symbol to see if the spam campaign has had an impact on the stock price?

We had to hear what they proposed , because the prospect of receiving additional revenue with no COGS means that, if true, our gross margin and margin percentage see direct improvement. Or as the MacKenzie brother's might say, "free beer, eh?"

The arrangement is pretty straight forward. You drop a vendor-supplied appliance in front of your DNS server and it will capture a failed DNS requests, and answer the request with the IP of a search engine page with advertisements on it. Whatever money the company makes off advertising is split 50/50 with the ISP.

Right around the time we started talking to paxfire, net neutrality was one of the hottest topics of debate in the blogosphere. Was this technology a net neutrality issue?

While it is true that this technology could be used to do sneaky things with people's DNS requests, lots of things could be leveraged to do sneaky things with people's packets, and we have no more motivation to make our customers Internet perform slow by tipping the QoS scales in someone elses favor than we would to divert reasonable DNS requests in a manner that paying customers would disapprove of. Having the means to do something doesn't mean you will. Just because you own an ax doesn't mean you'll chop the heads off chickens...maybe you just want to split some wood. Case in point, there is one installation of this technology that uses a subscription-based list of known phishing sites and redirects the person to a portal that explains phishing and then allows them to continue to the originally requested site if they wish.

Right around the time we were debating this internally, the Earthlink news hit the streets. After Earthlink deployed a similar solution from a company called Barefruit, they posted a blog Handling Dead Domains for which they got flamed by their customers (and non-customers) for

a) not telling customers ahead of time,
b) not providing an opt-out capability and
c) in general, breaking the basic functionality of DNS.

The move drew fire from the blogosphere as well, with negative comments by Om Malik, the Tao of Mac, and slashdot.

We are hoping that we've learned from Earthlink's experience. The purpose of this blog is to let customers know with plenty of advanced notice that we're lab testing a similar (but better) solution. If we successfully get through lab tests we will post another blog entry to let people know when it will go live and how they can opt out.

The last issue can be addressed through one of the advanced configuration options available from paxfire (although the difference in ad revenues could be significant). The paxfire solution can be set up so that it only grabs what is referred to as keyword traffic. A keyword is when you just type your search term into the address bar. If you are running a browser that supports an autosearch and you have not configured your browser to use a particular search engine, it will grab those search keywords and re-direct them to a search engine.. Since it's a real DNS name that is hardcoded into your browser application and not a random DNS request that is going to fail, all other applications on your computer continue to work normally, receiving a unknown hostname error if you use the wrong domain. We're currently thinking that we might use this setup on the opt-out servers since it's pretty innocuous, and will experiment with a less-conservative setting in a field trial setting to compare the difference.

Lab testing has gone well so far, and everything is working as advertised, and we'll be announcing a field trial soon. If you're a Global Crossing customer and you have comments or concerns, contact your account manager or drop a comment here.