Thursday, November 14, 2013

Dutch intelligence agency prepares for large-scale wiretapping of IP networks

Dutch secret service prepares for wiretapping of IP networks on a large scale!

News:
http://www.volkskrant.nl/vk/nl/2686/Binnenland/article/detail/3541591/2013/11/09/Nederland-bestelt-een-nog-verboden-spionagesysteem.dhtml

In Summary:

The Dutch AIVD (the Dutch counterpart of the NSA) has ordered equipment to wiretap IP links for €17 million. "Undirected" surveillance is currently only legal in the Netherlands for signals that are not carried over cables (e.g. broadcast signals). With this move, the agency is anticipating a law change that will allow it to wiretap cables in order to do undirected (mass) surveillance.


<Human translation>
The Dutch intelligence agency has procured equipment similar to that of the US intelligence agency in order to wiretap networks and telephone lines. Although this activity is still prohibited by law at present, the head of the intelligence service considers that law outdated.
</Human translation>

So... finally, it comes...


Saturday, August 17, 2013

RAID-1 (mirror) on FreeNAS boot disk

Although FreeNAS mounts the boot disk read-only, there is still a chance that the boot disk fails. The traditional way to recover from a broken boot disk is to reinstall FreeNAS on a new boot disk and import the backup config. However, this method means longer downtime, and in the worst case the backup config may not even be up to date.

Using RAID-1 (mirror) on the boot disk is a good way to reduce that impact, and it is usually done through a hardware RAID card. If there is no hardware RAID card, software RAID is also a good choice. However, neither during nor after installation is there a menu option to create a software RAID for the boot disk.

Luckily, FreeNAS is based on FreeBSD, which provides a very easy way to set up a software RAID manually. Here are the steps.

Assume the boot disk is SATA "/dev/ada0" and the mirror disk is SATA "/dev/ada1". From the console menu, select 9 to launch a shell, then enter the following commands. The sysctl allows gmirror to write its metadata onto a disk that is currently mounted; "gmirror label" turns the existing boot disk into the first component of mirror gm0, and "gmirror insert" adds the second disk to it.
# sysctl kern.geom.debugflags=16
# gmirror label -v -b round-robin gm0 /dev/ada0
# gmirror insert gm0 /dev/ada1

The system will automatically synchronize the newly added disk, /dev/ada1, and while it does so the mirror status shows DEGRADED. For example,
# gmirror status
      Name    Status  Components
mirror/gm0  DEGRADED  ada0
                      ada1 (64%)

Once the automatic rebuild finishes, the status becomes COMPLETE. For example,
# gmirror status
      Name    Status  Components
mirror/gm0  COMPLETE  ada0 (ACTIVE)
                      ada1 (ACTIVE)

If the boot disk (assume "/dev/ada0") breaks and needs to be replaced, the procedure is as follows. "gmirror forget" takes only the mirror name; it drops every component that is no longer connected.
# gmirror forget gm0
[unplug /dev/ada0, and plug in a new disk]
# gmirror insert gm0 /dev/ada0

The system will again automatically rebuild /dev/ada0. During the rebuild, the system keeps running without problems.

*Note*
FreeNAS loads the geom_mirror module by default, and /etc/fstab refers to filesystems by GEOM label rather than by physical disk name. Hence there is no need to modify /boot/loader.conf or /etc/fstab.
gmirror stores its metadata in the last sector of each component, so the replacement disk must be at least as large as the original, and the boot disk's partition layout must leave that last sector unused (check with "gpart show ada0" before labeling).
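Once the mirror is in place, the thing to watch is the status shown above: a mirror that stays DEGRADED after a disk failure is a boot disk with no redundancy again. The script below is an added example, not FreeNAS or FreeBSD code; it parses the text output of "gmirror status" and returns a non-zero exit code when the mirror is not COMPLETE, which is enough to hook into a cron job or a monitoring check. The two sample outputs embedded in it are constructed, modelled on the output shown in this post; the function names (mirror_status, mirror_components, mirror_check) are my own.

```shell
#!/bin/sh
# Added example (not FreeNAS or FreeBSD code): parse "gmirror status" output
# and report whether a boot mirror is healthy. The two samples below are
# constructed, modelled on the output shown in the post. On a real system
# feed the command's output instead:
#     gmirror status | mirror_check gm0

# Constructed sample: second disk still synchronizing (mirror DEGRADED).
SAMPLE_DEGRADED='      Name    Status  Components
mirror/gm0  DEGRADED  ada0 (ACTIVE)
                      ada1 (SYNCHRONIZING, 64%)'

# Constructed sample: rebuild finished (mirror COMPLETE).
SAMPLE_COMPLETE='      Name    Status  Components
mirror/gm0  COMPLETE  ada0 (ACTIVE)
                      ada1 (ACTIVE)'

# mirror_status NAME: print the Status column of mirror NAME read from stdin
# (empty output if the mirror is not listed).
mirror_status() {
    awk -v want="mirror/$1" '$1 == want { print $2; exit }'
}

# mirror_components NAME: print one line per component of mirror NAME, e.g.
# "ada1 (SYNCHRONIZING, 64%)". Continuation lines in gmirror output start
# with whitespace and belong to the mirror named on the preceding line.
mirror_components() {
    awk -v want="mirror/$1" '
        $1 == want { found = 1; sub(/^[^ ]+[ ]+[^ ]+[ ]+/, ""); print; next }
        found && /^[ \t]/ { sub(/^[ \t]+/, ""); print; next }
        found { exit }'
}

# mirror_check NAME: read gmirror output from stdin; return 0 when the mirror
# is COMPLETE, 1 when it is DEGRADED (or any other non-COMPLETE state), and
# 2 when it is not present at all. For an unhealthy mirror the component list
# is printed so the operator sees which disk is missing or still syncing.
mirror_check() {
    _out=$(cat)
    _status=$(printf '%s\n' "$_out" | mirror_status "$1")
    case "$_status" in
        COMPLETE)
            echo "$1: COMPLETE"
            return 0 ;;
        "")
            echo "$1: mirror not found" >&2
            return 2 ;;
        *)
            echo "$1: $_status"
            printf '%s\n' "$_out" | mirror_components "$1" | sed 's/^/    /'
            return 1 ;;
    esac
}

# Offline demo with the constructed samples.
printf '%s\n' "$SAMPLE_COMPLETE" | mirror_check gm0
printf '%s\n' "$SAMPLE_DEGRADED" | mirror_check gm0 || echo "alert: gm0 needs attention"
```

The check deliberately treats every state other than COMPLETE as a failure, so a mirror that is still SYNCHRONIZING after a disk swap also raises the alert until the rebuild finishes; that is the window in which a second failure would lose the boot disk.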

Tuesday, July 23, 2013

Juniper/Cisco Switch L2 Spanning-tree inter-op (config on Juniper side)

RSTP is a standard and is supported on switch platforms from every other vendor, where it is usually the default spanning-tree protocol.

However, from a certain OS version onward, Cisco can no longer be configured for RSTP. Instead, its proprietary Rapid PVST became the default, with no way to go back to RSTP. It shows how evil Cisco is.

Cisco also sends VLAN-1 traffic on a trunk (802.1q) interface untagged by default, even when no explicit native VLAN ID has been configured on the interface. This is another stupid Cisco design.

The following is a configuration sample for a Juniper EX switch to make it inter-operate with a Cisco switch: RSTP on the Juniper side and Rapid PVST on the Cisco side. The "native-vlan-id 1" setting is what makes this work: on the native VLAN, Rapid PVST sends standard IEEE BPDUs untagged, and those untagged BPDUs are what the RSTP instance on the Juniper side processes.
interfaces {
    ge-0/0/15 {
        description "## Cisco-SW g0/23 ##";
        ether-options {
            speed {
                1g;
            }
            802.3ad ae3;
        }
    }
    ge-1/0/15 {
        description "## Cisco-SW g0/24 ##";
        ether-options {
            speed {
                1g;
            }
            802.3ad ae3;
        }
    }
    ae3 {
        aggregated-ether-options {
            no-flow-control;
            minimum-links 1;
            link-speed 1g;
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ VLAN-10 VLAN-20 ];
                }
                native-vlan-id 1;
            }
        }
    }
}
protocols {
    rstp;
}
vlans {
    VLAN-1 {
        description "## Native VLAN for Spanning-Tree ##";
        vlan-id 1;
    }
    VLAN-10 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    VLAN-20 {
        vlan-id 20;
        l3-interface vlan.20;
    }
}
All I can say is we should dump Cisco and go for other vendors.