Postcards from the Bleeding Edge
Tuesday, April 01, 2008

  The tragedy of the wifi commons

Ahh, multicast - the holy grail of distribution networks - is like wet paint. Once you decide that "hey, multicast would be the best way to do this", you are compelled to touch it. You are led down a twisty trail of rfcs, all different, and complex protocols like IGMP...

It's no wonder that skype and bittorrent went their own way, and adopted simpler protocols (udp,tcp) to achieve their purposes. Figuring out how to use multicast properly is a black art. The amount of open source code that actually uses it is limited to a few odd corners of the internet, and is very hard to understand.

The one major client side application of multicast - multicast DNS - is so badly broken that it makes me cringe to see the packets go by. The following is a dns scan taken from a public wireless access point (the names and mac addresses have been changed to protect the innocent), using mdns-scan:
root@dancer:~# mdns-scan
+ dancer [MA:C :AD:DD:RE:SS]._workstation._tcp.local
+ Jen Christou’s Computer [MA:C :AD:DR:ES:SS]._workstation._tcp.local
+ Malcolm Jone’s Computer [MA:C :AD: D:RE:SS]._workstation._tcp.local
+ pecutmac [MA:C :AD:DR:ES:S ]._workstation._tcp.local
+ Shogunate Macbook._smb._tcp.local
+ Very Annoyed Wombat._ssh._tcp.local
+ Very Annoyed Wombat._sftp-ssh._tcp.local
+ Trophie [MA:C :AD:DD:RE:SS]._workstation._tcp.local
+ Trophie._pds._udp.local
+ Trophie._pds1._udp.local
+ Trophie._msgsys._tcp.local
+ Trophie._cba8._tcp.local
+ Trophie._ldgateway._tcp.local
+ Ryan’s Computer [MA:C :AD:DD:RE:SS]._workstation._tcp.local
+ Malcolm Jones’s Computer._sftp-ssh._tcp.local
+ Malcolm Jones’s Computer._ssh._tcp.local
+ Malcolm Jones’s Computer._ftp._tcp.local
+ Malcolm Jones’s Computer._net-assistant._udp.local
+ Malcolm Jones’s Computer._rfb._tcp.local
+ Human._ssh._tcp.local
+ Human._sftp-ssh._tcp.local
+ pecutmac._net-assistant._udp.local
+ pecutmac._rfb._tcp.local
+ pecutmac._sftp-ssh._tcp.local
+ penutmac._ssh._tcp.local
+ iTunes_Ctrl_stringofdigitsthatdontlooklikeamacaddr._dacp._tcp.local
+ Nicolas Bob’s Computer [MA:C :AD:DR:ES:SS]._workstation._tcp.local
+ mbears-mbp._smb._tcp.local

At the time, the access point in question was saturated - maybe capable of 3KB/sec out to the internet. Now, I don't think multicast was at fault for that in this case, but given how 802.11 wireless works (coherent explanation to be typed in later), multicast is bad. BAD. BAD. It does not scale.

But it's not just multicast. The uselessness of some of the dns announcements above in mapping back to conventional DNS boggles the mind.

Nicolas Bob's computer.local: Great. Not only do we have spaces in this name, but punctuation! Try parsing that dns name with tools like grep - or sticking it into named - etc. You can't even type it into a web browser or ssh. What's the point?

[MA:C :AD:DR:ES:S ] as a part of the announcement. Cooool. Now I know who you are - forever....

mbears-mbp._smb._tcp.local: Thanks for letting me know you have windows filesharing turned on. I look forward to introducing your girlfriend to your wife.

pecutmac._ssh._tcp.local: I'm willing to bet that none of the people on this network broadcasting that they have ssh available have ever used it. Why should they tell people about its availability?

5 multicast announcements from this one machine alone...

iTunes: Why the heck does iTunes have to have its very own announcement with a huge unique identifier?

Programmers coding for multicast ought not to be allowed to code for it until they can recite the relevant RFCs chapter and verse; the same goes for their QA people. Would it have been so hard for Apple to enforce a DNS-compatible naming scheme with a single regex? IDN, even, would have been fine. Or did they put the same people that loosed filenames with spaces and punctuation on the world on the multicast DNS project?
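The single-regex check asked for above, applied to mdns-scan output to list what each host gives away, as an added example (not code from the original post). It assumes "DNS compatible" means an RFC 1123 hostname label; the sample lines, the audit() helper and the REMOTE_ACCESS grouping are constructed for illustration.

```python
import re

# Assumption: "DNS compatible" means an RFC 1123 hostname label
# (letters, digits, hyphen; no leading/trailing hyphen; 1-63 characters).
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# One mdns-scan announcement: "+ <instance>._<service>._<tcp|udp>.local"
LINE = re.compile(
    r"^\+ (?P<instance>.+)\._(?P<service>[A-Za-z0-9-]+)\._(?P<proto>tcp|udp)\.local$")
# Hardware address appended in brackets to _workstation instance names.
MAC = re.compile(r"\s*\[(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\]$")
# Remote-access and file-sharing service types that appear in the scan above.
REMOTE_ACCESS = {"ssh", "sftp-ssh", "ftp", "smb", "rfb"}

# Constructed sample (not captured traffic); MACs use the RFC 7042 documentation range.
SAMPLE = """\
root@example:~# mdns-scan
+ Pat Doe's Computer [00:00:5e:00:53:01]._workstation._tcp.local
+ Pat Doe's Computer._ssh._tcp.local
+ Pat Doe's Computer._rfb._tcp.local
+ lab-host._dacp._tcp.local
"""


def audit(scan_output):
    """Group announcements by instance name and flag what each host gives away."""
    hosts = {}
    for raw in scan_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an announcement line (e.g. the shell prompt)
        # Strip the bracketed MAC so all of a host's announcements group together.
        name, mac_hits = MAC.subn("", m["instance"])
        host = hosts.setdefault(name, {
            "dns_safe": bool(LDH_LABEL.match(name)),  # usable as a plain hostname?
            "leaks_mac": False,
            "services": set(),
        })
        host["leaks_mac"] |= bool(mac_hits)
        host["services"].add(m["service"])
    for host in hosts.values():
        host["remote_access"] = sorted(host["services"] & REMOTE_ACCESS)
        host["services"] = sorted(host["services"])
    return hosts


if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(f"{name!r}: dns_safe={info['dns_safe']} "
              f"leaks_mac={info['leaks_mac']} "
              f"remote_access={info['remote_access']}")
```

Run against a capture from your own machine, any host with dns_safe False, leaks_mac True or a non-empty remote_access list is one whose announcements are worth turning off before joining an unknown access point.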

I'm told that the linux.conf.au network basically suffered congestion collapse. Was it due to the 70+ olpcs merrily broadcasting their services under both IPv4 and IPv6? I don't know...

I saw that the latest iphones support ssh, via a mdns-scan, the other day. That was kind of cool... but seeing the public wifi airspaces of the world clogged with devices saying "Hi! I'm ME! I do this, this, and this! My owner is clueless! I am insecure! CRACK ME! ME! ME!" really gets to me.

People can wander around naked at home all they want, but I'd really like to see computer manufacturers implement a standard policy of clothing their hardware by default on unknown access points.

Although I just used multicast dns as a talking point, it is far from being the worst offender.
As it is a relatively new protocol, the designers should have done better. Perhaps it can be fixed in the field before it becomes more pervasive.

The rest of the local network services are much worse.

I don't want to talk about all the other announcements like SSDP, and SMB - or the bittorrent traffic, worms, insecure IM exchanges, bogus DNS servers, dhcp announcements, and TCP retransmits, etc., I saw on this poor overloaded public access point. It depressed me. All I wanted to do was get my email (via IMAPS, thank you very much), but I couldn't.

I turned off my laptop, had a long black coffee, and moved on. I don't know how to fix public internet access points. I just don't. We could use a unique frequency band per user and people would still screw it up. Maybe the amateur radio guys and the FCC have it right, that certification should be required in order to broadcast anything on any frequency band.

I now know what it must have been like for someone that understood germ theory during the black plague era, seeing all the rats scuttle around.

I'd like to add a clause to The world of ends.

The Internet:

a) Nobody owns it.
b) Everyone can use it.
c) Anyone can improve it.
...
d) Everyone is messing it up!

Apply wireshark to a network that shouldn't be slow, but is, and see your awareness change.

Bonus Link: Ongoing discussion on Ipv6 in the home.


 
Comments:
You know, I was almost--it was between me and one other candidate--the guy at Apple in charge of maintaining their multicast DNS product.

(They decided to hire the other guy because he had more DNS experience, and that's how I ended up with my current job as maintainer of BIND.)
 
Well Evan;

I bow to you. I *love* BIND. Great Stuff. In fact, I have great fondness for all things isc.

I run nntp just to run nntp. no one here uses it anymore, but I run it anyway. Another dusty unused and forgotten corner of cyberspace.

Let's see, this series of postings has been to say that multicast is not to blame, but IPv4 is. That hammering the available network with as many packets as the hardware will support, that don't really carry any useful information is good, but that clearheaded, purposeful communication is, well, something less than optimal, because, well, because it isn't 'user friendly' or some such.

Don't really get it myself.
 
PS;


I know this speaks of my deep cluelessness, but *if* something is going to be browsable remotely, or is going to broadcast/multicast, then it should *never* be of tld .local.

If it's .local. then it should remain local to that machine, and I don't want to know, see, hear, or suffer from it.
 
PPS;

Over the last month, I've rolled out a fair number of new Apple Leopard machines on my network.

At Mtaht's behest, I took a nice long drink with wireshark of the network traffic.

/me sighs
 
I hate to say it, but there is a compelling use of multicast DNS. I carry my own personal cloud of devices that I like to be able to talk to - specifically, laz and lor, my two nokia handhelds.

A while back I setup sshfs to let me drag and drop files from my laptop to them, so no matter where I go, I can talk to devices in my cloud, over whatever wireless network I'm on.

It doesn't work perfectly (if laz and lor come up on the same IP address that some other machine I've talked to, ssh won't authenticate), but it works well enough to be useful.

Everybody has a "personal cloud" nowadays of devices that should - probably - be able to communicate with each other - this is a good thing. How they do so, well... I don't think mDNS is the answer, but others don't exist yet. (I'm thinking about it, though)

My laptop used to be able to act as an access point, which is saner and more secure than using someone else's, but thanks to the ongoing rush of progress, ad-hoc mode and ap mode don't work on my latest and greatest card.
802.11 is basically the lowest common denominator for personal connectivity.
Bluetooth is too slow and not available on everything.

I have high hopes, and high fear, on what the wireless world will look like on a mesh network, when everything can act as a router.

While IPv6 (specifically mobile IPv6) solves the ssh authentication problem, it introduces others. Recently I fired up my laptop which automatically tunnels out to get an ipv6 and a /56 allocation - and shares it - only to find that several machines on the network I was using, autoconfigured on that net, and were routing ipv6 packets through me....

Ubiquitous , and a group of linux dudes is very close to making all wireless cards that have an openmac speak 802.11s. I look forward to no longer needing an AP... and dread what will happen when the general public starts using it.
 
I miss netnews. I wish there was a way to ensure that rants like these were more widely read, (or translated into less of a rant and more widely read) and acted upon by the right people. I do hope people forward my urls around, and google listens, but that faith is nothing near as unshakeable as my faith in netnews was.

Perhaps I will go back to trying that. I've been enjoying several mailing lists lately, far more than the web.

As for where you are evan - I'm glad you are there, in part because - on my bad days (and I've had a few recently) - I think at Apple you would have been one day visited by "Men in Black" who would explain that screwing up DNS multicast made for an easier law enforcement environment, that the chaos it causes provided jobs, and that users could not be expected to adhere to petty naming conventions simply because they made interacting with computers easier.

At the moment, what I foresee is having to graft yet another compatibility layer, along the lines of %20, on top of DNS, to keep the apple users safe in their cluelessness.

(I've seen people struggle with how to get a file with spaces on it into a web page so many times, it hurts)

(note, I'm not able to recite any of the relevant RFCs chapter and verse)

I seem to recall that _ didn't use to be a valid DNS character...
 
My reason for publishing the wireshark link was that, according to the world of ends, "the internet is an agreement".

It's an agreement to share that nobody seems to have read. I found wireshark recently to be a compelling argument to a bunch of people as to why running bittorrent was bad - showing the TCP retransmits - (which wireshark conveniently shows in red for the uninitiated).

And showing one of them what his worm did and how to fix it, seems to have raised awareness a lot.
 
David Täht writes about politics, space, copyright, the internet, audio software, operating systems and surfing.

