Why doesn't QUIC work well for machine-to-machine traffic ? Is it due to the lack of offloads/optimizations for TCP and machine-to-machine traffic tend to me high volume/high rate ?
QUIC would work okay, but not really have many advantages for machine-to-machine traffic. Machine-to-machine you tend to have long-lived connections over a pretty good network. In this situation TCP already works well and is currently handled better in the kernel. Eventually QUIC will probably be just as good for TCP in this use case, but we're not there yet.
But that is the huge advantage of QUIC. It does NOT totally outcompete TCP traffic on links (we already have bittorrent over udp for that purpose). They redesigned the protocol 5 times or so to achieve that.
The NAT firewalls do not like P2P UDP traffic.
Majoritoy of the routers lack the smarts to passtrough QUIC correctly, they need to treat it the same as TCP essentially.
sounds great but it fucks up P2P in residential connections, where it is mostly used due to ipv4 address conservation. You can still have nat in IPv6 but hopefully I won't have to deal with it
In practice, P2P over ipv6 is totally screwed because there are no widely supported protocols for dynamic firewall pinholing (allowing inbound traffic) on home routers, whereas dynamic ipv4 NAT configuration via UPnP is very popular and used by many applications.
Most home routers do a form of stateful IPv6 firewall (and IPv4 NAT for that matter) compatible with STUN. UPnP is almost never necessary and has frequent security flaws in common implementations.
You just send a (UDP) packet to the other side's address and port and they send one to yours. The firewalls treat it as an outbound connection on both sides.
I don't believe that's true. You would still need something like UDP hole punching to bootstrap the inbound flow on both sides first. Also you would still only be limited to UDP traffic, TCP would still be blocked.
Sending one packet outbound is hole punching. It's really that simple. Since there's no NAT, you don't need to bother with all the complexity of trying to predict the port number on the public side of the NAT. You just have two sides send at least one packet to each other, and that opens the firewalls on both sides.
Why run your K8S cluster on IPv6 when IPv4 with 10.0.0.0/8 works perfectly with less hassle? You can always support IPv6 at the perimeter for ingress/egress. If your cluster is so big it can’t fit in 10.0.0.0/8, maybe the right answer is multiple smaller clusters-your service mesh (e.g. istio) can route inter-cluster traffic just based on names, not IPs.
And if 10.0.0.0/8 is not enough, there is always the old Class E, 240.0.0.0/4 - likely never going to be acceptable for use on the public Internet, but growing use as an additional private IPv4 address range - that gives you over 200 million more IPv4 addresses
> Why run your K8S cluster on IPv6 when IPv4 with 10.0.0.0/8 works perfectly with less hassle? You can always support IPv6 at the perimeter for ingress/egress.
How is it "less hassle"? You've got to use a second, fiddlier protocol and you've got to worry about collisions and translations. Why not just use normal IPv6 and normal addresses for your whole network, how is that more hassle?
> You can always support IPv6 at the perimeter for ingress/egress. If your cluster is so big it can’t fit in 10.0.0.0/8, maybe the right answer is multiple smaller clusters-your service mesh (e.g. istio) can route inter-cluster traffic just based on names, not IPs.
You can work around the problems, sure. But why not just avoid them in the first place?
> How is it "less hassle"? You've got to use a second, fiddlier protocol and you've got to worry about collisions and translations.
Because, while less common than it used to be, software that has weird bugs with IPv6 is still a thing-especially if we are talking about internally developed software as opposed to just open source and major proprietary packages. And as long as IPv6 remains the minority in data centre environments, that’s likely to remain true - it is easy for bugs to linger (or even new ones to be introduced) when they are only triggered by a less popular configuration
True, but already the newest software has good IPv6 support, and that suggests a tipping point should be coming where as soon as the majority is on IPv6 it becomes in everyone's interest to get off of IPv4.
Sure. When I can bgp advertise my laptop with my phone provider and have it update is a second or so globally when I move from tethering to wifi, or one network to another.
No doubt you think I should simply renumber all my VMs every time that happens, breaking internal connections. Or perhaps run a completely separate addrsssing in each vm in parallel and make sure each vm knows which connection to use. Perhaps the vms peer with my laptop and then the laptop decides what to push out which way via localprefs, as paths etc. that sounds so much simpler than a simple masquerade.
What happens when I want vm1 out of connection A, vm 3 out of connection B, vm 4-7 out of connection C. Then I want to change them quickly and easily. I’m balancing outbound and inbound rules, reaching for communities, and causing bgp dampening all over the place.
What when they aren’t VMs but instead physical devices. My $40 mifi is now processing the entire DFZ routing table?
What happens when I want a single physical device like a tv to contact one service via connection 1 and another via connection 2 but the device doesn’t support multiple routing tables or selection of that. What if it does support it but I just want to be able to shift my ssh sessions to a low latency higher loss link but keep my streaming ups on the high latency no loss link.
All this is trivial with nat. Now sure I can use NAT66, and do a 1:1 natting (no PAT here), but then I’m using nat and that breaks the ipv6 cult that believes translating network addresses is useless.
I think basically there is currently a lot of overhead and, when you control the network more and everything is more reliable, you can make tcp work better.
Encryption gets you data integrity "for free". If a bit is flipped by faulty hardware, the packet won't decrypt. TCP checksums are not good enough for catching corruption in many cases.
Interesting. When I read this I was thinking “that can’t be right, the whole internet relies on tcp being “reliable”. But it is right; https://dl.acm.org/doi/10.1145/347059.347561. It might be rare, but an unencrypted RPC packet might accidentally set that “go nuclear” bit. ECC memory is not enough people! Encrypt your traffic for data integrity!
Because any random machine in the same datacenter and network segment might be compromised and do stuff like running ARP spoofing attacks. Cisco alone has had so many vendor-provided backdoors cropping up that I wouldn't trust anything in a data center with Cisco gear.
Back in the 90s I discovered the CTO of a major telecoms company was packet sniffing EFnet traffic in one of their datacenters in order to log all the PRIVMSGs to extort a couple of people. Security is only as good as its weakest leak, and all that.
> No one enters the cage and just plugs something into my switches/routers.
I'm not talking about someone plugging something in. I'm talking about someone pwning your VPN endpoint or firewall, and laterally moving from there. There's always a way to move around unless you are really, really careful (and even that is not enough if the adversary has an exploit for something really deep in the network stack).
At the very least, choose different vendors for your VPN/frontend firewall gear and the rest of your system. That way, an adversary can't just go and pwn every little piece of your network infrastructure with a single exploit.
To me this seems outlandish (e.g. if you're part of PRISM you know what's happening and you're forced to comply.) But to think through this threat model, you're worried that the NSA will tap intra-DC traffic but not that it will try to install software or hardware on your hosts to spy traffic at the NIC level? I guess it would be harder to intercept and untangle traffic at the NIC level than intra-DC, but I'm not sure?
> you're worried that the NSA will tap intra-DC traffic but not that it will try to install software or hardware on your hosts to spy traffic at the NIC level
It might not be able to, if you use secure boot and your server is locked in a cage.
The difference between tapping intra-DC and in computer spying is that in computer spying is much more likely to get caught and much less easily able to get data out. There's a pretty big difference between software/hardware weaknesses that require specific targeting to exploit and passive scooping everything up and scanning
Assuming the PSP isn't backdoored, using AMD SME and SEV theoretically allow you to run VMs that are encrypted such that, even at the hypervisor level, you can't read code or data from the VM.
a database noob question, when you say distribute the database to 50 servers all these are shards, correct? MySQL (or any standard RDBMS) can't span more than one server, correct ?
> when you say distribute the database to 50 servers all these are shards, correct?
Yes, these are separate server instances that are essentially separate from each other. All of the records for a given user live on a single particular server. Although MySQL doesn't do this kind of partitioning inherently, this kind of partitioning can be implemented in the application.
It's not something that you can easily abstract away from the application's concerns without a significant performance penalty. For the most basic CRUD operations, an ORM could probably do a decent job. Surely someone has already written an ORM that supports sharding?
Beyond CRUD, I'm not so sure, and any application that's big enough to use sharding probably has some pretty complicated queries. At that point you really don't want to be depending on a library to handle the low level details. You need to think about the performance implications of the access patterns and the trade-offs inherent in different design choices. If a library makes these choices for you then you are unlikely to get optimal results.
Sharding is when you store your tables, or parts of tables, on other machines, so that queries are executed by the resources of those remote machines.
Read-only replication stores a copy of the whole database on other machines, so that any query which doesn't write can be handled by asking the remote machine. Writes are bottlenecked through the primary machine, which then sends changes to the remotes.
Here is something from the National Association of Realtors. Granted, it varies across states (TX leading with highest 28%)
> Institutional buyers made up 13% of the residential sales market in 2021, with the median purchase price of institutional buyers typically 26% lower than the states’ median purchase prices (Slides 6 – 15).
I am an Indian and have been in US for many years. There is one thing I have noticed among brahmins, during their Naturalization process many of them change their last names to Iyer or Iyengar (two sects of Brahmins).
I am referring to guys from the southern part of India where I am from. Its not a common practice there.
My interpretation of this is these folks have a perceived sense of superiority feeling about their caste and having it in the last name is a form of boasting.
In South India there has been a social movement in the last few decades to allocate quotas for "lower" caste members in universities and govt jobs to stop the domination of brahmins (merits, or lack there of, of the quota system is whole different topic). So having Iyer or Iyergar as last name would be frowned upon/judged endlessly there. May be they feel a sense of freedom here in US that prompts this behavior.
The social movement started several years ago. Its called the quota system and it has been enforced at various levels of government jobs and education. People just get promoted with no regard to their actual performance in all kinds of government jobs. This type of reservation on the basis of caste is regressive. What about someone who is supposedly from a "higher" caste but is still not economically well-off. Such people have to work much harder than their counterparts who receive concessions on their performance. Once you are in the university this doesn't stop. For most government universities the fees are different for people from reserved, non-reserved categories - meaning that someone from a poor background but with "higher" caste label has to work harder for opportunities for education and also has to bear a financial burden once you cross these hurdles. Think from the perspective of a middle class "higher" caste member of society - why should someone like that bear the high tax burden of the country when their kids won't receive much of the benefits. Any talk of scaling back this historical policy screw-up (Mandal comission report / VP Singh government) is vehemently put down. Just look up how the previous government reacted when doctors protested against the extension of caste-based reservation to postgraduate medical education. This is not even partisan. Even in current government one politician said something similar in very derogatory terms leading to him losing in the elections. Reservation should be granted on the basis of economic condition only because the point is economic upliftment. There should be policy that grants economic parity but I don't think the country has resources for satiating revenge.
Fair points. I don't have historical data, but my observation is that the issue of brahmins controlling/dominating lot of sectors was a real problem at some point and the reservation system was a populist response that did provide some benefit for oppressed castes, but created a whole bunch of other problems and unintended consequences. And its still remains such a hot button populist issue no political party would dare implementing the required reforms. The unintended consequence is the emigration of a lot of people from the "higher" castes. I guess its hard to say if it had any material impact on India's progress but the "higher" caste population that doesn't have the means/resources to emigrate is put in a real difficult situation.
iyer or iyengar is their traditional surname probably. same way as a family name in the US. why discriminate against iyers because they want to have a surname of their choice? most folks would be proud of their surnames. Is there a community that feels horrible about their surname?
No, these are not the traditional surnames. What I am referring to is a practice of legally changing the last name (typically father's or grand father's name) to Iyer or Iyengar. To me its a clear on your face statement that the person belongs to that caste and wants to flaunt it.
Genuine questions as someone with no experience in dealing with large sclae log aggregation: Can you share some details on what kind of issues you ran into in production with Elastic Search that needed a dedicated team to manage ?
As vikram360 pointed out, they're on the schedule page (https://pdos.csail.mit.edu/6.824/schedule.html). Since this is the class going on right now (Spring 2020), only a couple that have already happened have been posted so far, but I'd bet they're uploaded pretty soon after their date.
can someone help me understand this better.. Did Cisco leave a user public key in the switch and the private key has leaked ? To exploit this vulnerability attacker has to get hold of that private key ?
The keypair is essentially some default known value.
You shouldn't be able to use this to connect at all, but apparently works over IPv6.
So you'd have to have the private key, as well as knowing the IPv6 address of the device you're connecting to, and that device would have to have a route to the internet or a location you could connect to it from.
It's a joke. You can't choose your ancestors, what he's saying is that the experience of getting older is dictated in no small part by the genes you inherited. Looking at your family's medical history will inform you of what might be in store for you.
