Posts by isomer@fosstodon.org
(DIR) Post #ATw33W2Pr6Qq8PrTRQ by isomer@fosstodon.org
2023-03-24T08:40:07Z
0 likes, 0 repeats
@mjg59 @offby1 hey @djm I don't see you on this thread yet. Do you have an opinion on this?
(DIR) Post #ATxDs8xrSYKz9jvK6K by isomer@fosstodon.org
2023-03-24T13:10:06Z
0 likes, 0 repeats
@djm @mjg59 @offby1 hmm. So:
T0: Alice connects to GitHub and TOFUs Key1 and learns KeyB (backup).
T1: GitHub accidentally publishes the secret part of Key1.
T2: GitHub accepts Key1 and a new Key2 and continues to teach about Key2 and KeyB.
T3: GitHub stops accepting Key1.
(DIR) Post #ATxDsJ2U0DyaOyA9h2 by isomer@fosstodon.org
2023-03-24T13:13:55Z
0 likes, 0 repeats
@djm @mjg59 @offby1 AIUI:
A) the private part of KeyB needs to be online to answer proof challenges. So KeyB would probably also have been compromised.
B) Nothing says to Alice to stop trusting Key1 anywhere. So while Alice may transparently move to using Key2 when talking to GitHub, Mallory can still trick Alice into accepting Key1 as valid GitHub? There would need to be manual action to remove Key1 from known_hosts?
(DIR) Post #ATxDseGj4SqaFDzKJE by isomer@fosstodon.org
2023-03-24T13:17:21Z
0 likes, 0 repeats
@djm @mjg59 @offby1 (or am I missing something? Is the client supposed to remove all the keys that it's not taught about?)
C) when does GitHub stop accepting the compromised Key1, if ever?
Don't get me wrong, this is super cool and especially useful for transparently upgrading to new keys over time, and it solves a bit of GitHub's problem (how do you build trust in the new key), but it seems it still leaves some problems.
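As an added illustration (not from the thread, and not OpenSSH's code): a toy model of Alice's known_hosts over the T0..T3 timeline above, comparing a client that only learns advertised keys with one that also prunes keys the server stops advertising, then the manual removal asked about in point B. The hostname is constructed; key labels follow the thread.

```python
# Constructed model of the T0..T3 timeline; known_hosts is {host: set(key_label)}.

def tofu(known_hosts, host, presented, advertised):
    """T0: first contact. Trust the presented key and learn the advertised set."""
    trusted = known_hosts.setdefault(host, set())
    trusted.add(presented)
    trusted.update(advertised)


def connect(known_hosts, host, presented, advertised, prune):
    """Return True if the client accepts `presented` for `host`.

    After a successful connection the client learns `advertised` (the server's
    full current key list). With prune=True it also forgets any key the server
    no longer advertises; with prune=False old keys linger until removed by hand.
    """
    trusted = known_hosts.setdefault(host, set())
    if presented not in trusted:
        return False
    trusted.update(advertised)
    if prune:
        trusted.intersection_update(advertised)
    return True


def revoke(known_hosts, host, key):
    """Manual cleanup by Alice (editing known_hosts; `ssh-keygen -R host` drops every key for the host)."""
    known_hosts.get(host, set()).discard(key)


def run_timeline(prune):
    kh, host = {}, "git.example"  # constructed hostname
    tofu(kh, host, "Key1", {"Key1", "KeyB"})                               # T0
    # T1: the private half of Key1 leaks; nothing is sent to Alice.
    ok_t2 = connect(kh, host, "Key1", {"Key1", "Key2", "KeyB"}, prune)   # T2
    ok_t3 = connect(kh, host, "Key2", {"Key2", "KeyB"}, prune)           # T3
    # Point B: would a peer presenting only the leaked Key1 still be trusted?
    key1_after_t3 = "Key1" in kh[host]
    revoke(kh, host, "Key1")
    return {
        "t2_accepted": ok_t2,
        "t3_accepted": ok_t3,
        "key1_trusted_after_t3": key1_after_t3,
        "key1_trusted_after_revoke": "Key1" in kh[host],
    }


if __name__ == "__main__":
    for prune in (False, True):
        print("prune =", prune, run_timeline(prune))
```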
(DIR) Post #ATxDskCh0NBaeS9Br6 by isomer@fosstodon.org
2023-03-24T13:20:12Z
0 likes, 0 repeats
@djm @mjg59 @offby1 (I mean mjg's solution is not much better, but it does allow the old key to expire after a while, and the CA key doesn't have to be online. It's also a client-side-only change rather than requiring server support.
The downside is trying to figure out what the trust scope of the CA key should be. If it's the domain then the client needs at least a copy of the public domain prefix list.)
(DIR) Post #AcEiMyBt4UuqXeYCdE by isomer@fosstodon.org
2023-11-27T12:46:48Z
0 likes, 0 repeats
@ewenmcneill how many depended on bgp? :)
(DIR) Post #AdL7Qfexuh9N1RzEBs by isomer@fosstodon.org
2023-12-30T13:06:51Z
0 likes, 1 repeats
One day I was on the London Underground on a train. For those not in London, the tube mostly has wifi at the stations, and no wifi in the tunnels. I was attempting to have an IM conversation with a friend. Pull in to a station, get the replies to the messages I delivered at the last station, and send the replies I had written while in the tunnel. The trains dwell for about 30s at each station, it's only a couple of kB, so there should be plenty of time, right?
(DIR) Post #AdL7Qi4CxoWwUJoPoW by isomer@fosstodon.org
2023-12-30T13:07:38Z
0 likes, 0 repeats
Well, as you can guess, no. So I went on a journey of exploration as to why, despite networks getting ever faster (with some residential ISPs now offering multiple 10s of Gb/s), surfing the web still "feels" glacial. Why? I decided to go explore why the internet "feels" slow. Here's a story of the things I learnt along the way.
(DIR) Post #AdL7Qk01mKNITvs6Zk by isomer@fosstodon.org
2023-12-30T13:07:57Z
0 likes, 0 repeats
So my train pulls into a station. By the time I unlock my device, I should have Internet. But my Android phone needs to scan to find the wifi. For power saving reasons, most of the time the phone isn't scanning. Trick: You can open the "Internet" settings to have it scan more often.
(DIR) Post #AdL7Qlmz7n8823miWW by isomer@fosstodon.org
2023-12-30T13:08:26Z
0 likes, 0 repeats
Looking at a lot of Linux software, it appears that usually clients scan 2.4GHz channel 1, channel 2, channel 3... This is extremely wasteful. Channel 1 is usually a shitshow of lots of forgotten things ending up there, and channels overlap, so channel 2 is unlikely to be used, wasting time. Also, what's the chance that the AP is still on the channel I left it on? Linux should scan channels from the most to least recently used, then what's left. Dunno what Android does.
(DIR) Post #AdL7Qnn3gUNSErpnuq by isomer@fosstodon.org
2023-12-30T13:08:46Z
0 likes, 0 repeats
Once found, WiFi does a bunch of back and forth negotiating connection parameters. For the tube wifi, authentication is done by EAP-AKA', probably using RADIUS (or DIAMETER). TfL have a mysterious quote on their webpages:
> It typically takes a few seconds to connect to the Wi-Fi service at a Tube station (this delay is due to a security feature).
I wonder if they're deliberately rate-limiting auth attempts to protect against brute-force attacks?
(DIR) Post #AdL7QpRVXaKLMblcbQ by isomer@fosstodon.org
2023-12-30T13:09:29Z
0 likes, 0 repeats
Now we've got WiFi stood up, we need to negotiate addressing. For IPv4, this is done by DHCP. The client sends a DISCOVER, gets back one or more OFFERs, picks one, then sends a REQUEST, and gets an ACK back.
(DIR) Post #AdL7Qr7jI5h8ZqWr3I by isomer@fosstodon.org
2023-12-30T13:09:55Z
0 likes, 0 repeats
On home networks, DHCP is frequently performed by dnsmasq. dnsmasq is a neat piece of software written for D-Link WRTs released 20 years ago, and it is optimised for this use case by using the least memory possible. To meet this design goal, dnsmasq is single threaded, not even event driven. If it's handling a DHCP request, it can't handle another one. (Yes, I know the tube won't use dnsmasq, but I'm experimenting at home).
(DIR) Post #AdL7QspMxKCFrTxDiC by isomer@fosstodon.org
2023-12-30T13:10:24Z
0 likes, 0 repeats
dnsmasq can only handle one DISCOVER at a time. It also sends an ICMP ECHO Request to make sure the IP isn't in use. If it gets a reply to this request, then it knows the address is in use, and tries another one. If there is no reply, then it's good to go and it can send the OFFER. How long should it wait to see if there's no reply? 100ms? 500ms? No, it waits 3s. This means you get an address after 3s. If you have a second client it'll get a reply after 6s...
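An added example (not from the thread) that models the queueing effect described in the two posts above: DISCOVERs from several phones arriving just after the doors open, a server that waits 3s for an ICMP echo reply before each OFFER, and the 30s station dwell. `workers=1` stands for the single-threaded case; a larger value models a server whose probes overlap. The arrival times are constructed.

```python
import heapq

PROBE_WAIT_S = 3.0   # dnsmasq's wait for an ICMP echo reply before sending an OFFER
DWELL_S = 30.0       # how long the train sits at a station

# Constructed sample: 12 phones sending DISCOVER within ~1s of the doors opening.
SAMPLE_ARRIVALS = {f"phone{i:02d}": i * 0.1 for i in range(12)}


def simulate_offers(arrivals, probe_wait=PROBE_WAIT_S, workers=1):
    """Return {client: time the OFFER is sent} for DISCOVERs arriving at `arrivals`.

    With workers=1 the next DISCOVER is not touched until the current address
    probe has timed out, so offers are serialised 3s apart. With more workers
    the probes run concurrently and each client waits only its own probe_wait.
    """
    free_at = [0.0] * workers            # min-heap: when each worker is idle again
    offers = {}
    for client, t in sorted(arrivals.items(), key=lambda kv: kv[1]):
        start = max(t, heapq.heappop(free_at))
        done = start + probe_wait
        heapq.heappush(free_at, done)
        offers[client] = done
    return offers


def served_before_departure(offers, dwell=DWELL_S):
    """Clients whose OFFER arrives before the train leaves."""
    return sorted(c for c, t in offers.items() if t <= dwell)


if __name__ == "__main__":
    serial = simulate_offers(SAMPLE_ARRIVALS)
    concurrent = simulate_offers(SAMPLE_ARRIVALS, workers=len(SAMPLE_ARRIVALS))
    print("single-threaded, 3s probe:", len(served_before_departure(serial)), "of 12 served")
    print("concurrent probes, 3s probe:", len(served_before_departure(concurrent)), "of 12 served")
    print("single-threaded, 0.5s probe:",
          len(served_before_departure(simulate_offers(SAMPLE_ARRIVALS, probe_wait=0.5))), "of 12 served")
```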
(DIR) Post #AdL7Qw68nQOY0Mp9lo by isomer@fosstodon.org
2023-12-30T13:10:48Z
0 likes, 0 repeats
Then there's IPv6. The client joins some multicast groups, waits up to MAX_RTR_SOLICITATION_DELAY (1s), sends ND for the LL address, sends a Router Solicitation and gets back an RA. Send RA for a SLAAC address, wait for reply (1s). A train pulling into a station probably skips most of this - the first client that sends a router solicitation will trigger a RA which everyone can use, skipping the solicitation delay. Optimistic DAD means you can skip the final 1s delay.
(DIR) Post #AdL7R06HuotCPyvKYS by isomer@fosstodon.org
2023-12-30T13:14:41Z
0 likes, 0 repeats
(oops broke the thread, it continues here: https://fosstodon.org/@isomer/111669534015244044 )
(DIR) Post #AjTZPEYk60mgh9zOK0 by isomer@fosstodon.org
2024-07-01T04:50:38Z
0 likes, 0 repeats
@geordie there are lots of internet esim providers. You can usually load 1 physical sim and 1 esim into the phone at the same time and use them both. You get two signal bars. They're particularly useful to set the esim as the default for data but leave your normal SIM for SMS and calls.