Computing At Chaos Manor:
The Mailbag

Mailbag for February 26, 2007
Jerry Pournelle jerryp@jerrypournelle.com
www.jerrypournelle.com
Copyright 2007 Jerry E. Pournelle, Ph.D.

February 26, 2007

Regarding IPV6

Subject: Famous words: "Vista also supports IPv6. At the moment that hardly matters,"

Hello Jerry!

Thanks again for your wonderful column.

Regarding Vista and IPV6, it very much is a matter.

The thing with Vista and IPv6 is that it hides one of the biggest surprises of all in Windows Vista. A technology which will change the way we think about our computers and the Internet. There will be a time before Vista and a Time after Vista. In one to two years, when a large mass of Vista users are out there, we will all look back at the time when we couldn't reach out to each other's...

Imagine this scenario...

I put a lot of holiday pictures on my hard drive in a folder named "C:\pictures".

I then share this folder as "pictures" with all authenticated users.

Then I make an account for Aunt Millie.

Finally I run "ipconfig /all" on my Vista machine and find the globally unique IPV6 address: 2001:0:4126:e38c:2d19:4684:a87c:cadc

Finally I send a mail to Aunt Millie with her account name and password on my machine. In the mail I paste the following link:

\\2001:0:4126:e38c:2d19:4684:a87c:cadc\pictures

When Aunt Millie clicks this link on her Vista machine she automatically and magically gets access to the folder on my machine (opening up in her Windows Explorer) even though both Aunt Millie and I have Routers with NAT and Firewall functionality to hide behind.

The secret to all this is named Teredo and that is a name that we will all learn to respect as we leave IPv4 behind us and move on to the world of IPv6.

Teredo addresses always start with the number 2001, that's how I knew which address to pick from ipconfig.

To learn more see this video at channel9:

Note that this feature is not Vista only, but is available for all Mac and Linux users also as long as we all use the same Teredo server at Microsoft.

By the way, the Remote assistance feature in Windows Vista is Teredo aware which explains why you can connect to Aunt Millie and help her with computer problems even though Windows XP Remote Assistance has no chance of reaching through Aunt Millie's Router and on to her Windows machine.

Think of it... I am quite sure that in the future we will all be accustomed to a situation where you expect all computers to make direct contact (as the Internet was meant to be, before all this NAT stuff showed up).

Bruno Horvat

Kentor Teknik Stora
Göteborg

Interesting. Of course with increasing computer power we can expect such direct connections to work invisibly. Interesting indeed. Thanks. Your letter generated some discussion. Captain Morse observed:

Gives me the willies, it does! An ad hoc, on the fly VPN server managed by a third-party?

Ron

But Eric notes that the system apparently allows for competition among third parties including allowing you to manage your own. Our security expert Rick Hellewell says:

Dr. Pournelle:

Initial thoughts on Teredo and IPv6 (I'm still learning about this, so don't take this as gospel):

1. Teredo is a process that allows IP6 traffic to get to a computer that is connected (at some point) to an IP4 network. It does this by encapsulating the IP6 traffic inside an IP4 packet.

2. Many systems are behind a NAT (Network Address Translation). Your local IP address is private (192.168.x.x) and translated to your public IP address by the NAT router. Most NATs are only IP4 devices, so Teredo allows an IP6 packet to make it through your NAT.

3. IP6 is only enabled by default on Vista and Longhorn.

4. Teredo is not enabled by default on XP/SP1/SP2, Windows Server 2003, or Longhorn. In Vista, Teredo is enabled but inactive by default. To become active, a user must install a Teredo-enabled application, or configure advanced Windows Firewall settings to allow Teredo.

5. Teredo does not bypass your NAT. If you enable (and activate) Teredo on your Vista system and use a host-based, stateful firewall that supports IP6 traffic (such as the Windows Firewall in Vista), you are protected from unsolicited or unwanted incoming IP6 traffic. Microsoft states (in the "Teredo Overview" document http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx ) that

"The combination of IPv6, Teredo, and a host-based, stateful, IPv6 firewall does not affect the packet filtering function of the NAT for IPv4-based traffic and does not make your Windows-based computer more susceptible to attacks by malicious users and programs that use IPv6 traffic, rather than IPv4 traffic."

6. The user must explicitly allow unsolicited/incoming Teredo traffic through their firewall. Unsolicited Teredo traffic should be blocked by their firewall (including the Vista Firewall).

7. The user can enable Teredo traffic from an IP6 computer, as in enabling remote assistance. The user and 'assister' must agree on that access. Teredo only assists in translating IP6 traffic to the IP4 network used by the user or assister. This doesn't appear to be any different than how remote assistance works now: the user still has to allow that remote assistance.

8. It is possible to 'social engineer' someone into allowing remote assistance (via IM, for instance). But the user has to agree to allow that remote assistance request. I suspect that User Access Control may come into play here.

9. Users may have been using NAT as their sole protection against outside intrusion. This is not good (even now), and will be less good with IP6 traffic. But the user still needs to make a specific decision to allow an application access through their NAT. Teredo, by itself, will not punch a hole through your firewall. Each Teredo-aware application has to request that exemption.

It doesn't appear, from my limited reading, that Teredo by itself is a problem. It is a solution that allows IP6 traffic to be sent over an IP4 network. It doesn't appear to open up any more insecurities than are out there now.

Regards, Rick Hellewell

We should note that "social engineering" remains as a major vulnerability in any system.
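Bruno's letter and Rick's first point both turn on the same mechanism: a Teredo address is an IPv6 address that carries the client's IPv4 NAT mapping inside it. The following Python is an added example, not code from the page and not Microsoft's Teredo implementation. It decodes the RFC 4380 address layout (the 2001:0::/32 prefix, then the Teredo server's IPv4 address, a 16-bit flags field, and the client's external UDP port and external IPv4 address, the last two stored XORed with all-ones) and scans a few constructed log lines for Teredo peers, which is the check a defender wants when deciding whether a connection that reached a file share arrived through a tunnel rather than a native link. The sample address and log lines are constructed from documentation ranges, not taken from Bruno's letter.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# RFC 4380 assigns 2001:0000::/32 to Teredo. This is why the letter says Teredo
# addresses "always start with 2001"; other 2001: prefixes exist (2001:db8::/32 is
# the documentation prefix), so the whole /32 must be tested, not the first group.
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
CONE_FLAG = 0x8000  # high-order bit of the flags field: client sits behind a cone NAT


@dataclass(frozen=True)
class TeredoAddress:
    server_ipv4: str   # Teredo server the client registered with (stored in the clear)
    flags: int         # 16-bit flags field
    cone_nat: bool     # cone-NAT bit taken from flags
    client_port: int   # client's external UDP port (stored XOR 0xFFFF)
    client_ipv4: str   # client's external IPv4 address (stored XOR 0xFFFFFFFF)


def is_teredo(addr: str) -> bool:
    """True if addr parses as an IPv6 address inside the Teredo /32."""
    try:
        return ipaddress.IPv6Address(addr) in TEREDO_PREFIX
    except ValueError:
        return False


def decode_teredo(addr: str) -> TeredoAddress:
    """Split a Teredo address into server, flags, external port and external IPv4."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed  # 16 bytes: prefix(4) server(4) flags(2) port(2) client(4)
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoAddress(str(server), flags, bool(flags & CONE_FLAG), port, str(client))


def encode_teredo(server_ipv4: str, flags: int, client_port: int, client_ipv4: str) -> str:
    """Inverse of decode_teredo; used here to build the constructed fixture."""
    raw = (
        TEREDO_PREFIX.network_address.packed[:4]
        + ipaddress.IPv4Address(server_ipv4).packed
        + (flags & 0xFFFF).to_bytes(2, "big")
        + ((client_port ^ 0xFFFF) & 0xFFFF).to_bytes(2, "big")
        + (int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF).to_bytes(4, "big")
    )
    return str(ipaddress.IPv6Address(raw))


# Constructed sample log (not from the page). Line 2 is a Teredo peer whose address
# encodes server 192.0.2.1, cone flag set, external port 40000, external IPv4
# 198.51.100.7; line 3 is a native IPv6 peer from the documentation prefix.
SAMPLE_LOG = [
    "2007-02-26 10:01:12 fw allow udp 198.51.100.7:40000 -> 192.0.2.1:3544 teredo",
    "2007-02-26 10:01:13 smb inbound from 2001:0:c000:201:8000:63bf:39cc:9bf8 share=pictures",
    "2007-02-26 10:02:00 smb inbound from 2001:db8::10 share=pictures",
]


def find_teredo_in_log(lines) -> List[Tuple[int, TeredoAddress]]:
    """Return (line number, decoded address) for every Teredo address in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        # Any run of hex digits and colons is a candidate; is_teredo rejects the
        # timestamps and port suffixes that also match this loose pattern.
        for token in re.findall(r"[0-9A-Fa-f:]+", line):
            if is_teredo(token):
                hits.append((number, decode_teredo(token)))
    return hits


if __name__ == "__main__":
    for number, t in find_teredo_in_log(SAMPLE_LOG):
        print(f"line {number}: Teredo peer behind NAT {t.client_ipv4}:{t.client_port} "
              f"via server {t.server_ipv4} (cone NAT: {t.cone_nat})")
```

The decoded external IPv4 address is what you would correlate against the IPv4 firewall log (line 1 above shows the matching UDP flow to the Teredo service port 3544). Windows releases after Vista randomise the unused bits of the flags field (RFC 5991), so only the cone bit should be read as meaningful.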

Subject: E-mail Sender Authentication and Anonymity —

"Vista also supports IPv6. At the moment that hardly matters, but IPv6 has the potential to implement sender authentication/verification for email. That could be very important.

"Marty Winston suggests that one way to implement sender authentication is to make it a USPS revenue center so access to US addressees can mandate it or else not pass the mail. I doubt this will ever happen, but it's an intriguing idea.

"I have some mixed emotions here: anonymous pamphleteering was very important to the Committees of Correspondence that organized the American Revolution, and it is a right that the Framers were zealous to protect. Once we have secure sender verification, most of us will use it and reject all mail that doesn't employ it. That will effectively eliminate anonymous pamphleteering. I don't know if that's important, but it does concern me."

I am curious about your statement about IPv6. IPv6 does have some features that make IP spoofing more difficult, but even with IPv4 it is very difficult to do anything more than pretend to come from another IP that the sender controls.

E-mail authentication is a big issue these days. I've been involved with Sender Policy Framework (SPF) - http://www.openspf.org/ - for nearly three years. It is the most widely deployed domain level e-mail authentication technology. As long as automatic e-mail forwarding doesn't play a large part within the group you e-mail to/from it is reasonably effective.

I've also been involved in the IETF working group for the Yahoo!/Cisco backed Domain Keys Identified Mail (DKIM) - http://www.dkim.org/ - for the last year. This also has some potential to help.

I think that we are well past there being significant anonymous speech on the internet. E-mail headers include enough information to trace messages back to the IP address from which they originated (or to a party that can do so). Any entity with the power and motivation to get providers to reveal the person behind an IP address can find out who sent any message. It is difficult and so not worth the trouble unless you are motivated by financial gain (e.g. RIAA/MPAA) or trying to maintain a repressive government (e.g. People's Republic of China).

Scott K

I expect you are right. Eric notes that you can still print pamphlets anonymously, and he sure doesn't want you to be able anonymously to stuff his inbox with spam. Nor do I. I suppose I need to think about this more. Anonymity is one of those rights that can easily be abused. There is a difference between "tagging" (putting up malicious graffiti), and "Chalking slogans on the gate," and you can't protect the one without protecting the other. As I said, I need to think about this more.
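Scott's letter describes SPF as domain-level authentication that works well except where automatic forwarding is common. The following Python is an added example, not code from the page or from the openspf.org project: a minimal SPF evaluator over a constructed in-memory DNS table (an assumption; a real checker queries the TXT record of the MAIL FROM domain) that implements the ip4, ip6, include and all mechanisms with their qualifiers, and a small scenario showing why a plainly forwarded message fails the check. Domains and addresses are constructed from documentation ranges; mechanisms that need live DNS (a, mx, ptr, exists) are deliberately left out.

```python
import ipaddress
from typing import Dict

# Constructed "DNS": MAIL FROM domain -> SPF TXT record (an assumption for this example).
FAKE_DNS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation


def check_spf(sender_ip: str, domain: str, dns: Dict[str, str] = FAKE_DNS, depth: int = 0) -> str:
    """Evaluate domain's SPF record against the IP that connected to the MTA.

    Returns an RFC 7208 result string: pass, fail, softfail, neutral, none or
    permerror. Only ip4, ip6, include and all are implemented here.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"  # include loop or an over-long chain of includes
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            matched = net.version == ip.version and ip in net
        elif mech == "include":
            # include matches only when the included domain's policy yields "pass";
            # its fail does not become our fail (RFC 7208 section 5.2)
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists would need live DNS lookups
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match and without an "all"


def forwarding_scenario() -> Dict[str, str]:
    """The failure mode from the letter: a forwarder re-sends a message with the
    original MAIL FROM domain intact but from its own IP, which example.com never
    authorised, so the receiving MTA sees the same message pass and then fail."""
    return {
        "direct": check_spf("192.0.2.25", "example.com"),       # from an authorised range
        "forwarded": check_spf("203.0.113.5", "example.com"),   # from forwarder.example's IP
    }


if __name__ == "__main__":
    for path, result in forwarding_scenario().items():
        print(f"{path:>9}: {result}")
```

The fix for the forwarding case in practice is to have the forwarder rewrite the envelope sender to its own domain (or to rely on a signature that survives forwarding, which is the role DKIM plays in the letter), not to loosen the record to `~all` or `+all`.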


Upgrading to Vista

Regarding upgrade installs of Vista: The only excuse for having the Upgrade version of Vista is if it was a freebie for a machine purchased in recent months. There is simply no good reason to get the Upgrade version at retail. OEM versions are readily available and cost a good deal LESS than the retail Upgrade versions. In fact, for individual licenses, I'm hard put to imagine why anyone should ever get anything other than the OEM version. At $200 for Vista Ultimate OEM vs $299 for Vista Ultimate Upgrade or $399 for Vista Ultimate, the choice shouldn't require a lot of thought.

Now, the boxes for the retail Vista packages are pretty spiffy but not $100 worth of spiffy.

Eric Pobirs

And indeed Ultimate OEM costs less than Upgrade Business. There don't seem to be any restrictions on buying the "system builder" OEM versions, either, although some vendors may require you to buy hardware as part of a package deal to get OEM Vista. It depends on the vendor.


On Upgrading to Vista through "upgrade" rather than "clean" install.

Doctor Pournelle,

In your February 6, 2007 "Computing at Chaos Manor" you asked if anyone had successfully upgraded an existing XP system to Windows Vista.

I have done this twice, but did find one "gotcha".

I have an HP dc7700 Business Desktop with a 2.13GHz Core 2 Duo, 2GB of RAM, integrated Intel graphics, and an 80GB SATA primary HDD that holds the OS and applications and 250GB SATA secondary HDD that holds all data.

I first made an image of my XP Professional installation using Acronis TrueImage 10 and then performed an upgrade with the Vista Enterprise DVD. It took about an hour, and when it was done everything appeared to work, with one "gotcha": I could not access my Outlook PST. I received an "Access Denied" error. I think this may have been related to User Account Control, but at the time, I decided "back to XP" and restored my image.

About two months later, driver support had improved so I thought I would try again. I imaged my XP install with Acronis then did an in-place upgrade with Vista Enterprise. I turned off User Account Control from the start (it just drives me batty - I so prefer the security model on OS X and my Intel Macs) and Outlook worked fine.

I used this for about a month, then decided to try a fresh Vista install. I imaged my (now Vista) drive and then formatted and installed. Disabled UAC on first log-in and installed all my apps and it's been fine so far, except that my 250GB HDD will constantly power-down into an S3 sleep state when I resume from Standby, even though I have disabled HDD sleep in Vista and the BIOS (which is the latest). This didn't happen with my XP-to-Vista upgrade, so... Since I have a UPS, I just leave the machine on 24x7 now.

So I found XP to Vista Enterprise to be a painless upgrade. As to performance, I can't really tell a difference (seems quick enough either way), so if you have a lot of user data (passwords, cookies, etc.) that you'd really prefer not to lose (though I am told Vista has a very nice User Data migration tool), first imaging/backing up your XP install and then performing an upgrade might be prudent. However, MS' "upgrade path" is evidently very convoluted (only XP Home can be upgraded to Vista Home, for example, and XP Pro will only upgrade to Business, Enterprise and Ultimate), so one needs to carefully check Microsoft's site to see what versions you can upgrade to.

I've enjoyed your computer writing since your first published Byte articles.

Chris Wallace
Happy Subscriber

It certainly would be worth doing upgrade just to save all the cookies and passwords. I know you can export all those, but I never think to do it. Thanks.

Subject: Vista upgrade vs. install

I think in the past bad drivers from a previous OS version could really gum up the works; Vista seems to do a very good job of detecting/disabling these drivers and falling back to a usable (if not optimized) state. I upgraded my relatively new Lenovo laptop from XP to Vista a few weeks ago. I did experience a few difficulties with incompatible drivers/software that hung around from the XP install. Many of the pre-installed IBM utilities were not compatible with Vista. There were no showstoppers, though; after the upgrade things worked just fine, and I was just subjected to an annoying series of taskbar bubbles telling me about this or that incompatibility after a reboot. Downloading new versions of the IBM utilities and some other drivers fixed the issues.

I suffered some minor application incompatibilities, but nothing that I would attribute to having done an upgrade vs. a clean install. I have some video driver issues with certain games, but that will have to wait for ATI to get its driver act together, and has nothing to do with my upgrade path.

In short I have to say that I was very much impressed with the Vista upgrade process and could recommend it to others vs. a clean install. Just make sure to download the latest Vista drivers for your hardware before you upgrade.

Josh Vanderberg

I have not yet tried upgrading the Lenovo ThinkPad Z61t from XP to Vista, but perhaps I'll give that a try. The Z is certainly powerful enough. Thanks.


On CPU Affinities:

Subject: processor affinity

Jerry,

You said:

I do wish I had some means of assigning Outlook all of one CPU and no more, while the other CPU is reserved for everything else. Even better would be a table of assignments. I expect this will come one day.

Well, that day is here; in fact, it's been here since Windows NT first came out. I suspect I'm not the first to tell you this, but just in case:

Under XP, in Task Manager, on the Processes tab, right-click on the Outlook process, pick "Set Affinity". Choose the CPUs you want Outlook to use, and you're done. I assume Vista is the same.

Hope this helps - keep up the good work!

-C

I am sure I knew that and forgot it. Samuel Johnson tells us that we seldom need educating but we often need reminding.

For those who don't want to fool around in Task Manager:

Subject: Outlook & CPU affinity

Jerry,

It took a bit of digging but Microsoft released an applet with W2K to do just this - imagecfg (.exe). It is part of the Resource Kit and is supposed to be compatible with Windows XP (I haven't tested this however).

I also found this link on AMD's forum pages - http://www.smogsy.com/edgemeal/ there are several freeware apps that do the same thing.

Bill Shields

So that problem is solved for good. Thanks.


Subject: Net Neutrality

Jerry,

I think that the Market Place can provide all of the regulation needed to accomplish the goals of Net Neutrality. There is a single proviso. The marketers of Internet Access must spell out exactly what they are providing their customers.

My first reaction when Whitacre of AT&T nee SBC sent up his trial balloon of charging Internet content providers for bandwidth was to start looking at alternatives to my AT&T DSL service and think that Whitacre must be crazy to in effect ask his customers to "please bend over."

I believe that Internet Service Providers that clearly spell out to their customers that any content that their customers wish to access will be given equal access to bandwidth will prosper at the expense of those providers that seek to give preferential access to bandwidth to those content providers that pay for it.

There is, of course, nothing to prevent ISPs from limiting the amounts of data transferred per billing period by providing tiered pricing for stated amounts of data transfer and unlimited transfer.

In the end the market place is by far the best regulatory body where there is competition. The only disadvantage, from a political perspective, is that it does not require any bureaucrats to achieve its regulation.

Bob Holmes

And this from another reader

Subject: Net Neutrality Comments

It puzzles me why Net Neutrality seems so complex. It is pretty simple, though many people (congress critters mostly) refuse to allow it to be simple. I guess it is because Peering Agreements on the Internet are not well understood by most people.

A Peering Agreement is nothing more than a simple agreement between network owners who have physical assets such as fibre lines. Such an agreement usually says "if you route my packets to destinations most easily reached by your network, I'll route your packets to destinations most easily reached on my network. I'll have my routers talk to your routers and pass the routing information for my network along too." Usually such agreements are made at no cost, or with a mutual cost coverage agreement. They are not direct profit centers for either company involved.

What this means is that if you obtain Internet Service from Time Warner Cable, you will be able to transmit or receive packets to someone else who uses AT&T. You don't have to know or care about which provider the remote destination uses.

What AT&T and other companies want is to change those agreements to say, sure you can reach any destinations I service, but I want to charge you a toll for every packet you send over my network if you are not one of my customers. Of course, any other companies will have to charge similar tolls to AT&T customers.

This is a basic and intrinsic change in how the internet operates, and not surprisingly, it enables companies like AT&T to charge a premium for and impose limitations on certain types of data transmissions, for example Voice Over IP transmissions, a subject that has hit companies like AT&T right where it hurts: the bottom line.

It is a reaction to the fact that data is now about as important as voice on the national networks. And even more so on the International Network. The phone companies appear to have failed to envision this situation entirely.

Everything else being bandied around about in regards to 'Net Neutrality' amounts to not much more than smoke and mirrors.

While I agree with you that losing the old Bell Labs was a terrible loss - allowing the new AT&T to emerge is not going to bring back Bell Labs. It does, however, seem to be suggesting we will see the modern day analog of the old sky high long distance rates though - in the form of tolls on network traffic.

Yours, -Paul R.

I retain the opinion that regulation generally accomplishes less good, and more harm, than those who set up the regulatory bureaucracy intended. I am also of the opinion that the market plus technology will take care of this situation and no "net neutrality" legislation is needed.

It's probably all moot. The Democrats are in power and influential Chairmen like Markey want this legislation, so we will probably get it. I predict that many of those who want it will be complaining not too long after it is enacted. So it goes.


Subject: Vista 32 bit and 4GB Memory

Jerry,

I suspect that even the 64 bit version of Vista would only see 3GB of the 4 GB of memory that is installed in your system. This is a function of the system BIOS and in most cases BIOS settings can be changed to allow the 32 bit OS to see more of the memory and the 64 bit OS to see all of it.

The inability of the OS to see all of the installed memory is the result of the addresses to which the memory "hole" for PCI devices is mapped. The default mapping for most BIOS implementation starts immediately above the 3 GB address and occupies about 512 MB. It is possible to tell most BIOS implementations to change the starting address of this "hole."

I am running an AMD Opteron 165 dual core processor on a Gigabyte GA-K8NF-9 motherboard with 4 GB of memory. I have both Windows 2000 and Windows XP x64 edition installed on this system. Before changing the BIOS settings both operating systems saw 3 GB of memory. After changing the BIOS settings Win XP x64 sees all 4 GB while Win 2K sees 3,407,336 KB of memory.

Bob Holmes

Thanks. I suppose I ought to muck about with the BIOS settings and I certainly will when I go to Vista 64, but for the moment I have no real need for 64-bit while the driver incompatibilities can cause real problems.


Regarding World of Warcraft

Hello Dr. Pournelle,

I was just reading the mailbag from Feb 19, and Tim notes:

While trips to the graveyard are MUCH reduced, a Hunter's spirit runs twice as fast back to the body as other classes, making downtime even shorter.

This is incorrect. This is not a hunter ability, but a Night Elf ability (see this link). And also, it is only 25% faster than other classes. I have played a Dwarf Hunter (Ulwar) since launch (currently lvl 64) and absolutely love it. With the buffs that pets got with Patch 2.0, my cat pet is a very effective tank. So, if you're ever on the Alleria server, look me up!

Glenn Hunt

I understood that Tim was wrong on that, but forgot to mention it. Thanks for pointing it out.

Thanks also for the invitation, but I am not likely to get to any other servers. I am on Feathermoon, and I haven't managed to visit my characters for weeks; if I get ahead on my columns, my Paladin will go about saving damsels in distress and slaying orcs again. Hunters are certainly more fun for solo play, but for reasons that may have roots in my Norman ancestry, I do like Paladins.