Development issues regarding the cerowrt test router project
* [Cerowrt-devel] Fixing simple_qos.sh
@ 2013-01-27 12:28 Dave Taht
  2013-01-29 21:21 ` Sebastian Moeller
From: Dave Taht @ 2013-01-27 12:28 UTC (permalink / raw)
  To: cerowrt-devel


A couple things:

It has long been my plan to integrate simple_qos (call it ceroshaper) into
the gui, and have a test run automatically to determine the uplink/downlink
bandwidth, and store that in upnp.

The gui interface stuff has long defeated me, as well as finding enough
servers to be the backend portion of the test. As for the latter portion, I
have got a couple of linode boxes up and hope to get some more boxes from
another resource. As for the gui, I'm just hopeless there.

As for the shaper script...

One thing I notice right now is that an awful lot of stuff ends up in the
background bin for some reason.

Similar things are happening on (unshaped) wifi. There's a bug there I
think.

It's been my hope to finish cake (simple_qos poured into C and made more 32
bit cpu oriented) for a month now. I hope that will fix the background bin
thing as it does full diffserv classification - but I don't know when I'll
be done, so it would be nice to figure out what's going on.

One thing that testing (actually kathie) revealed last week is that 1024
nfq_codel flows may be excessive. 32 works pretty good, actually, and
provides a defense indirectly, against bittorrent eating your life. Why
that works is that codel works pretty good against one or a few flows in a
single bin, and 32 bins limits the amount of delay that can be injected
into the system that is unmanageable via codel. I'd been trying for "perfect
isolation" between flows, but that meant that in an extreme overload
situation with 100s of flows, and low bandwidth, delay could get out of
hand.

Heck, 16 bins might be enough. Don't know.

-- 
Dave Täht

Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html


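A sketch of the masking question raised later in this thread, added here as an example that is not code from simple_qos.sh or cerowrt: a DSCP ("TOS bits") check that compares or tests the TOS byte without masking off the ECN bits either fails to recognise ECN-marked packets or sweeps unrelated classes into the same bin. The codepoint values are the standard DSCP assignments; the classifier function names and the sample TOS bytes are constructed for the illustration.

```python
# Added example: what a DSCP ("TOS bits") check does with and without a mask.
# Not code from simple_qos.sh; the classifier names are hypothetical.
DSCP_MASK = 0xFC        # TOS byte: upper 6 bits DSCP, lower 2 bits ECN
ECN_ECT0 = 0x02         # ECN ECT(0) codepoint, set by ECN-capable senders

# Standard DSCP codepoints, shifted into TOS-byte position (dscp << 2).
CS1 = 0x08 << 2         # 0x20, "lower effort"/background class
AF11 = 0x0A << 2        # 0x28
CS5 = 0x28 << 2         # 0xA0
EF = 0x2E << 2          # 0xB8


def background_exact_unmasked(tos: int) -> bool:
    """Exact compare of the whole byte: a CS1 packet with ECN bits set (0x22)
    is not recognised as background."""
    return tos == CS1


def background_bit_unmasked(tos: int) -> bool:
    """Single-bit test without a mask: anything with bit 0x20 set matches,
    so AF11, CS5 and EF traffic all land in the background bin."""
    return (tos & CS1) != 0


def background_masked(tos: int) -> bool:
    """Mask off the ECN bits, then compare the DSCP field.
    Equivalent tc u32 form: 'match ip tos 0x20 0xfc'."""
    return (tos & DSCP_MASK) == CS1


def select(tos_values, check):
    """Return the TOS values the given check sends to the background bin."""
    return [t for t in tos_values if check(t)]


# Constructed sample of TOS bytes: CS1 plain and ECN-marked, plus other classes.
SAMPLE_TOS = [CS1, CS1 | ECN_ECT0, AF11, CS5 | ECN_ECT0, EF, 0x00]

if __name__ == "__main__":
    for fn in (background_exact_unmasked, background_bit_unmasked, background_masked):
        print(f"{fn.__name__:26s} -> {[hex(t) for t in select(SAMPLE_TOS, fn)]}")
```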

* Re: [Cerowrt-devel] Fixing simple_qos.sh
  2013-01-27 12:28 [Cerowrt-devel] Fixing simple_qos.sh Dave Taht
@ 2013-01-29 21:21 ` Sebastian Moeller
  2013-01-30 12:20   ` Maciej Soltysiak
From: Sebastian Moeller @ 2013-01-29 21:21 UTC (permalink / raw)
  To: Dave Täht; +Cc: cerowrt-devel

Hi Dave,



On Jan 27, 2013, at 04:28 , Dave Taht wrote:

> A couple things:
> 
> It has long been my plan to integrate simple_qos (call it ceroshaper) into the gui, and have a test run automatically to determine the uplink/downlink bandwidth, and store that in upnp.

	Any idea of how to determine link speed by a script? As I intend to disable upnp it would be great if the link speeds could still be stored somewhere and/or manually overridden. I want a firewall since I do not trust a number of devices too much, like an iPod and a nexus7, and want to keep them under supervision, so allowing them to pierce the firewall makes me feel a bit uneasy. Then again, Skype and friends figured out how to do NAT traversal without upnp, so disabling it will only buy me a little more control with a lot more hassle. Any expert on the security tradeoff involved with UPNP willing to give their opinion on this question?
	In related news: https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
So maybe my uneasiness has some grounding in reality. Mind you, I have not yet tested whether cerowrt is affected (and I doubt that, since the linked exploit requires old ). Related question: should cero's firewall drop tcp port 5000 and udp port 1900 connection requests on the wan interface to put in belt and suspenders for UPNP remote exploits? But how does this interact with using cerowrt as secondary router? (Being away from the router I can not easily check/change the firewall settings…)

> 
> The gui interface stuff has long defeated me, as well as finding enough servers to be the backend portion of the test. as for the latter portion, I have got a couple linode boxes up and hope to get some more boxes from another resource. as for the gui, I'm just hopeless there.
> 
> As for the shaper script...
> 
> One thing I notice right now is that an awful lot of stuff ends up in the background bin for some reason. 

	Now I am away from my router and just equipped with an e-mailer, that is typically when I am most dangerous ;), but when you sent out non-working examples earlier I wondered: to check individual TOS bits, would you not have to mask off all other bits?

> 
> Similar things are happening on (unshaped) wifi. There's a bug there I think.
> 
> It's been my hope to finish cake (simple_qos poured into C and made more 32 bit cpu oriented) for a month now. I hope that will fix the background bin thing as it does full diffserv classification - but I don't know when I'll be done, so it would be nice to figure out what's going on.

	Ah, is this to have a drop-in replacement for pfifo_fast?

> 
> One thing that testing (actually kathie) revealed last week is that 1024 nfq_codel flows may be excessive. 32 works pretty good, actually, and provides a defense indirectly, against bittorrent eating your life. Why that works is that codel works pretty good against one or a few flows in a single bin, and 32 bins limits the amount of delay that can be injected into the system that is unmanagable via codel. I'd been trying for "perfect isolation" between flows, but that meant that in an extreme overload situation with 100s of flows, and low bandwidth, delay could get out of hand.

	Question: is not the extreme condition round robin through all other flows? So the worst case latency might arise if all flows are eligible for one full MTU packet; at (measly) DSL uplink speeds of say 512Kbit/sec that means each sent packet will hog the line for ~23ms, so even at 32 queues the worst case latency would be 31 * 23 = 713 ms. So no more than 4 queues can be serviced routinely before the system will exceed target (assuming the default 100ms, but I might have that wrong).


> 
> Heck, 16 bins might be enough. Don't know. 
> 
> -- 
> Dave Täht
> 
> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel


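The worst-case round-robin delay estimate from the message above, carried through as an added example (not code from cerowrt or simple_qos.sh): a packet at the head of one queue waits behind one full packet from every other backlogged queue, so the wait grows linearly with the number of flow queues. It assumes a 1500-byte packet and the 512 kbit/s uplink and 100 ms budget the mail uses; the 5 ms figure in the main block is CoDel's default target and is shown for comparison.

```python
# Added example: worst-case scheduling delay in a round-robin flow-queue
# scheduler when every queue is backlogged, using the figures from the thread.
# Not code from cerowrt or simple_qos.sh; "flows" are the "bins" in the mail.
MTU_BYTES = 1500   # assumed full-size packet on the link


def serialisation_ms(rate_kbit: float, mtu_bytes: int = MTU_BYTES) -> float:
    """Time to clock one packet of mtu_bytes onto a link of rate_kbit kbit/s.
    bits / (kbit/s) is already milliseconds."""
    return mtu_bytes * 8 / rate_kbit


def worst_case_wait_ms(flows: int, rate_kbit: float, mtu_bytes: int = MTU_BYTES) -> float:
    """A packet at the head of one queue waits behind one full packet from
    each of the other (flows - 1) queues before it is served."""
    return (flows - 1) * serialisation_ms(rate_kbit, mtu_bytes)


def queues_servable_within(budget_ms: float, rate_kbit: float, mtu_bytes: int = MTU_BYTES) -> int:
    """How many other queues can each send one packet before a waiting
    packet's delay exceeds budget_ms."""
    return int(budget_ms // serialisation_ms(rate_kbit, mtu_bytes))


def delay_table(rate_kbit: float, flow_counts=(16, 32, 1024)) -> dict:
    """Worst-case wait per flow count, rounded to whole milliseconds."""
    return {n: round(worst_case_wait_ms(n, rate_kbit)) for n in flow_counts}


if __name__ == "__main__":
    uplink = 512  # kbit/s, the DSL uplink assumed in the mail
    print(f"per-packet: {serialisation_ms(uplink):.1f} ms")
    for n, ms in delay_table(uplink).items():
        print(f"{n:5d} flows -> worst case {ms} ms")
    # 100 ms is the figure the mail assumes; CoDel's default target is 5 ms
    # with a 100 ms interval, so both budgets are shown.
    for budget in (100, 5):
        print(f"budget {budget} ms -> {queues_servable_within(budget, uplink)} other queues")
```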

* Re: [Cerowrt-devel] Fixing simple_qos.sh
  2013-01-29 21:21 ` Sebastian Moeller
@ 2013-01-30 12:20   ` Maciej Soltysiak
  2013-01-30 12:50     ` Török Edwin
  2013-01-30 19:07     ` Sebastian Moeller
From: Maciej Soltysiak @ 2013-01-30 12:20 UTC (permalink / raw)
  To: Sebastian Moeller; +Cc: cerowrt-devel


On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller <moeller0@gmx.de> wrote:

>         Any idea of how to determine link speed by a script?

I assumed Dave meant this to be as simple as fetching a file and
timing that. Basically a quick script form of http://speedtest.net/


>  As I intend to disable upnp it would be great if the link speeds still be
> stored somewhere and/or manually overridden. I want a firewall since I do
> not trust a number of devices too much, like an iPod and a nexus7 and want
> to keep them under supervision, so allowing them to pierce the firewall
> makes me feel a bit uneasy. Then again, Skype and friends figured out how
> to do NAT traversal without upnp so disabling it will only buy me a little
> more control with  a lot more hassle. Any expert on the security tradeoff
> involved with UPNP willing to give their opinion on this question.

Well, UPNP or not, with a 3rd party server outside your network and proper
client/server code Skype and friends can do hole punching.

If you don't trust ipad and nexus, you're on privacy territory, not network
security per se, so I think you're better off proxying and filtering (e.g.
privoxy), than only disabling upnp.


>         In related news:
> https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
> So maybe my uneasyness has some grounding in reality, Mind you, I have not
> yet tested whether cerowrt is affected (and I doubt that, since the linked
> exploit requires old ). Related question should cero's firewall drop tcp
> port 5000 and udp port 1900 connection requests on the wan interface to put
> in belt and suspenders for UPNP remote exploits? But how does the interact
> with using cerowrt as secondary router? (Being away from the router I can
> not easily check/change the firewall settings…)

Yeah, this old thing. One thing is that cerowrt's firewall ruleset is default
ACCEPT with exceptions to block in zone_wan, and that's one bad thing [tm]
and should be the other way round. Where is the file that contains the
default ruleset?

I'll try to confirm if blocking it breaks anything or not today.

Perhaps running metasploit against cero from outside and inside could be
beneficial? Or at least a thorough nmap scan.

Maciej



* Re: [Cerowrt-devel] Fixing simple_qos.sh
  2013-01-30 12:20   ` Maciej Soltysiak
@ 2013-01-30 12:50     ` Török Edwin
  2013-01-30 19:07     ` Sebastian Moeller
From: Török Edwin @ 2013-01-30 12:50 UTC (permalink / raw)
  To: cerowrt-devel

On 01/30/2013 02:20 PM, Maciej Soltysiak wrote:
> On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller <moeller0@gmx.de <mailto:moeller0@gmx.de>> wrote:
> 
>             Any idea of how to determine link speed by a script?
> 
> I assumed Dave meant this to be as simple as fetching a file and timing that. Basically a quite script form of http://speedtest.net/

I've been using http://ipv6-test.com/speedtest/, but I don't think they provide a script API.

--Edwin


* Re: [Cerowrt-devel] Fixing simple_qos.sh
  2013-01-30 12:20   ` Maciej Soltysiak
  2013-01-30 12:50     ` Török Edwin
@ 2013-01-30 19:07     ` Sebastian Moeller
From: Sebastian Moeller @ 2013-01-30 19:07 UTC (permalink / raw)
  To: Maciej Soltysiak; +Cc: cerowrt-devel

Hi Maciej,

thanks for your thoughts.

On Jan 30, 2013, at 04:20 , Maciej Soltysiak wrote:

> On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller <moeller0@gmx.de> wrote:
>         Any idea of how to determine link speed by a script?
> I assumed Dave meant this to be as simple as fetching a file and timing that. Basically a quite script form of http://speedtest.net/

	Well, I am not sure whether that is a good idea, as speedtest.net might be not as well connected as your typical servers. So personally I try to rate limit my up- and download to line rates minus 5% to avoid the bufferbloat in the CMTS/DSLAM. I guess I am hoping that all real routers suffer less from over-buffering than the consumer-facing end nodes. (Then again this is a can of worms, but the minus 5% so far worked okay for me.)

>  
>  As I intend to disable upnp it would be great if the link speeds still be stored somewhere and/or manually overridden. I want a firewall since I do not trust a number of devices too much, like an iPod and a nexus7 and want to keep them under supervision, so allowing them to pierce the firewall makes me feel a bit uneasy. Then again, Skype and friends figured out how to do NAT traversal without upnp so disabling it will only buy me a little more control with  a lot more hassle. Any expert on the security tradeoff involved with UPNP willing to give their opinion on this question.
> Well, UPNP or not, with a 3rd party server outside your network and proper client/server code Skype and friends can do hole punching.
>  
> If you don't trust ipad and nexus, you're on privacy territory, not network security per se, so I think you're better off proxying and filtering (e.g. privoxy), than only disabling upnp.

	I might have phrased that a bit awkwardly; I am not sure about the speed with which critical remotely exploitable bugs are fixed in an aging collection of devices (this certainly includes iPod and nexus, but honestly also my laptop). (If I were really concerned about privacy I guess I would need to disable networking in apple and google devices completely :) )

>  
>         In related news: https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
> So maybe my uneasyness has some grounding in reality, Mind you, I have not yet tested whether cerowrt is affected (and I doubt that, since the linked exploit requires old ). Related question should cero's firewall drop tcp port 5000 and udp port 1900 connection requests on the wan interface to put in belt and suspenders for UPNP remote exploits? But how does the interact with using cerowrt as secondary router? (Being away from the router I can not easily check/change the firewall settings…)
> Yeah, this old thing. One thing is cerowrt firewall ruleset is a default ACCEPT with exceptions to block in zone_wan and that's one bad thing [tm] and should be the other way round. Where is the file that contains the default ruleset?

	I guess this is what I will set my router to (default drop); I assume though that Dave's goal is rather to be open, so end-to-end connectivity is open enough to easily allow running your own servers. Mmmh, thinking over this I should bolt down the router itself from the outside a bit more and the secure network segments, and use the guest segments as permissive segments in which to run servers and such...

>  
> I'll try to confirm if blocking it breaks anything or not today.
>  
> Perhaps running metasploit against cero from outside and inside could be beneficial? Or at least a through nmap scan.

	I checked my 3.7.2-4 cerowrt router with ScanNOwUPnP.exe (from rapid7) and it comes up empty, meaning cerowrt is not affected by that issue (as to be expected, as cero's miniupnp >> 1.4).

Thanks a lot for your thoughts.

best
	Sebastian

>  
> Maciej
>  


