me.getBrain().dump()
My silly ideas or dumb thoughts
Sunday 26 June 2011
New blog
I was not satisfied with blogger, so I'm moving my blog to WordPress and my own domain: http://blog.juzna.cz
Wednesday 12 January 2011
Banning on optical network
Based on a true story in the Helemik company
Disclaimer: My colleagues asked me how blocking on the optical network in our company works. They probably expected a very short technical detail, but since I was in a good mood, I wrote 'em this story. Hope they will hate me for that. (But at least they'll practice their English :)
So, where to begin.
Once upon a time there was a lazy customer who didn't want to pay his
internet bills. He just thought he could surf for free and nobody
would notice - considering the large number of customers the provider
has, they can't all be checked for their payments. However, he wasn't
very lucky with his idea. The meant-to-be-stupid provider he was
up against was the big hero El Helemikos, famous in all towns and
villages from west to east. That company was running specialized
software for maintaining not just all customers, but all network
devices as well. Despite the fact that this software was still
running on an old piece of hardware, called "Five" because of its IP
address ending with the number five, it was still capable of validating
thousands of customers and tens of thousands of their payments. Each
night, this mighty software just took one customer after another and
recalculated his payments. Should it realize that a given customer was
overdue with his payment by more than two weeks, it wrote a cruel
scenario to follow - it could ban the customer from connecting to the
public Internet. Let me tell you a little bit about these procedures
and also about the customer's choices for a fair fight.
Since the network which our system was taking care of had been
growing rapidly for a couple of previous years, all the PHP code
responsible for blocking became one big piece of mess. All blocking
was based on IP addresses, even though on the optical network whole
ports on edge switches were blocked: On all switches, there was a
guest vlan called "the sixteen" created for customers unauthenticated
to the network. This vlan was also used for blocking customers by
simple means. If you have a look into the database dedicated to
radius, you can find a group "ban-optika". When blocking a customer on
the optical network, the system just used his IP address to find the
actual MAC address and the appropriate vlan number. This tuple, being
used as a user name by the 3com switches when authenticating an edge
port to the network, was just added to this ban group. Then, when
switches asked radius to authenticate such a blocked customer, being
in a ban group meant the presence of some additional parameters in
radius' response. If you wonder what in particular could be in this
response, you can have a look into the radgroupreply table in the
appropriate database (the most important message is telling the switch
to put this customer into "the sixteen" vlan). So, despite being
successfully authenticated, the customer was not authorized to access
the proper vlan with internet access. Being in "the sixteen" vlan, the
customer gained a temporary IP address from Mikrotik's hotspot and
when opening a web browser (or IE, which can or sometimes cannot be
considered a web browser) was redirected to helemik.cz:84 while
passing the customer's mac address in a GET argument. On this URL
address, the classic "welcome to optical network" message was normally
displayed. Since it was used for blocking as well, there was a slight
check in the first lines of code - when the customer came from a mac
address being blocked, his browser was told to follow one more
redirect. And this redirect went to the last page the customer wanted
to see: the blocking page. This blocking page just set up some
variables and called the-mighty-system's module ban with a function
name I can not recall now (but you may find it in the source code if
you want). A blocking page with the relevant message was displayed to
the customer telling him of his luck of being doomed. No internet
connection. At all. And no facebook either.
Luckily, there was a chance for this customer, called a "soft-ban". It
was a special type of ban, which could be unlocked by the customer
himself. By clicking on the "un-ban" button, the customer was removed
from radius' ban group and his port on the edge switch was restarted,
putting him in the right vlan with internet access. Thus, customers
lucky enough to have just this soft-ban were able to poke their
friends on FB not even thirty seconds later.
If you wanna know some technical details of how the mighty system was
doing all this, read further.
Blocking: Calling methods from scripts/classes/ban.inc.php - this
finds several devices on the route to the customer (first mikrotik,
one supervisor, shaper II and also the L2 parent - which is the edge
switch for customers on the optical network) and sends a message 'ban'
to the daemons taking care of these routers. These daemons are
executed from daemons/apon/main.php, which in turn executes a given
class based on the operating system on the given router. For blocking
ports on 4210 switches, you should be looking for 4210.inc.php. This
specific driver performs the IP to MAC lookup mentioned before and
also adds it to radius' ban group. Then, as the source code is telling
us, it checks whether the customer's port is up and running and if so,
it restarts it.
In the new approach you suggest, you should change this code to
modify the port's setting, moving it to another dedicated vlan.
Unbanning is very similar. The script in scripts/classes/ban.inc.php
just looks up the same routers (including the edge switch being the L2
parent) and sends them an "unban" message. According to the source
code, this message means actions much similar to the banning
procedure.
In your new approach, you should change the port to have access to
the standard internet vlan.
You need to keep in mind that the daemons are running in the
background. So when changing their source code, you need to restart
them (or just kill them; there is one master daemon taking care of all
the small ones which can start 'em in case they're needed).
PS: All the names may or may not be real, depends what you prefer.
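Added example (not part of the original post and not the company's PHP code): a small Python model of the radius group mechanism from the story, showing how membership in "ban-optika" changes the vlan in the reply and how a soft-ban differs from a ban the customer cannot lift. The table names radusergroup and radgroupreply follow the FreeRADIUS SQL schema; the username format, the "internet" group, vlan 100, the priority values, the ban_kind table and the rule that the lowest priority number wins are assumptions made for illustration.

```python
import sqlite3

GUEST_VLAN, BAN_GROUP = "16", "ban-optika"  # "the sixteen" vlan and ban group from the story

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE ban_kind (username TEXT PRIMARY KEY, soft INTEGER); -- assumed table
    """)
    for group, vlan in (("internet", "100"), (BAN_GROUP, GUEST_VLAN)):  # vlan 100 assumed
        db.executemany("INSERT INTO radgroupreply VALUES (?, ?, ':=', ?)", [
            (group, "Tunnel-Type", "VLAN"),
            (group, "Tunnel-Medium-Type", "IEEE-802"),
            (group, "Tunnel-Private-Group-Id", vlan)])
    return db

def authorize(db, username):
    """Reply attributes of the user's first group (lowest priority number: assumption)."""
    row = db.execute("SELECT groupname FROM radusergroup WHERE username = ? "
                     "ORDER BY priority LIMIT 1", (username,)).fetchone()
    if row is None:
        return {}
    return dict(db.execute("SELECT attribute, value FROM radgroupreply WHERE groupname = ?", row))

def vlan_for(db, username):
    return authorize(db, username).get("Tunnel-Private-Group-Id")

def ban(db, username, soft):
    db.execute("INSERT INTO radusergroup VALUES (?, ?, 0)", (username, BAN_GROUP))
    db.execute("INSERT OR REPLACE INTO ban_kind VALUES (?, ?)", (username, int(soft)))

def self_unban(db, username):
    """The "un-ban" button: only a soft ban may be lifted by the customer himself."""
    row = db.execute("SELECT soft FROM ban_kind WHERE username = ?", (username,)).fetchone()
    if row is None or not row[0]:
        return False
    db.execute("DELETE FROM radusergroup WHERE username = ? AND groupname = ?", (username, BAN_GROUP))
    db.execute("DELETE FROM ban_kind WHERE username = ?", (username,))
    return True  # the caller then restarts the edge port so the switch re-authenticates

def demo():
    db = open_db()
    payer, debtor = "001122334455-100", "66778899aabb-100"  # constructed usernames
    for user in (payer, debtor):
        db.execute("INSERT INTO radusergroup VALUES (?, 'internet', 10)", (user,))
    before = vlan_for(db, debtor)
    ban(db, debtor, soft=True)
    banned = vlan_for(db, debtor)
    lifted = self_unban(db, debtor)
    ban(db, payer, soft=False)  # a ban the customer cannot lift himself
    return before, banned, lifted, vlan_for(db, debtor), self_unban(db, payer), vlan_for(db, payer)

print(demo())
```

The unban decision here is made from server-side state (the ban_kind row), not from anything the browser sends, so the MAC address in the GET argument is only used to find the record.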
Monday 22 November 2010
On living in UK or in Czech republic
(I wrote this on my mobile phone while being bored in the back seat of a car on my way back to Portsmouth. It’s just a stream of thoughts, and it’s written on the phone’s keyboard, so it’s not really good.)
Disclaimer: This is written for Czech people to make them think (about how life in UK can be).
Where do you think it's cheaper to live, in UK or in Czech republic? Some months ago I would reply to this question without hesitating a second. And most of other people would do the same, I believe. At least what I've asked, people from Czech republic, Germany or England have the same stereotype. I was told in an English family: “We have heard, that there is everything very cheap in Czech Republic.” Is it really true? After living in UK I discovered that just the opposite can be true.
You have to look deeper, and not compare prices by converting currencies using official rates from banks. When you convert prices to the time you need to work to buy that particular thing, you will get a totally different result for the question I asked. And isn't this a much more logical way of comparing prices and life in different countries? Let's assume my potential job in IT for example. I could easily have a job with a wage of 200CZK in Czech republic. It makes the cost of a meal in a normal restaurant about .7 hour (assume you would pay 120CZK, which is quite a normal price IMHO). If I lived and worked in UK, with the same type of job I could easily earn 20GBP per hour. For a normal lunch in a restaurant I need to pay about £5 up to £8, which depends much on the restaurant. I find even the cheaper one quite comparable to that hypothetical one in CR. It means that in this case you would pay for lunch .25 hour of your time. Even in a better restaurant, you would still pay less than .5 hour for a pretty good lunch.
This conversion, however, would be very inefficient to calculate, because it is different for everyone, as everyone earns a different amount. So you may try to find a better metric, and it turns out that classic currency conversion works pretty well. You just have to apply another ratio than the one the banks give you. This could be different for each job, but from what I asked people, it seems to be pretty similar for most people. For me it would be 10 (because with the same job I can earn 200czk or 20gbp). Minimal wage is something like £6.5 for people over 25 in UK. I'm not sure if the next statement is true, but I guess that there are lots of people who earn about 70czk in CR. The ratio is still approximately 10. For a part-time job as a kitchen porter, you can have £5 or maybe 60-70czk; this ratio is still so close to 10. At least when you compare it to the official rate, which is about 30 (czk for 1 gbp).
[for Czech people] Imagine a dream-world, where you would pay in czk everywhere. However, if you would like to move there, you would give up two thirds of the money you have saved, since the conversion ratio from the bank and the “working-time” ratio differ. But then, you would earn the same as you are used to (or you would get the same pocket money from your parents). Some things would be more expensive (but very few), some would be about the same price (just some) and very many would be cheaper. Because of this beautiful conversion ratio of 10, I can now take prices I see every day, simply add one more zero to the end and this would give me the price in that dream-world. Some things are the same, like the rent for a single room in a small house, which is here 3500 czk; for one beer you have to pay about 30czk, which is a little bit worse than home. Wanna take a bus? You have to pay 20czk for just a few stops, it’s expensive mate! You don’t like it here. But you try to go out to the town centre to see prices there. You’re thirsty, so you buy a small bottle of coke for 10czk, wow, very nice price. Then you stop for lunch in a fast food, it could be a kebab (lots of meat) for just 35czk. If you’re more hungry you can have a whole meal in burger king for 50czk. What about a coffee in a restaurant then, they got a special offer: coffee and muffin just for 15czk? In a restaurant? Unbelievable! You eat your dinner in another restaurant later. For a burger with chips (chips in England means something like french fries, it’s not the same as chips in Czech republic), onion rings and some cheese sauce, you pay just 65czk, and a drink is included of course (either coke, beer or coffee). It seems great, you can’t believe how cheap things can be. But when you go the next day to buy some electronics, you have to be careful. Brand new iPhone 4 for just 5000czk? Why buy a PC, when you can have a great iMac for just 10,000czk? All these electronics cost just one third of what they used to.
You wanna drive a car? You can buy it for just one third of the price you were told few weeks ago in real world. And petrol costs you just 10czk for litre, isn’t it amazing? You can go whenever you want and don’t need to care that it would cost you a fortune.
Wonderful place to live this dream-world seems to be, doesn’t it? I wish I could live there, I would enjoy my life much more. So sad that it’s just a dream. Or is it not?
So what would you say now? Where do you think it's cheaper to live, in UK or in Czech republic?
(BTW: 900 words essay written on phone, G1 rulezzz!)