Mon Jan 14 2013 11:30:42 PM EST from IGnatius T Foobar @ Uncensored
After a whole lot of pain with iSCSI multipath stupidness, I am swearing off block protocols for good. Everything I put in my data center is going to be NFS over 10 Gbps Ethernet from now on.
It Just Works (tm).
Off the shelf solution or something you built?
Off the shelf solution or something you built?
In this case it's a storage system from this little outfit called NetApp
:)
However ... the decision was based on experience that included homebrew storage.
Even at 1 Gbps, our little NFS boxes were far easier to manage than big-vendor iSCSI. I never want to read the words "logical volume not on preferred path" again. Several of my future homicide victims will have those words written on their gravestones.
Finally got around to reading that. Bizarre. Can you even generate a
key with a specific exponent, or do you have to just keep re-keying
until you get something acceptable?
Yeah, there are some arcane options to openssl's command line that let you override the default exponent. There are only a few that are commonly in use, and the only one that's broadly acceptable to all software, and also secure under the most stringent standards, is probably 65537.
But it's all pointless unless you ensure that every CA cert in the chain that signs your key also uses a large exponent.
big-vendor iSCSI. I never want to read the words "logical volume not
on preferred path" again. Several of my future homicide victims will
have those words written on their gravestones.
Heh. My FHVs are going to have "Abort/Retry/Ignore? >" on *their* gravestones! <evil grin>
Mon Sep 30 2013 8:13 AM EDT from IGnatius T Foobar @ Uncensored
Off the shelf solution or something you built?
In this case it's a storage system from this little outfit called NetApp
:)
However ... the decision was based on experience that included homebrew storage.
Even at 1 Gbps, our little NFS boxes were far easier to manage than big-vendor iSCSI. I never want to read the words "logical volume not on preferred path" again. Several of my future homicide victims will have those words written on their gravestones.
Funny you should say. I just remembered Coraid the other day and thought, what if they were still not just sales droids, but actually wanted to sell something to some company without coming off as being a used car salesman. I took the bait and researched what little there was on the internets to be gleaned and finally had to go to the website and post a "gimmie a quote you slimy so and so" request. The site made it seem like you were filling in a quote sheet that would be automated and sent out in a few minutes, but it was not until the next morning that I found out that 'it's a trap' was in store.
The sales droid first sent me an email with no body text (yes I use alpine as my mail client), but I digress. The second email was one to implore me to call him back for the quote. After a few hours he emailed me a sketchy pdf which contained the semi plausible bits that described a 1GBps/10GBps san unit (without enough details and enough asterisks to choke a horse stating that you needed a support contract on top of the purchase price of the hardware before they would sell you the minimum hardware). Even the base price (minus any drives) was enough to make me go away.
Glad you had more fun in that arena IG. I have opted for simple raid 1+0 and NFS to fit the bill for now as the needs have not shot past that (yet).
This year we have upper management that wants us to be Teh Cloud (tm) so we got the budget for NetApp hardware. Yum. It's pricey but the performance just screams. Because cloud.
Yeah, there are some arcane options to openssl's command line that let
you override the default exponent. There are only a few that are
commonly in use, and the only one that's broadly acceptable to all
software, and also secure under the most stringent standards, is
probably 65537.
I learned that 65537 is the default for OpenSSL while learning how to check to see if a certificate matches a particular public key (such as, when a CSR is sent out to a customer and then the cert they send back may or may not be generated from the CSR you gave them ... some people do weird things).
"Compare the modulus and exponent." And I said "gee, the exponent is *always* 65537, what's with that?"
I want to try an exponent of 0 and see what happens :)
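The check described in the post above (does a returned certificate carry the same public key as the CSR that was sent out), as an added example that is not part of any post in this thread. It compares the whole public key, which covers both modulus and exponent, and also shows the `genpkey` option for choosing the exponent; the function names, file names and CNs are assumptions made for the example.

```shell
#!/bin/sh
# Added example; file names and CNs below are constructed for illustration.

# Print the PEM public key (modulus + exponent) held in a key, CSR or cert.
pubkey_pem() {  # $1 = key|csr|cert, $2 = path
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# 0 = same public key, 1 = different, 2 = one input could not be parsed.
same_pubkey() {  # $1/$2 = kind and path of first file, $3/$4 = second
    a=$(pubkey_pem "$1" "$2") && [ -n "$a" ] || return 2
    b=$(pubkey_pem "$3" "$4") && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Public exponent of the RSA key inside a certificate, in decimal.
cert_exponent() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Exponent: [0-9]/ {print $2; exit}'
}

# Build two unrelated key/CSR/self-signed-cert sets (a.*, b.*) in directory $1.
# rsa_keygen_pubexp is the genpkey option that sets the public exponent.
make_samples() {
    for n in a b; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -pkeyopt rsa_keygen_pubexp:65537 -out "$1/$n.key" 2>/dev/null
        openssl req -new -key "$1/$n.key" -subj "/CN=$n.example.test" \
            -out "$1/$n.csr"
        openssl x509 -req -in "$1/$n.csr" -signkey "$1/$n.key" -days 1 \
            -out "$1/$n.crt" 2>/dev/null
    done
}

d=$(mktemp -d) && make_samples "$d"
same_pubkey csr "$d/a.csr" cert "$d/a.crt" && echo "a.crt was issued for a.csr"
same_pubkey csr "$d/a.csr" cert "$d/b.crt" || echo "b.crt was NOT issued for a.csr"
echo "exponent in a.crt: $(cert_exponent "$d/a.crt")"
rm -rf "$d"
```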
Hmmmm...
Is this thing working?????
Oct 3 2013 1:18pm from vince-q @cascade (Cascade Lodge BBS)
Hmmmm...
Is this thing working?????
Looks that way...
Thu Oct 03 2013 01:18:53 PM EDT from vince-q @ Cascade Lodge BBS
Hmmmm...
Is this thing working?????
You gots to blow on it, or jiggle it :-)
http://blog.chromium.org/2011/06/new-chromium-security-features-june.html
chrome://net-internals/#hsts
^^^ mandatory SSL and certificate pinning for Chrome
http://technet.microsoft.com/en-us/security/jj653751
^^^ finer control over ASLR, the NX bit, stack smashing for Windows, and certificate pinning for IE
Okay, throwing out some weird here...
Remember IPX/SPX?
I wonder if it's still possible to set up a functioning network with those protocols today, and what limitations one might expect from it.
Hmmm...
You could probably build a local network with it. Good luck getting your hands on something to route traffic between different IPX subnets.
(Horrible memories of routers with fixed size RIP/SAP tables and seeing networks and services randomly drop off the network...)
I do think that the deployment of IPv6 is going to bring back some of the old IPX traditions. An IPX address was 32 bits of network and 48 bits of host, with the host side being a MAC address. IPv6 can autoconfig based on MAC address when the subnet size is /64 (as is recommended and typical). I think we'll see a lot of "let it autoconfig and register itself with DNS" which is an awful lot like "get an address from RIP and register your name with SAP"
For what I'm thinking, the machines would not require routing (they're all on the same segment).
But then, I suppose I could use NetBEUI as well. I just don't know if NetBEUI is available for Linux.
Yeah, I think IPX/SPX is more the way to go, if we elect to go down the road of an alternative protocol.
We can't use something that goes over TCP/IP for our purposes... we're trying to hide communications on the LAN (so students do not confuse our traffic for the kind of traffic they seek in their lessons).
We have other alternatives, but they aren't necessarily very good (e.g. virtual serial ports).
Hm. Even better, there's SCTP.
It's a protocol that has been around a while, but remains supported in some fashion. I can even download a user-land stack for it that can be compiled on Linux or Windows, and it looks to be better able to avoid SYN attacks.
Works over IP. Hm. Neat stuff.