Threads for Vigdis

  1. 4

    No, it hasn’t. The page is there in preparation for the release but it has not yet actually been released.

    1. 5

      It hasn’t been properly announced but sets/packages are already available on the mirrors e.g. https://fastly.cdn.openbsd.org/pub/OpenBSD/7.1/

      1. 4

        I’d argue if it’s not announced it’s not released. Also sets and packages could in theory still be overwritten.

        1. 1

          I’d argue further if the release date on the page itself doesn’t yet exist, it hasn’t been released.

          Released May ?, 2022.

          1. 4

            They just actually released! :)

            Including an announcement from The de Raadt:

            https://marc.info/?l=openbsd-announce&m=165054715122282&w=2

            Maybe vermaden knew more?

            1. 2

              Haha. Whelp, I’ll go back to my corner.

              1. 1

                It’s all in the commits…

            2. 1

              Received email from Theo (from the announce maillist).

              We are pleased to announce the official release of OpenBSD 7.1.

              Therefore I consider it officially released, now.

          2. 5

            I assumed that if OpenBSD Webzine states that - then it’s released - sorry, my bad :)

          1. 3

            it reads so simple. I’d love to know how long this whole endeavor took you.

            1. 10

              I began this journey in December 2020, so it was over the last 14 months. Trying to think back about it, I’d say

              • 10 hours to find how to do it (i.e. pick the RIR, pick a sponsoring org etc)
              • 3 hours to deal administratively with Grifon/RIPE
              • 30 hours to find/deal with hosting providers, installing a new VM (I had two VMs that I no longer have because of the unsatisfactory quality of service)
              • 8 hours learning more than the basic traffic engineering I knew
              • 15 hours doing sys/netadmin, writing ansible stuff, moving from my initial simple network tunneling setup to this bgp mesh tunneling setup
              • 5 hours writing my igpd before I aborted
              • 30 hours writing this blog post haha, this took so loooong

              +/- 25% for each, since I’m not sure how long it took me

              Playing with BGP was probably between 1 and 5% of the overall time. BGP is quite simple and works very reliably, which is both a curse and a blessing :)

              1. 2

                This is a great post, thanks for sharing it! I started my own AS a few years ago, but the “kick start” was receiving a v4 block from ARIN after being on their waiting list for 2 or 3 years… Once I had a block, I was able to announce to my upstream provider, but rather than a VM, it was from a dedicated server at a cheap colo DC. It has now grown, and I host a friends’ business internet, and have also joined the local internet exchange. It was an awesome learning experience so far. Cheers!

                1. 1

                  Appreciate the detailed break down. Thank you! :)

              1. 1

                I love the article, but one minor point I didn’t quite follow — If your preferred solution was native IPv6, which is presumably unencrypted, why was lack of tunnel encryption a deal-breaker?

                1. 3

                  Good point!

                  The tunnel endpoint would have likely been “far” network wise. So if I visit e.g. a no-tls website, the non encrypted packets would take a longer path (so the security risk increases) than it would have with native IPv6.

                  That said, my homemade routing may make the path longer than using a tunnel from professionals like HE.

                  It’s probably not a good argument haha

                1. 1

                  As mentioned in my infrastructure blog post, I have multiple networks (VLAN) at home. Because I didn’t want to do some unholy things, I needed to have a /64 per network, meaning multiple /64s for my home.

                  I don’t understand this part. Why can’t he split the network into multiple segments? What use case does anyone have for multiple /64 in their home? That’s 18446744073709551616 addresses per subnet.

                  1. 6

                    Each network needs to be a /64 for SLAAC to work.

                    1. 2

                      But that’s… a giant amount of addresses. Why is this? Not allowing smaller sizes looks as if we’re repeating the IPv4 mistakes?

                      1. 12

                        Because that’s the only functioning way we’ve been able to come up with for devices to be able to automatically configure themselves with a predictable persistent address without any conflicts.

                        The issue is that people seem to have a hard time comprehending just how big of a number 2^128 is. With that address space we could for example assign 2^32 /64’s to each IPv4 address (of which there are 2^32). We can give the entire IPv4 address space to each IPv4 address.

                        Additionally, RIPE strongly discourages assigning prefixes longer than /56, and in general recommends assigning end-customers a /48 or /56, and that assigning a /48 to all customers is the most practical address plan.
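The reasoning above (one /64 per link for SLAAC, and a delegation shorter than /64 so several VLANs each get their own) can be carved up mechanically. The following is an added example, not code from the original post or from any commenter; it uses Python's standard `ipaddress` module and a constructed delegation from the 2001:db8::/32 documentation range. The VLAN-id-in-the-subnet-bits scheme is one common convention, assumed here for illustration.

```python
import ipaddress

# SLAAC (RFC 4862 with 64-bit interface identifiers) needs exactly a /64 per link.
SLAAC_PREFIXLEN = 64


def subnets_available(delegated: str) -> int:
    """Number of /64s a delegated prefix can be carved into (0 if it is longer than /64)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > SLAAC_PREFIXLEN:
        return 0
    return 2 ** (SLAAC_PREFIXLEN - net.prefixlen)


def plan_vlans(delegated: str, vlan_ids) -> dict:
    """Map each VLAN id to its own /64, encoding the VLAN id in the subnet bits.

    A /56 leaves 8 subnet bits (256 /64s), a /48 leaves 16 (65536 /64s). A bare /64
    from the ISP has zero subnet bits, so only a single network can use SLAAC,
    which is exactly the constraint the thread is discussing.
    """
    net = ipaddress.IPv6Network(delegated)
    available = subnets_available(delegated)
    if available == 0:
        raise ValueError(f"{delegated} is longer than /64; SLAAC cannot work on it")
    plan = {}
    for vid in vlan_ids:
        if not 0 <= vid < available:
            raise ValueError(f"VLAN {vid} does not fit: {delegated} only holds {available} /64s")
        # Shift the VLAN id into the bits between the delegated prefix and the /64 boundary.
        base = int(net.network_address) + (vid << (128 - SLAAC_PREFIXLEN))
        plan[vid] = ipaddress.IPv6Network((base, SLAAC_PREFIXLEN))
    return plan


if __name__ == "__main__":
    # Hypothetical /56 delegation (constructed for this example, not from the post).
    for vid, prefix in plan_vlans("2001:db8:1234:ff00::/56", [1, 10, 20]).items():
        print(f"VLAN {vid:>3}: {prefix}")
```

Feeding the function a /64 with more than one VLAN id raises, which is the "unholy things" alternative the original post avoided: without a shorter delegation you would have to share one /64 across segments or give up SLAAC.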

                        1. 1

                          Thanks for the explanation. Indeed these numbers are just too large to properly imagine them…

                          Additionally, RIPE strongly discourages assigning prefixes longer than /56, and in general recommends assigning end-customers a /48 or /56, and that assigning a /48 to all customers is the most practical address plan.

                          Well, at least in Germany consumer ISPs seem to hand out /64 by default, though. I suppose one can ask to get a /48 or /58, though.

                          1. 2

                            Vodafone (previously Unitymedia) gives a /56 by default for IPv6-only cable, so it’s not uncommon.

                            1. 2

                              Well, at least in Germany consumer ISPs seem to hand out /64 by default, though. I suppose one can ask to get a /48 or /58, though.

                              When have consumer ISPs ever been known to follow guidelines. ;)

                              1. 1

                                Are you sure it’s the ISP specifically only giving a /64 and not the DHCP-PD client only taking a /64 out of the available /56?

                                1. 1

                                  That might actually be it. Sorry for the noise.

                                2. 1

                                  Just checked it, from Telekom I get a /56 without any interaction. As far as I know as a consumer you can ask for a /48 and as a commercial customer you just get a /48. A few years ago there was news about Telekom asking for a bigger prefix than a default ISP gets, because they wanted to follow the RIPE guidelines. As the biggest ISP in Germany they could argue this. As far as I know most ISPs in Germany do something similar.

                                  I’m not sure how it is handled for mobile access. As far as I know you get default slaac in a provider managed /64 and can request prefixes per dhcpv6. I can’t check this, because I don’t have mobile Internet.

                          2. 4

                            Thanks for the comment, I guess I should update my post to be more precise about what the problem is. As kyrias explained, it’s not the number of addresses, but to be able to use SLAAC.

                            1. 4

                              IoT is old, new is IoA (internet of atoms).

                              1. 1

                                I used to work for a now defunct IoT startup. Your comment wounds/intrigues me.

                            1. 1

                              So is this using provider independent (PI) IPv6 space, and would you be able to get your residential ISP to route this to your home?

                              1. 5

                                So is this using provider independent (PI) IPv6 space

                                Yes

                                would you be able to get your residential ISP to route this to your home?

                                that would be very cool, but the post is using tunnels (wireguard) to bring the network from their datacenter based VMs to their home

                                1. 3

                                  blake is right but I’ll try to give more details:

                                  is this using provider independent (PI) IPv6 space

                                  For my two /48s from RIPE territory, one is PI the other is PA. Not sure if something exists in ARIN land, but it’s like a PA.

                                  would you be able to get your residential ISP to route this to your home?

                                  I really don’t think so. My ISP and the ISP which own the last mile, both have IPv6 prefixes, so me not having IPv6 access is not because of a lack of prefix.

                                  My understanding of how it works in IPv4 is that my ISP “gives” the IP addresses to the last mile owner so they can put them on the last mile equipment. So it would mean I would need to give my ISP the IPv6 addresses, who would then give them to the last mile owner.

                                  1. 2

                                    Very few (if any?) eyeball networks (consumer ISPs) will send you full routes. Most people’s routers can barely route with a default, let alone handle the 3GB of RAM for each full table from ISPs.

                                    If you bumped up to commercial you may be able to find something? It’s going to set you back so much more than anything else because of the nature of peering.

                                    Sprint/T-Mobile and Comcast can get you circuits with BGP over them, but they obviously are not home style circuits (or even the basic commercial level of their normal service). Also, you’re still on an eyeball network, so you’re not getting much advantage from using BGP except for very basic fail over (losing all wireguard links from the article).

                                    The third aspect of this is that they are already advertising from near home. Most ISPs will only allow you to specify continent level preference. Their home internet probably doesn’t have a shorter path to anything than the VPC in Toronto except their own eyeball network. It would probably never be preferred for ingress. Then egress may all dump to the home ISP and you’d have to deal with asymmetric disputes (incoming ISP is fine with third ISP that home ISP is having a dispute with) and outages (eyeball network ISP’s router is oversubscribed and dropping outgoing packets only). You’re just going to depref all routes from that ISP anyhow. It would be fine as a third tier of peering usable as a fallback. Especially if you path prepend a bunch for incoming and depref locally for outgoing.

                                  1. 3

                                    The first step is firewall. I use ufw, a wrapper around iptables, and default to denying all access to everything other than ports 80, 443, and the non-default port I run my SSH server on.

                                    Did you test it?
                                    https://github.com/moby/moby/issues/4737
                                    https://blog.newsblur.com/2021/06/28/story-of-a-hacking/

                                    While searching for these links, I stumbled upon https://github.com/chaifeng/ufw-docker which people seem to love.
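The moby issue linked above is the classic trap behind this comment: ufw installs its rules in the filter table's INPUT path, while Docker publishes a container port by DNATing it in the nat PREROUTING -> DOCKER chain and accepting it in FORWARD, so a `-p 5432:5432` becomes reachable from the internet no matter what ufw says. The following is an added example, not code from the page or from the linked projects: it parses a constructed `iptables-save` dump (the rule layout mirrors what Docker and ufw generate, but the addresses and ports are invented) and lists published ports that the ufw policy never allowed. Run it against real output with `iptables-save | python3 check.py` style plumbing; the function names are this example's own.

```python
import shlex

# Constructed iptables-save excerpt (not captured from a real host): ufw in
# default-deny mode with 80/443/2222 open, plus Docker publishing 443 and 5432.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.3:8443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
"""


def _dport(tokens):
    """Return the --dport value of a tokenised rule as an int, or None."""
    for i, tok in enumerate(tokens):
        if tok == "--dport" and i + 1 < len(tokens):
            return int(tokens[i + 1])
    return None


def _rules(text, table):
    """Yield token lists for every '-A' rule inside the named table of a dump."""
    current = None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A "):
            yield shlex.split(line)


def ufw_allowed_ports(text):
    """Ports accepted by ufw's user INPUT chain (what the admin believes is open)."""
    return {_dport(t) for t in _rules(text, "filter")
            if t[1] == "ufw-user-input" and "ACCEPT" in t and _dport(t) is not None}


def docker_published_ports(text):
    """Host ports Docker DNATs into containers; these never traverse INPUT."""
    return {_dport(t) for t in _rules(text, "nat")
            if t[1] == "DOCKER" and "DNAT" in t and _dport(t) is not None}


def bypassed_ports(text):
    """Published ports reachable from outside although ufw never allowed them."""
    return sorted(docker_published_ports(text) - ufw_allowed_ports(text))


if __name__ == "__main__":
    print("ufw allows:      ", sorted(ufw_allowed_ports(SAMPLE_IPTABLES_SAVE)))
    print("docker publishes:", sorted(docker_published_ports(SAMPLE_IPTABLES_SAVE)))
    print("bypassing ufw:   ", bypassed_ports(SAMPLE_IPTABLES_SAVE))
```

The DOCKER-USER chain in the sample is where a fix belongs: Docker jumps to it before its own FORWARD rules and leaves it alone across restarts, which is the hook the ufw-docker project mentioned above relies on. Binding published ports to 127.0.0.1 (`-p 127.0.0.1:5432:5432`) sidesteps the problem entirely for services that only need local access.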

                                    1. 4

                                      Kubernetes! My org switched to it from Marathon, and after a slight period of annoyance, I’m excited to make the switch. I’ll try to pass the CKAD certification as a related goal.

                                      1. 1

                                        My org switched to it from Marathon

                                        Haha that was enough to notice you’re a (distant) coworker of mine!

                                        1. 1

                                          Hehe, it’s a small world!

                                      1. 1

                                        Any thoughts on Exoscale vs Vultr vs others?

                                        1. 2

                                          Exoscale is cheap and yet it’s perfect. The only drawback is they’re available only in Europe and I live in Québec so I have some unavoidable latency crossing the ocean.

                                          Vultr is quite good. I recently set up some BGP with them (https://www.vultr.com/features/bgp/) and while the support was reactive on a Friday evening (which I didn’t expect because I pay less than $10/month) the work was far from perfect. Other than that I think they’re a pretty good deal.

                                          But I mostly picked both because they officially support OpenBSD. While OpenBSD works fine on KVM virtualization, I don’t want to deal with the support blaming the OS for something unrelated, just because they don’t officially support the OS.

                                          1. 3

                                            There’s no such thing as perfect until you try Hetzner Cloud.

                                            Trust me, never looking back.

                                            1. 1

                                              I assume for BGP you have an IPv6 prefix? Curious what it was like getting one for yourself. As far as I’ve read it’s quite expensive and annoying to do it personally now.

                                              1. 1

                                                Yes my ASN is IPv6 only. I plan to write about that in my next article, but it may be a few weeks/months until I publish it!

                                                1. 1

                                                  Good to know, I look forward to reading it!

                                          1. 5

                                            With your knowledge of OpenBSD, I’m curious why your choice of Ubuntu for ZFS. What made you choose Ubuntu rather than (FreeBSD || HardenedBSD)?

                                            1. 3

                                              That’s a good question! It’s mostly because I’ve never really used {Free,Hardened}BSD so I know Ubuntu way better. Since I’ve been using Ubuntu for quite some time, I’ve some automation for it. Using Ubuntu was easier for me :)

                                              1. 1

                                                thank you! Great read :)

                                              1. 1

                                                ema posted part 1 and 2 but it seems part 3 hasn’t been posted. I missed it, so I guess others may have missed it too.

                                                1. 4

                                                  I love people documenting their own personal infrastructure/custom tooling (for any purpose). Please share other examples if you know of any :)

                                                    1. 2

                                                      Awesome, thanks.

                                                      I love that there’s description of real-world objects as part of the docs:

                                                      • Blue is for the main internet connection
                                                      • White is for internal connections
                                                      1. 2

                                                        Is that an AvE sticker?

                                                        1. 1

                                                          Yeah!

                                                      2. 3

                                                        I wrote what I was hosting last year: https://chown.me/blog/infrastructure-2019 I plan to publish a new article with the changes from 2020 in a few weeks. :)

                                                        1. 1

                                                          Sweet! This is exactly what I’m after.

                                                          Give me a shout when the new one gets posted.

                                                        2. 3

                                                          Here is mine - all in one file, single command deploy/rollback:

                                                          https://git.sr.ht/~jamii/tower/tree/master/item/tower.nix

                                                          1. 1

                                                            Oh cool! A few things to dig into :)

                                                            1. 1

                                                              Oh this makes me miss using NixOS on a server. Nice configuration.

                                                          1. 4

                                                            What’s your plan to prevent people from creating sockpuppet accounts to keep posting their own content?

                                                            1. 5

                                                              I don’t think I need a plan, as there are already rules against sockpuppets, right?

                                                              1. 3

                                                                It’s worth noting that I don’t go looking for sockpuppets except based on user reports. Most of the time they point out (or I notice) that an account is posting vacuous compliments to an article posted by their inviter/invitee, or that low-quality self-submissions regularly show up on the homepage from someone who invited a half-dozen accounts in a day. It’s an infrequent problem that’s not so overwhelmingly compelling that I think it’s worth searching for effectively by site changes like indefinitely retaining logs, recording an IP/browser fingerprint with all user actions, or otherwise adopting other off-putting techniques and tools common in web advertising.

                                                                1. 1

                                                                  Correct, also, it’s easy to link that, as Lobste.rs write-access is invite-only, and recorded.

                                                                  It’s trivial to see whether the sites an account is posting are the same as its “parent”.

                                                              1. 6

                                                                Why put the link behind an url shortener?

                                                                1. 3

                                                                  I flagged the domain as a url shortener so it can’t be used again.

                                                                  1. 2

                                                                    Because it’s been submitted before: https://lobste.rs/s/hirkhr/ultimate_personal_security_checklist

                                                                    OP is a spammer and I regret inviting them. @pushcx, please review.

                                                                    1. 0

                                                                      It’s not been submitted before - this is a different post, check the link first. The last one was “Security Checklist”; this is “Privacy-respecting software” :) - but yes, same GitHub accounts

                                                                    2. 1

                                                                      Tracking, I guess? I’m not sure why else it would be done in this case..

                                                                      1. 1

                                                                        yeah that’s what I assumed but since the link about privacy, I thought I asked OP first :)

                                                                        1. 1

                                                                          There’s no tracking on git.io URLs, it just makes them shorter, because this is a link to a file in a repo it was quite long. Sorry, won’t shorten again

                                                                        2. 1

                                                                          I used the URL shortener just to make it shorter, since it is a file in a mono-repo the path is crazy long. No malicious intentions, and I didn’t intend to hurt or spam anyone.

                                                                          It’s not for tracking (git.io claims not to track clicks), and it’s not because it’s spam, and it’s not because it’s been posted before (the previous post was a security checklist, this is a list of privacy-respecting software)

                                                                        1. 1

                                                                          Enjoyed reading this! Do you find that it’s worth it to run/maintain your own personal infrastructure? The various apps and sites I’ve built and maintain are on cloud providers, which has been really great from a plug ‘n play point of view. I’m interested in setting up something like what you’ve described, at least for the sake of learning about the tools and getting the chance to implement some of my own tooling, but feel like it might be more trouble than it’s worth.

                                                                          1. 3

                                                                            I’m glad to hear you enjoyed it :)

                                                                            If it’s worth it, I don’t know I guess it depends on your priority. I think it boils down to my personality. I hate to rely on people and to feel I owe someone so I don’t really use some random orgs services. I did it in the past and I’m glad that when something is broken, I can go and fix it myself (of course to an extent). I don’t like (nor trust) companies (as you can see with the joke about google killing their services). I tend to be paranoid security wise, I think about surely way too many threats (while being reasonable, i.e. the NSA is not one of them). Therefore, hosting my own stuff is not really a choice ;)

                                                                            And to be honest, part of it is also it really helps getting a job (as I work as a sysadmin/devops/SRE/whatever the current trend names it).

                                                                            I do enjoy doing it but it’s not 100% pleasure. I guess it’s like cooking: I don’t always enjoy it, but I feel like I have to, and most of the time, I enjoy the result!

                                                                            Scratch your own itch and try to have fun while doing so!

                                                                            1. 1

                                                                              Makes sense! I think this would be a really cool project for after I graduate and have more free time (which is soon thank goodness)!

                                                                          1. 1

                                                                            Great read! Very interesting.

                                                                            I found a minor typo in a link (Machines section - automated link): it’s https://chown.me/blog/upgrading-openbsd-with-ansible.html - no capital A in ansible ;)

                                                                            What Firewall are you using on your APU2? *sense, ipfire?

                                                                            1. 5

                                                                              I initially wrote “ansible” everywhere then I thought a capital was better so I used sed like a hammer :D Thanks!

                                                                              On the apu2, I run OpenBSD as well. A few years ago I ran OpenBSD for everything but hosting mastodon was too complicated (I don’t know the Ruby ecosystem well). I have some Ubuntu because containers make it easy to host stuff. Most of the stuff still runs on OpenBSD because I know the system well and being an OpenBSD developer I follow the project quite closely.

                                                                              I would still recommend for anyone to run OpenBSD on a router since it’s quite easy as PacketFilter is fucking awesome.

                                                                              1. 1

                                                                                Well, I guessed that. OpenBSD is great for that. I have an APU2 at home waiting for me to finish it.

                                                                                Did you just install a plain OpenBSD and configure everything? OPNsense and pfsense are both based on OpenBSD. Right now I have OPNsense installed.

                                                                                1. 4

                                                                                  Actually:

                                                                                  • OPNsense and pfSense are both based on FreeBSD.
                                                                                  • OPNsense is a fork of pfSense, which in turn is a fork of the good old m0n0wall (which was also based on FreeBSD).
                                                                                  • Deciso/OPNsense is working on a version that is based on HardenedBSD, which in turn is also based on FreeBSD. It should come out very soon[1].

                                                                                  So FreeBSD all the way with these routing/firewall operating systems ;).

                                                                                  I have used OPNsense since it came out on my APU2 (and later APU3 for another rack) and I can really recommend it! It’s very user friendly, easy to install and rather complete. I also really like that you can use LibreSSL instead of OpenSSL. I also use OpenBSD on another router (like the author) and that has also worked rock solid/stable for years now. The BSDs are great for firewalls/routing in my opinion.

                                                                                  [1] https://opnsense.org/about/road-map/

                                                                                  1. 1

                                                                                    Alright! My bad :D

                                                                                    I also really like OPNsense. I just have to figure out some stuff with my ISP and then I am ready to go

                                                                            1. 1

                                                                              Company: Vade Secure
                                                                              Company site: https://www.vadesecure.com
                                                                              Position(s): DevOps, sysadmin, SRE (whatever you call it ;))
                                                                              Location: France (Hem, Paris), Canada (Montreal, Vancouver) or Japan (Tokyo)
                                                                              Description: From our website:

                                                                              Vade Secure is a global leader in predictive email defense, protecting 600 million mailboxes in 76 countries. We help MSPs and SMBs protect their Office 365 users from advanced email threats, including phishing, spear phishing, and malware.

                                                                              While we have a bunch of openings, I’m mostly looking for some new coworkers in my Ops team. If you know emails and how to administrate a server, reach out to me? :)
                                                                              The opening’s pdf is available at https://box.vadesecure.com/index.php/s/iRFqWbXdrmbdwMc
                                                                              Contact: lobstershr@chown.me