Wednesday, March 28, 2012

SSH Debugging: Public and Private Keys




Abstract:

Earlier articles in this series covered forwarding ports with SSH over an encrypted tunnel and setting up automatic SSH auto-login over an encrypted tunnel. This third article discusses a particular problem in which different clients show different login symptoms while trying to log into the same server.

Solaris 10 Client Symptom:

If a Solaris 10 client cannot get a password prompt from a server, you might see the following error:

solaris10/user$ ssh badserver
no common kex alg: client
'diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1', server
'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g=='

Solaris 9 Client Symptom:

If a Solaris 9 client cannot get a password prompt from the same server, you might see a shorter version of the error:

solaris9/user$ ssh badserver
no kex alg

Solaris Server Root Cause:

If Solaris 9 and Solaris 10 clients both fail against the same server, check whether the private and public ssh host keys are missing from the server's /etc/ssh directory:

badserver/root# ls -al /etc/ssh
-rwxr-xr-x 1 root sys 88301 Jan 21 2005 moduli
-rwxr-xr-x 1 root sys 861 Jan 21 2005 ssh_config
-rwxr-xr-x 1 root sys 5025 Aug 6 2010 sshd_config

The /etc/ssh directory should look more like the following:

goodserver/root# ls -al /etc/ssh
-rw-r--r-- 1 root sys 88301 Jan 21 2005 moduli
-rw-r--r-- 1 root sys 861 Jan 21 2005 ssh_config
-rw------- 1 root root 668 Apr 10 2009 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 Apr 10 2009 ssh_host_dsa_key.pub
-rw------- 1 root root 887 Apr 10 2009 ssh_host_rsa_key
-rw-r--r-- 1 root root 222 Apr 10 2009 ssh_host_rsa_key.pub
-rw-r--r-- 1 root sys 5372 Feb 12 21:49 sshd_config
-rw-r--r-- 1 root sys 5106 Dec 15 12:30 sshd_config.orig

Creating Server Keys:

Log into the server that is refusing connections with these errors and is missing its ssh host keys, and create the keys. On Solaris 10 the SMF method script for sshd can generate them directly:

badserver/root# cd /etc/ssh
badserver/root# /lib/svc/method/sshd -c
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair

badserver/root# ls -al ssh_host*key*
-rw------- 1 root root 668 Mar 28 22:26 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 Mar 28 22:26 ssh_host_dsa_key.pub
-rw------- 1 root root 887 Mar 28 22:26 ssh_host_rsa_key
-rw-r--r-- 1 root root 222 Mar 28 22:26 ssh_host_rsa_key.pub

Restarting SSH Service:

Once the server's public and private host keys have been created, the ssh service needs to be restarted so that sshd picks up the new keys.

badserver/root# /usr/bin/svcs ssh
STATE STIME FMRI
online May_21 svc:/network/ssh:default
badserver/root# /usr/sbin/svcadm restart ssh

Validating Repair:

The final step in any repair is validation. In this case, an ssh login from the previously failing client is attempted.

solaris10/user$ ssh badserver
Last login: Wed Mar 28 22:48:57 2012 from solaris10
Oracle Corporation SunOS
5.10 Generic Patch January 2005
INTR=Ctrl-C ERASE=Ctrl-H KILL=Ctrl-U
badserver/user$
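The manual "ls -al" check above can be turned into a repeatable pre-flight script. The following is an added example, not code from the original post: check_ssh_host_keys audits a directory for the rsa and dsa host key pairs sshd needs before it can complete key exchange, and repair_ssh_host_keys runs the Solaris 10 repair shown above only when that audit fails. The directory argument, the function names and the sample key files in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/ssh directory
# for the host key pairs sshd needs, reporting anything that would leave
# clients with "no kex alg" / "no common kex alg". Backticks are used so the
# script also runs under the old Bourne /bin/sh shipped with Solaris.

# check_ssh_host_keys DIR -> prints findings; returns 0 only when both the
# rsa and dsa pairs exist, are non-empty, and the private keys are mode 600
# (the -rw------- shown in the goodserver listing above).
check_ssh_host_keys() {
    dir="$1"
    rc=0
    for type in rsa dsa; do
        priv="$dir/ssh_host_${type}_key"
        pub="$priv.pub"
        if [ ! -f "$priv" ]; then
            echo "MISSING: $priv (clients will fail key exchange)"
            rc=1
            continue
        fi
        if [ ! -f "$pub" ]; then
            echo "MISSING: $pub"
            rc=1
        fi
        # Private host keys must be readable by root only.
        mode=`ls -ld "$priv" | cut -c1-10`
        if [ "$mode" != "-rw-------" ]; then
            echo "BAD MODE: $priv is $mode, expected -rw-------"
            rc=1
        fi
        # An empty key file is as bad as a missing one: sshd refuses to load it.
        if [ ! -s "$priv" ]; then
            echo "EMPTY: $priv"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: host key pairs present in $dir"
    return $rc
}

# repair_ssh_host_keys [DIR] -> the Solaris 10 repair from the post, run only
# when the audit fails. Needs root; on a non-SMF system it just reports.
repair_ssh_host_keys() {
    dir="${1:-/etc/ssh}"
    check_ssh_host_keys "$dir" && return 0
    if [ -x /lib/svc/method/sshd ] && [ -x /usr/sbin/svcadm ]; then
        (cd "$dir" && /lib/svc/method/sshd -c) || return 1
        /usr/sbin/svcadm restart ssh || return 1
        check_ssh_host_keys "$dir"
    else
        echo "Not a Solaris SMF host; generate host keys with ssh-keygen instead" >&2
        return 1
    fi
}

# Usage: sh check_ssh_host_keys.sh /etc/ssh   (audit only, safe as non-root)
[ $# -gt 0 ] && check_ssh_host_keys "$1"
```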

Monday, March 26, 2012

SPARC: Life in the Fast Lane - 10 Months Later


[aggregate computing power in the HPC list, by processor architecture]

Abstract:

SPARC, being a standard by which any vendor can create a binary compatible processor to leverage readily available applications, has been at the top of the HPC charts in the past, but not on top for some time. About 10 months ago, Japan skyrocketed to the top of the Top 500 list of high performance computing systems world-wide. Fujitsu, a multi-vendor and open systems equipment manufacturer, designed a new SPARC processor. Fujitsu designed the interconnect, CPU, hardware platform, file system, and overall MPP system to make their mark.



[Rikagaku Kenkyusho (Riken) research lab in Kobe, Japan - image from The Register]

The Fujitsu MPP System

The Japanese Government funded Fujitsu to implement the K machine under Project Keisoku, which the Japanese government often referred to as the Next Generation Supercomputer Project. The massively parallel processing (MPP) system cost approximately $1.2bn and was implemented using standard general purpose CPUs, without the need to leverage graphics co-processor cards. The Register wrote in November 2011:

The K super is based on the "Venus" Sparc64-VIIIfx processor designed by Fujitsu and fabbed by Taiwan Semiconductor Manufacturing Corp. The eight-core Venus chip clocks at 2GHz and delivers 128 gigaflops per chip, has a thermal efficiency of around 2.2 gigaflops per watt, and dissipates around 58 watts.

The K super has 22,032 four-socket blade servers fitted into 864 server racks to bring 705,024 cores...

Many newer systems use graphics co-processor cards in order to meet higher floating point processing requirements, so this system was a real shocker to the rest of the community. The former #1 contender had established itself about 8 months earlier: the Chinese Government funded Tianhe-1A, a CPU-GPU hybrid system using Intel CPUs, NVidia GPUs, and Chinese designed SPARC CPUs.

Many speculated that HPC systems could no longer compete without GPUs, yet Fujitsu's SPARC platform proved them wrong by a wide margin. The Fujitsu general purpose SPARC supercomputer has remained #1 for longer than the former CPU-GPU hybrid.


[Fujitsu's PrimeHPC FX10 upgrade to the K super computer - image from The Register]
The Building Blocks

Fujitsu, who has a long history of building mainframe class systems as well as SPARC based processors, decided to commoditize their #1 K supercomputer in the form of the PrimeHPC FX10. The Register also wrote about its massive scalability in November 2011:

The PrimeHPC FX10 machine will scale from 4 to 1,024 cabinets, sporting between 384 and 98,304 nodes. In the K architecture, each socket on the four-socket blade is a unique node in the cluster. This is also true for the FX10 super.

The new building block uses 16 core processors instead of 8 core processors, granting the overall commercial system a total high-end capacity of 1,572,864 cores - double the capacity of their #1 supercomputer, released just months earlier.

[Top 500 super interconnects share, by system capacity - courtesy The Register]
The Interconnect

The interconnect is sometimes the least interesting component in a system. Some systems use 1 or 10 gigabit Ethernet, others use InfiniBand. In the case of the Fujitsu system, the "secret sauce" is their proprietary "Tofu" interconnect.

[Fujitsu's FEFS is based upon Oracle Lustre]

The File System

The file system used by both of Fujitsu's supercomputers is based upon the Sun/Oracle Lustre file system; Fujitsu calls it FEFS, the Fujitsu Exabyte File System.


[The PrimeHPC blade server with Tofu interconnect chips on the left - courtesy The Register]
Four Nodes per Blade Card

In the MPP world, a node is sometimes considered a chassis, other times a card. In Fujitsu's SPARC64 PrimeHPC system, a node is built around a socket on a card. With the K super computer, there were 8 cores per socket. With the new Prime HPC blade, each socket holds 16 cores.


[The SPARC64 IXfx floorplan - courtesy Fujitsu]
The SPARC Socket

The SPARC64 VIIIfx and IXfx are not terribly unique in the marketplace. Sun and Oracle had offered 8 and 16 core processors before Fujitsu - but Sun, Oracle, and Fujitsu were the market leaders, and all three companies were (and are) doing an open systems based SPARC design. While the rest of the HPC market seemed to concentrate on proprietary CPU vendors, perhaps this is what made these three companies unique.

SPARC Comparison        SPARC64 VIIIfx                SPARC64 IXfx
Number of cores         8 cores/socket                16 cores/socket
Clock frequency         2 GHz                         1.848 GHz
L1 Cache                I: 32KB/core, D: 32KB/core    I: 32KB/core, D: 32KB/core
L2 Cache                6 MB (shared cache)           12 MB (shared cache)
Peak performance        128 Gigaflops                 236.5 Gigaflops
Memory throughput       64 GB/s                       85 GB/s
Power consumption       58 Watts                      110 Watts
Process                 45 nm                         40 nm
Die size                22.7 mm × 22.6 mm             21.9 mm × 22.9 mm
Number of transistors   ~760 million                  ~1.87 billion



[The SPARC64 IXfx core - courtesy Fujitsu]
The SPARC Core

The SPARC64 core is an extension of the SPARC V9 architecture. Various enhancements were made by Fujitsu to each core. Some of the features are as follows:


  • 64 bit processing
  • Standard SPARC-V9 instruction set, with enhancements
  • Floating point registers expanded from 32 to 256
  • Combined integer and floating point unit
  • 2 SIMD (single instruction, multiple data) operations per cycle
  • 8 floating point operations per cycle
  • New floating point trigonometric functions
  • New floating point reciprocal approximation of divide/square root
  • New floating point minimum and maximum operations
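As an added cross-check, not part of the original post, the peak performance, efficiency and core-count figures quoted above all follow from the comparison table and the 8 floating point operations per cycle per core listed here (the symbols $P$, $\eta$ and $N$ are introduced for this derivation only):

$$
\begin{aligned}
P_{\text{VIIIfx}} &= 8\ \text{cores} \times 2.0\ \text{GHz} \times 8\ \tfrac{\text{FLOP}}{\text{cycle}} = 128\ \text{GFLOPS}, \\
P_{\text{IXfx}} &= 16\ \text{cores} \times 1.848\ \text{GHz} \times 8\ \tfrac{\text{FLOP}}{\text{cycle}} \approx 236.5\ \text{GFLOPS}, \\
\eta_{\text{VIIIfx}} &= \frac{128\ \text{GFLOPS}}{58\ \text{W}} \approx 2.2\ \text{GFLOPS/W}, \qquad
\eta_{\text{IXfx}} = \frac{236.5\ \text{GFLOPS}}{110\ \text{W}} \approx 2.15\ \text{GFLOPS/W}, \\
N_{\text{K}} &= 22{,}032\ \text{blades} \times 4\ \text{sockets} \times 8\ \text{cores} = 705{,}024\ \text{cores}, \\
N_{\text{FX10,max}} &= 98{,}304\ \text{nodes} \times 16\ \text{cores} = 1{,}572{,}864\ \text{cores}.
\end{aligned}
$$

The IXfx thus delivers almost twice the VIIIfx's throughput per socket at roughly the same flops per watt, which is why the FX10 doubles the K core count without changing the four-socket blade layout.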


[The SPARC64 history and roadmap - courtesy Fujitsu]
The SPARC Roadmap

The SPARC64 processor has a long history, which pre-dates the acquisition by Fujitsu. The latest processor appears to be just another in the long progression of the SPARC64 line. It appears that Sun dropped SPARC out of the HPC arena, after being purchased by Oracle - but it also appears that Fujitsu decided to aggressively pursue this arena.

Conclusions

Both Oracle and Fujitsu are independently pursuing SPARC in disjoint, non-overlapping markets. They are not the only vendors creating new production quality SPARC processors (as noted by the former #1 HPC system from China). SPARC appears to have a long road ahead, being implemented by multiple vendors, with each implementation performing best in its class.

Friday, March 23, 2012

Free 4G Wireless Internet



Abstract:
Wireless cellular and packet protocols are typically described by category; the higher the category, the faster the performance. The categories are loosely defined by the International Telecommunication Union Radiocommunication Sector (ITU-R) and organized by generation. The first vendor has appeared on the market offering free 4G.


Wireless History:

New wireless generations seem to be appearing regularly every 10 years since the 1980's, with the latest being 4G.
0G - Mobile Radio Telephone, appearing in 1946
1G - Analog, 22kb/s-56kb/s, appearing in 1981
2G - Digital, 56kb/s-236.8kb/s, appearing in 1992
3G - Multi-Media, 200kb/s peak rate, appearing in 2001
4G - Packet based Internet Protocol, 1 gigabit peak rate, 2010-2011

It should be noted that there is a wide gap between 3G and 4G as far as capacity is concerned. There are many intermediate steps, which vendors have branded 3.5G, 3.75G, or even 4G (if the technology has on its "roadmap" the ability to meet 4G specifications, as WiMAX has done).


Internet Access:

The Internet was a term coined with access to the U.S. Military Department of Defense's TCP/IP network. Early on, this was done through cooperation between different U.S. government organizations as well as through the public and private university systems within the United States.

Regular American citizens started gaining access to the Internet in the 1990's via dial-up access, providing 300b/s-56kb/s. Various corporations managed to raise enough investment to provide this access. In the late 1990's, free dial-up internet services started to become available through corporations like NetZero and FreeServe. As users started to migrate from dial-up to broadband (see below), lawsuits started to be filed between major players in a shrinking market (like NetZero and Juno), resulting in consolidation and the creation of United Online (NetZero and Juno together created the second largest internet access provider). Towards the end of popular dial-up access to the Internet, major providers included AOL, United Online, MSN, Earthlink, and AT&T Worldnet.

Performance was enhanced in the 2000's via broadband or high-speed access, commonly via DSL, satellite, and cable. The telco market was regulated, forcing the telcos to allow access from third-party internet service providers (ISPs). In order to encourage quicker adoption of faster technology, the regulations were loosened, consolidating internet access to several cable, several telco, and several satellite providers. Free broadband providers were never able to become profitable.


Internet Access and Wireless Convergence:

Internet access became possible via diverse wireless telco networks: as the wireless telephone companies diversified, wireless data access became more desirable, and the back-haul links to the cell towers became more robust. Internet access based upon cellular networks started becoming more competitive.


Free Internet Access over Wireless:

The local area network WiFi protocol has become nearly ubiquitous, with locations offering free internet access via WiFi in hotels, coffee shops, book stores, and even automobile service stations.

The drawback to this methodology is that people must remain in a fairly confined area. This restriction has been pretty reasonable for many people, just as "free beer" may only be available at a frat house.


Free internet access provider NetZero helped to pave the way for free internet in the dial-up era. United Online is now prepared to offer free internet access over 4G via its NetZero subsidiary - with the purchase of equipment, and for a period of 1 year (for 200MBytes of data). After the first year, the $9.95 plan must be purchased, providing 500MBytes of data. Using WiMAX technology, now being billed as a 4G technology, people can walk or drive around and have access to the internet.

The drawback is clear: with the purchase of the hotspot or USB dongle, Internet is only free for 1 year. No one has a right to complain how long something is free, the consumer just needs to decide how good of a deal it is for them.

Network Management Connection:
With the rapid expansion of wireless as an access mode and the rapid cost reduction in internet access for wireless devices, inexpensive and massively scalable network management tools will become a requirement.

Tuesday, March 20, 2012

Mobile Update: Android and Windows



Abstract:

Developers in an ecosystem will often foretell adoption by creating content to drive demand for a product. The mobile market has been gauged by this same phenomenon.

Developers and Android:

While the chart is not linear (a mistake; it should have been drawn as a time-series graph), it seems to show some very interesting trends: developer interest in Android appears to have peaked and is declining for both phones and tablets; interest in iPhone development shows an ever so slight decline; iPad is holding steady; interest in Windows mobile is rising; BlackBerry is dropping like the proverbial stone.


People have been commenting that the wrong statistics are being followed, that it is not happening, that the market share figures are not accurate, etc. - but there seems to be some discontent with the Android market from a developer's standpoint.

This is not the entire story - Android has a terrific price point, marketshare grows for Android at an astounding rate (as we will see shortly.) There is still some level of comfort that developers and consumers have with iOS, but one can never know how long that will last for - the marketplace is fickle.

Windows Clunky & Crashy:

While Windows for mobile devices seems to be capturing more developer market share, it still looks very clunky during various demonstrations. Note the multiple [thick] cables hanging off the tablet on the left, one with what seems to be an ugly adapter... one would not be surprised if all those cables place a great deal of strain on the tablet connectors and reduce longevity. They certainly reduce the ability to use the tablet in a free-flowing way. If I were presenting at Convergence 2012, I would not want to use that device.


The worst possible thing happened (again) when Microsoft was presenting at Convergence 2012 - a crash and burn of their new tablet.


You've got to hand it to Kirill Tatarinov, the head of Microsoft's ERP division. The Russian Rocket was cool as a cucumber on Monday when a demo of the Windows 8 Metro UI running on a touch-screen tablet crashed and burned during the opening keynote of Convergence 2012.

Sometimes one has to feel bad for these presenters. Having done multiple demos in the past, it is not very fun to have something like this happen, but it is not uncommon for Microsoft. It does not get any better once you have a conference facility filled with people, networking at its capacity peak, and power being drawn on a massive scale.


Windows Sinking, Android Skyrocketing:

This time last year, Microsoft mobile handset users experienced crashes on a massive scale after a patch. Less than 1 year later, mobile Windows handset sales collapsed while Android skyrocketed with what appears to be brand-new market share. Apple continued to make measured but modest gains.



Network Management Connection:

Wired infrastructure is critical, but it seems to be quickly becoming relegated to the back office. Front-office work moved towards laptops (which started outselling PCs in 2003, 2005, 2008), which often had wireless built in for mobility. The trend continues to move mobile with smart phones and tablets. The previous Gartner market share chart (the unit counts, not the percentages) tells all: an increase in overall units from 81 million units sold to 115 million units sold in the 3rd quarter, in just 1 year!

Wireless is THE PLACE to be in the network management world. If you do not have a grasp on your wireless network, you need to figure out how to get one. People are clearly becoming untethered, regardless of what the Microsoft Mobile presenters are doing with their tethered and crashing tablets.

Tuesday, March 6, 2012

Wireless Breakthroughs: Full Duplex and Unlimited Channels


[TheRegister's article on new antenna technology]

Abstract:
Wired communication had traditionally been point-to-point, through technologies such as POTS (Plain Old Telephone System), ISDN, TCP/IP, etc. Wireless communication had traditionally been point-to-multipoint, through broadcast technologies such as radio, television, and satellite. With the convergence of technologies, wireless and wired have been competing with one another in all markets, but wireless had traditionally been saddled with shortcomings, such as half-duplex operation and limited frequency spectrum, that wired communication had long since overcome. These challenges are now being addressed in wireless.


[GizMag's article on full duplex radio]
Full Duplex Wireless Radio:
Full duplex is the ability to transmit at the same time as receiving information. Around this time last year, in 2011, it was reported that:
Stanford University researchers have found a way to double the capacity of wireless networks, while at the same time making them more reliable and efficient.
Full duplex matters for operations such as one person on a wireless phone speaking at the same time as another person on one or more other wireless phones.


Many Channels, One Radio Frequency:
Channels within a radio frequency provide the ability for multiple pieces of wireless equipment to share a piece of wireless spectrum. Traditionally, multiple channels can be bound together between devices to get more bandwidth, or fewer channels can be used between devices to allow more devices to share the wireless spectrum. A new capability was recently demonstrated:
We have shown experimentally, in a real-world setting, that it is possible to use two beams of incoherent radio waves, transmitted on the same frequency but encoded in two different orbital angular momentum states, to simultaneously transmit two independent radio channels.
With the addition of this capability, more devices may be able to operate in the same area, and higher bandwidth communications (i.e. high definition video) may be able to easily function wirelessly.

Security Implications:
Wired infrastructure is generally more secure, being a point-to-point infrastructure built with technologies such as switches. As the movement from wired to wireless infrastructure occurs, encryption becomes ever more important, especially for management protocols, since wireless traffic can be received by any radio within range rather than only by the port it was switched to.


[SPARCT4 Micrograph from NetMgt article]
Network Management Connection:
With the capabilities of wireless communication becoming more robust, the need to use wired communication to edge devices such as desktops in a business, may become a thing of the past. Network Managers need to take this into consideration when planning their next generation network management platforms.

If a network management platform is not running SNMPv3 and it is not running SSH or HTTPS for configuration - it is time for it to be thrown out. The vast majority of devices will all be connected wirelessly in the very near future - security is of the essence. Network Management platforms which support encryption, such as the SPARC T processor series, will become increasingly important when managing these wireless environments.

Sunday, March 4, 2012

POWER: Loss of Sony Playstation Platform


[Sony Playstation 3]


The Market Leaders:
Sun Microsystems introduced the RISC architecture SPARC in mid 1987. SPARC was registered as a trademark of SPARC International, Inc., an organization established in 1989 to promote the SPARC architecture, manage SPARC trademarks, and provide conformance testing. Sun produced their systems on OpenFirmware, releasing it to the IEEE for standardization. SPARC found its home on workstations, spread to servers, and even to embedded systems such as the Sun Ray in the late 1990's.


[IBM POWER5 Multi-Chip Module]

The Rise of POWER:
IBM produced the POWER architecture, an expensive multi-chip module which provided outstanding performance at low volumes. On October 2, 1991, Apple, IBM, and Motorola decided to co-develop the POWER platform under the AIM Alliance to expand the ecosystem for RISC processors - producing a single silicon chip, high-volume RISC platform called PowerPC.

The Common Hardware Reference Platform (CHRP) for PowerPC was produced in 1994. CHRP platforms would require IEEE OpenFirmware (created by Sun) in 1995. To expand the POWER ecosystem, the "power.org" site was founded by IBM in 2004, nearly 20 years after SPARC, and 15 other companies joined as members. In 2006, Sony released the PlayStation 3 on the POWER architecture, expanding POWER into the gaming/entertainment sector.


SPARC Marches On:
In the 2000's, SPARC was no longer being used in the Sun Ray, but multiple vendors continued to produce SPARC processors. SPARC is an open specification, not a proprietary architecture, leaving multiple sources for this RISC processor. To drive this point home, Sun Microsystems completely open-sourced their UltraSPARC T1 CPU in 2006, making it freely available for any manufacturer to produce, and referred to the architecture as OpenSPARC.

Fujitsu released the high-performance 8 core SPARC64 VIIIfx in 2009. The 16 core SPARC T3 was released by Sun/Oracle in 2010. Fujitsu released another 8 core processor, the SPARC64 VII+, in 2010. Russia released the MCST-4R in 2010. Oracle released the 8 core SPARC T4 in 2011. Fujitsu is releasing the SPARC64 IXfx in 2012. Oracle is projected to release the SPARC T5 in 2012.


The Decline of IBM POWER:
Apple abandoned PowerPC for Intel in 2006, leaving IBM POWER without a desktop partner. Sony is rumored to discontinue use of IBM POWER for their gaming consoles in the PlayStation 4, starting the decline of POWER in the gaming market. POWER7+ from IBM is now nearly a half-year late and IBM has still not delivered as of March 2012.

Thursday, March 1, 2012

EMC Ionix: Scanning for SNMPv3

Abstract:
Network management is as old as the Internet. Various low level protocols and commands such as ICMP, ping, and traceroute were created in order to assist in basic debugging. Middle level protocols such as SNMP were created to help understand topology, health, and performance, as well as to facilitate configuration. EMC offers a management platform, formerly known as SMARTS, which supports SNMPv3, the Internet Standard management protocol.

SNMP - The Standard:
Wikipedia described SNMPv3:


As of 2004 the IETF recognizes Simple Network Management Protocol version 3 as defined by RFC 3411–RFC 3418 (also known as STD0062) as the current standard version of SNMP. The IETF has designated SNMPv3 a full Internet standard, the highest maturity level for an RFC.

Support by EMC:
Systems Management ARTS or SMARTS created a product called InCharge, which was designed around managing networks for large service providers. EMC later purchased the company, to consolidate larger management ambitions.

EMC is now rumored to be experiencing schizophrenia in its product management cycle - exiting the Enterprise market with the decision to abandon UNIX platforms such as IBM AIX, and considering an exit from its Managed Services market by experimenting with abandoning UNIX platforms such as Solaris.

With a product assumption, several portfolio name changes, and the abandonment of one core constituency after another, EMC appears to be at a point of crisis.

Service Providers and SNMPv3:
For service providers deciding to risk their fortunes on a leaderless vendor, there is one good thing to keep in mind: SMARTS InCharge, or EMC Ionix, or whatever they decide to call the dead product nowadays, does support SNMPv3.

To interrogate discovered devices in order to determine their SNMP support, the topology dump can be leveraged:


sun9999/user$ sm_tpmgr -s AM-99 --dump-agents

To test an edge device for SNMPv3 capabilities, a simple get of sysObjectID (.1.3.6.1.2.1.1.2.0) is almost thorough enough. The loop body below expects the SNMPv3 user, authentication and privacy parameters in shell variables and the device name in ${Node}:


sun9999/user$ sm_snmp --useif=10.11.12.13 --snmp=3 --user=${User} --auth=${Auth} --authPass=${AuthPass} --priv=${Priv} --privPass=${PrivPass} --dest=${Node} get .1.3.6.1.2.1.1.2.0 2>&1 && echo "Test: Success: ${Node}\n" || echo "Test: Failed: ${Node}\n"

MAIN-N-Using interface 10.11.12.13
SNMP-N-EUSMUSER-[USM]: Unknown User Name
Test: Failed: TestDevice.TestDomain.org

MAIN-N-Using interface 10.11.12.13
Error: authorizationError.1.3.6.1.2.1.1.2.0 = Null
Test: Success: SE_Corp_Banregio_Mty

MAIN-N-Using interface 10.11.12.13
.1.3.6.1.2.1.1.2.0 = noSuchObject
Test: Success: TestDevice.TestDomain.org

MAIN-N-Using interface 10.11.12.13
.1.3.6.1.2.1.1.2.0 = .1.3.6.1.4.1.43.1.16.4.2.21
Test: Success: TestDevice.TestDomain.org

Caveats:
This script provides a Success or Failed flag, but this does not guarantee the device is fully discoverable.


  • A successful return is not a guarantee of full SNMPv3 usability
  • Authorization errors return a NULL and an error message with a Success flag
  • Permission issues may return a "noSuchObject" get result message with a Success flag

A combination of the Success flag with the content of the result will provide a highly likely assessment of whether the discovered device may be fully SNMPv3 supportable.
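The following is an added example, not code from the original post or from the EMC product: it implements the caveat above by classifying the content of the sm_snmp response rather than trusting its exit status alone. The four sample responses are constructed from the outputs shown in the post; classify_snmpv3_probe, probe_device and the Useif variable are names assumed here for illustration, and the sm_snmp flags are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): combine the Success flag with
# the returned content so that "authorizationError" and "noSuchObject" are no
# longer reported as usable SNMPv3 agents. Backticks keep it Bourne-compatible.

# classify_snmpv3_probe: reads one sm_snmp result on stdin and prints a verdict.
# Exit status is 0 only when sysObjectID actually came back with an OID value.
classify_snmpv3_probe() {
    out=`cat`
    case "$out" in
        *"Unknown User Name"*)
            echo "NO_USER: the USM user is not configured on the agent"; return 1 ;;
        *"authorizationError"*)
            echo "NO_AUTH: user known, but the agent refused access (NULL result)"; return 1 ;;
        *"noSuchObject"*)
            echo "NO_VIEW: user accepted, but sysObjectID is outside the permitted view"; return 1 ;;
        *".1.3.6.1.2.1.1.2.0 = .1."*)
            echo "OK: sysObjectID returned, agent looks fully SNMPv3 usable"; return 0 ;;
        *)
            echo "UNKNOWN: unrecognised response, inspect manually"; return 1 ;;
    esac
}

# probe_device NODE: the sm_snmp get from the post, piped into the classifier.
# User, Auth, AuthPass, Priv, PrivPass and Useif are assumed to be set by the
# caller, as in the post. Not exercised here; requires the EMC tools.
probe_device() {
    sm_snmp --useif="$Useif" --snmp=3 --user="$User" --auth="$Auth" \
        --authPass="$AuthPass" --priv="$Priv" --privPass="$PrivPass" \
        --dest="$1" get .1.3.6.1.2.1.1.2.0 2>&1 | classify_snmpv3_probe
}

# Constructed samples, one per response shown above (not captured live here).
SAMPLE_NO_USER="MAIN-N-Using interface 10.11.12.13
SNMP-N-EUSMUSER-[USM]: Unknown User Name"
SAMPLE_NO_AUTH="MAIN-N-Using interface 10.11.12.13
Error: authorizationError.1.3.6.1.2.1.1.2.0 = Null"
SAMPLE_NO_VIEW="MAIN-N-Using interface 10.11.12.13
.1.3.6.1.2.1.1.2.0 = noSuchObject"
SAMPLE_OK="MAIN-N-Using interface 10.11.12.13
.1.3.6.1.2.1.1.2.0 = .1.3.6.1.4.1.43.1.16.4.2.21"

# Run the classifier over the samples; only the last one is a usable agent.
for s in "$SAMPLE_NO_USER" "$SAMPLE_NO_AUTH" "$SAMPLE_NO_VIEW" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_snmpv3_probe
done
```

Only the OK verdict should feed a device into SNMPv3 discovery; the other three name the configuration that still has to be fixed on the agent side.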