Thursday, 16 November 2023

Decentralized versus distributed services

causa-arcana.com
A more correct, but less known diagram showing the difference between centralized, decentralized and distributed networks

In this article, I will talk about two approaches to creating services that do not depend on a single central node, and compare their prospects. It is not my goal yet to create a detailed classification of approaches with examples, although I hope to do so in the future.

By services I mean both familiar web applications, which you access by visiting a website, and distributed networks that provide services through client applications installed on a computer or smartphone. Recently, the difference between these concepts has become blurred, and for our study it does not matter.

Classification

Centralized services

In a centralized service, there is one highest decision-making authority. It doesn't matter how many physical servers it has. Nowadays, any busy service uses many servers in different parts of the world (a CDN, Content Delivery Network) to deliver content to the user faster. However, decisions about what information may be posted and who may access it are made by the owners of the service.

Examples of such services are familiar to everyone. I will list several services indicating the service they provide so that the reader can understand the further classification:

  • Blogger, Medium - text blogs.
  • YouTube, Vimeo, Dailymotion - video posting.
  • SoundCloud - audio hosting.
  • Dropbox, Google Drive, iCloud - hosting arbitrary files.
  • GitHub Gist, Google Docs - hosting and editing text documents.

The names of some of these services can evoke many unpleasant associations. Centralized services are often found to engage in censorship, leakage of unencrypted data due to access rights violations, and transfer of data to law enforcement agencies.

Decentralized services

In a decentralized service, there are many decision-making authorities. The user can choose the service provider whom he considers better. The most famous examples:

  • MediaWiki [1] is the engine that powers Wikipedia. If you are not satisfied with its policy, you can set up your own server or use many ready-made wiki site hosting services.
  • RSS allows users to create news feeds from a variety of sources that are not related to each other.

One type of decentralized service is the federated service. In it, many independent servers are combined into one network, and the user of any server has access to information located throughout the entire network. This allows for network effects, which are very important for the development of technology. The effect is that the usefulness of a network depends exponentially on the number of users. An example is telephony, which is more valuable to the subscriber the more subscribers he can contact. By the way, telephony can also be an example of a federated network, if you delve into the technical details of its implementation.

It is probably due to the network effect that in recent years federated architecture has become very popular among programmers creating analogues of centralized services. Here are some examples of such systems:

  • Matrix [2] is a messenger (its own protocol of the same name).
  • PeerTube [3] is a video hosting service (ActivityPub protocol).
  • Mastodon [4] is a microblog, an analogue of Twitter (ActivityPub protocol).
  • Diaspora [5] is a social network (its own protocol of the same name).

Despite all the advantages of a federated architecture, censorship is still possible in it, both at the level of individual users (deletion of a user account by the server owner) and at the federation level (blocking one server by another). The first forces you to choose a server with suitable rules instead of a more technically reliable and advanced one. The second greatly reduces the network effect.

Distributed Services

In a distributed service, there is no decision-making authority. We can also say that such an authority is the entire network, which makes decisions automatically due to its architecture. Thanks to this, the rules are universal and do not depend on the human factor and the content of stored or transmitted information. Often, information on a network is encrypted, and individual network participants do not know what information they are storing or transmitting. Examples of distributed networks:

  • Bitcoin [6] and other cryptocurrencies are based on blockchain technology. Network participants receive payment for confirming financial (and other) transactions, which are forever stored in the history of the network.
  • IPFS [7] is a global information storage. It works as a temporary cache, but it is also possible to use special services (paid or volunteer) that guarantee the safety of information.
  • Tor [8] is an anonymous network for bypassing blocking through exit nodes and accessing hidden services within the network. In both cases, no network node, except the end node, knows what information is transmitted through the network. Even the end node does not know who the information is transmitted to.

Developing distributed services for the most basic services is much more difficult than developing decentralized ones, because their operation is not guaranteed by one or many instances. They must reconcile the conflicting interests of many network participants. For this reason, they are not as common as federated services.

To implement more complex functions in distributed networks, a multilayer architecture is used. The base layer ensures uninterrupted storage and transmission of information, and the layers working on top of it provide the business logic. This is how, for example, the Lightning Network [9] works on top of Bitcoin. This is also how the Internet works (see the OSI model [10] and the TCP/IP stack [11]).

Problems and prospects

Let's look at what motivation drives the participants in decentralized and distributed networks, which ensures their work.

The main motivation is independence from centralized private services, which can impose arbitrary rules, including censoring information, displaying advertising or demanding payment. However, in a decentralized network, users are still dependent on the will of the provider they choose. This is called vendor lock-in. Users invest resources in promoting their content on their chosen platform, with their links leading to that platform.

There can be many reasons for censorship in decentralized services. Of course, no one wants to give a platform to offensive content. This applies to both volunteer services, which exist solely due to the goodwill of their owner or donors, and paid services, which depend on the opinions of clients.

Unfortunately, this neutralizes the network effect and does not allow decentralized services to compete with large corporations. In trying to solve the real and annoying problem of offensive content, technology creators and service owners are forgetting about the most important principle, which, among other things, contributed to the explosive growth in the popularity of the Internet. We will formulate it next.

The principle of technology neutrality

The principle goes like this: information technologies should be neutral in relation to the content of information.

A well-known special case of this is the principle of network neutrality. It means that network providers do not favor one kind of traffic over another. As a libertarian, I do not endorse such a principle as a law, but I fully support it as part of the contract between the client and the service provider. In recent years, it has been frequently written about in the media around the world. From these publications you can understand how important it is for the development of the Internet and for society.

As can be understood from the previous technical description, distributed systems allow this principle to be implemented much better than decentralized ones. Caleb James DeLisle, lead developer of cjdns technology, said it well:

At the heart of cjdns is the belief that social problems such as unjustified domain seizures and mass eavesdropping are the result of outdated protocols that put too much power in the hands of a few people.

Source [12]

I believe that the future lies with distributed services. Only they provide sufficient guarantees of information security so that users are willing to trust them with their information.

Does this mean that users are required to see offensive content? Of course not. The already mentioned multi-layered architecture allows the existence of rating services and agencies that the user can use in order not to see unwanted information or so that potentially unreliable information is flagged in a special way.

Friday, 3 November 2023

IPv6 Stateless Address Auto-configuration (SLAAC)

networkacademy.io

Each IPv6 node on the network needs a globally unique address to communicate outside its local segment. But where does a node get such an address from? There are a few options:

  • Manual assignment - Every node can be configured with an IPv6 address manually by an administrator. This is not a scalable approach and is prone to human error.
  • DHCPv6 (Dynamic Host Configuration Protocol version 6) - The most widely adopted protocol for dynamically assigning addresses to hosts. It requires a DHCP server on the network and additional configuration.
  • SLAAC (Stateless Address Autoconfiguration) - It was designed to be a simpler and more straightforward approach to IPv6 auto-addressing. In its current implementation as defined in RFC 4862, SLAAC does not provide DNS server addresses to hosts, and that is why it is not widely adopted at the moment.

In this lesson, we are going to learn how SLAAC works and what the pros and cons of using it are in comparison to DHCPv6.

What is SLAAC?

SLAAC stands for Stateless Address Autoconfiguration and the name pretty much explains what it does. It is a mechanism that enables each host on the network to auto-configure a unique IPv6 address without any device keeping track of which address is assigned to which node.

Stateless and Stateful in the context of address assignment mean the following:

  • A stateful address assignment involves a server or other device that keeps track of the state of each assignment. It tracks the address pool availability and resolves duplicated address conflicts. It also logs every assignment and keeps track of the expiration times.
  • Stateless address assignment means that no server keeps track of which addresses have been assigned and which addresses are still available for assignment. Also, in the stateless scenario, the nodes themselves are responsible for resolving any duplicate address conflicts, following this logic: generate an IPv6 address, run Duplicate Address Detection (DAD), and if the address happens to be in use, generate another one and run DAD again, and so on.

How does SLAAC work?

To fully understand how IPv6 auto-addressing works, let's follow the steps an IPv6 node takes from the moment it gets connected to the network to the moment it has a unique global unicast address.

Step 1: The node configures itself with a link-local address

When an IPv6 node is connected to an IPv6 enabled network, the first thing it typically does is to auto-configure itself with a link-local address. The purpose of this local address is to enable the node to communicate at Layer 3 with other IPv6 devices in the local segment. The most widely adopted way of auto-configuring a link-local address is by combining the link-local prefix FE80::/64 and the EUI-64 interface identifier, generated from the interface's MAC address. 

Figure 1 shows a step by step example of how a local address is generated from MAC address 7007.1234.5678.

Figure 1. Generating a link-local address from interface's MAC address

Once the above steps are completed, the node has a fully functional EUI-64 format link-local address as shown below:

C:\>ipconfig /all

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix..: 
   Physical Address................: 7007.1234.5678
   Link-local IPv6 Address.........: FE80::7207:12FF:FE34:5678
   IP Address......................: 0.0.0.0
   Subnet Mask.....................: 0.0.0.0
   Default Gateway.................: 0.0.0.0
   DNS Servers.....................: 0.0.0.0
   DHCP Servers....................: 0.0.0.0
   DHCPv6 Client DUID..............: 00-01-00-01-C4-35-08-8E-70-07-12-34-56-78

Step 2: The node performs Duplicate Address Detection (DAD)

After the IPv6 host has its link-local address auto-configured, it has to make sure that the address is actually unique in the local segment. Even though the chances that another node has the exact same address are very slim, it has to perform a process called Duplicate Address Detection (DAD).

DAD is a mechanism that involves a special type of address called the solicited-node multicast address. Upon configuring an IPv6 address, every node joins a multicast group identified by the address FF02::1:FFxx:xxxx, where xx:xxxx are the last 6 hexadecimal digits of the IPv6 unicast address. Therefore, for each configured unicast address, no matter if it is link-local or global, the host joins the respective auto-generated solicited-node multicast group.

In our example, the last 6 hexadecimal values of the link-local address are 34:5678 so the node joins the multicast group FF02::1:FF34:5678. As PC1 is running a Windows 10 operating system, we can verify that with the following command:

C:\>netsh interface ipv6 show joins

Interface 8: Ethernet0

Scope       References  Last  Address
----------  ----------  ----  ---------------------------------
0                    0  Yes   ff01::1
0                    0  Yes   ff02::1
0                    1  Yes   ff02::c
0                    2  Yes   ff02::fb
0                    1  Yes   ff02::1:3
0                    2  Yes   ff02::1:ff34:5678

Having this logic in mind, we know that if another host has the exact same link-local address, it will also be listening for messages on the solicited-node multicast group auto-generated from this address, FF02::1:FF34:5678. In order for PC1 to check that, it sends an ICMPv6 message with the destination address set to this group and the source address set to the IPv6 unspecified address. In the ICMPv6 portion of the packet, PC1 puts the whole address in the Target Address field. Figure 2 illustrates that process. PC1 then sends the packet on the network. Only nodes that are listening to this exact auto-generated multicast group will open the packet; all other nodes will discard it. Any node that has an IPv6 address with the same last 6 hex digits will look in the ICMPv6 portion and check whether the target address matches any of its own addresses. If there is a match, the host will reply that this IPv6 address is already in use. If nobody replies, PC1 will conclude that this address is unique and available to be used, and will assign it.

Figure 2. PC1 performs IPv6 DAD for its link-local address

This process is called Duplicate Address Detection (DAD) and is done upon every new address assignment. In our example, PC1 sends the ICMPv6 Neighbor Solicitation message as shown in figure 2, and nobody replies back. PC1 will then know for sure that this link-local address is unique in this local segment.

Step 3: The node sends a Router Solicitation message

Steps 1 and 2 in this example depict the process of generating and assigning a unique link-local address. This process is not exactly part of the Stateless Autoconfiguration feature, but without a link-local address, PC1 won't be able to communicate at layer 3 with any other IPv6 node. Thus, it is a prerequisite for SLAAC to work, and that's why we have included it in our example.

After PC1 has a link-local address, it can now start the process of auto-configuring a global unicast address using SLAAC. The first step of this process is to send an ICMPv6 message called Router Solicitation (RS). The purpose of this message is to 'ask' all IPv6 routers attached to this segment about the global unicast prefix that is used. The destination address is the all-routers multicast address FF02::2 and for source, PC1 uses its link-local address. Note that only routers are subscribed to multicast group FF02::2, which means that only Router 1 will process this message, and all other nodes on the local segment will discard it.

After Router 1 gets the Router Solicitation message, it responds with an ICMPv6 message called Router Advertisement (RA). The RA message includes the global IPv6 prefix on the link and the prefix length. In our example, these would be the prefix 2001:1234:A:B:: and the prefix length of /64. For the source of this RA packet, Router 1 uses its own link-local address, and the destination is the all-nodes multicast address FF02::1. The process is illustrated in figure 3.

Figure 3. IPv6 Stateless Address Autoconfiguration example

Step 4: The node configures its global unicast address

Once PC1 gets back the Router Advertisement from Router 1, it combines the prefix 2001:1234:A:B::/64 with its EUI-64 interface identifier (7207:12FF:FE34:5678), resulting in the global unicast address 2001:1234:A:B:7207:12FF:FE34:5678/64. Because the Router Advertisement came from Router 1, PC1 sets its IPv6 default gateway to the link-local address of Router 1.

Now PC1 has a global unicast address and a default gateway. But the SLAAC process is not yet complete. PC1 must know for sure that this auto-generated address is unique in the local segment. Thus, PC1 performs the Duplicate Address Detection (DAD) process.

Step 5: The node performs Duplicate Address Detection (DAD)

We have already explained the DAD process in detail in step 2. When PC1 auto-generates its global unicast address, it immediately joins the auto-generated solicited-node multicast group FF02::1:FF34:5678. To be sure that nobody else is using this address, PC1 then sends an ICMPv6 message called Neighbor Solicitation to the solicited-node address FF02::1:FF34:5678 and waits to see if a node replies. If no reply is received, PC1 knows that this address is unique and can start using it for communication outside its local segment, including on the Internet.

Figure 4. IPv6 Duplicate Address Detection
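To check the address arithmetic of steps 1 through 5 against the lesson's own values, here is an added example in Python (not code from the original lesson): it derives the Modified EUI-64 interface identifier from MAC 7007.1234.5678, builds the link-local and global addresses, and computes the solicited-node group and the Neighbor Solicitation fields that DAD uses. The function names are chosen for this example; the MAC and the prefix 2001:1234:A:B::/64 are the lesson's.

```python
# Added example: SLAAC address derivation for the lesson's PC1 (not part of the original lesson).
import ipaddress
import re


def modified_eui64(mac: str) -> bytes:
    """Build the 8-byte Modified EUI-64 interface identifier from a 48-bit MAC.

    Accepts Cisco (7007.1234.5678), colon or hyphen notation. The steps are the
    ones in Figure 1: split the MAC in half, insert FF:FE in the middle, and flip
    the universal/local bit (bit 1 of the first byte), as RFC 4291 specifies.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets = bytearray.fromhex(digits)
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02  # flip the U/L bit: 0x70 becomes 0x72 for the lesson's MAC
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier (steps 1 and 4)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        # EUI-64 identifiers are 64 bits wide, so any other prefix length cannot be used
        raise ValueError(f"SLAAC with EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx for the given unicast address (the group DAD listens on)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]  # last 6 hex digits = 3 bytes
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def dad_probe(addr: str) -> dict:
    """Addressing of the Neighbor Solicitation that DAD sends for addr (steps 2 and 5)."""
    return {
        "src": "::",                                   # unspecified source address
        "dst": str(solicited_node_multicast(addr)),    # solicited-node group
        "icmpv6_type": 135,                            # ICMPv6 Neighbor Solicitation
        "target": str(ipaddress.IPv6Address(addr)),    # Target Address field
    }


if __name__ == "__main__":
    mac = "7007.1234.5678"
    link_local = slaac_address("FE80::/64", mac)
    global_unicast = slaac_address("2001:1234:A:B::/64", mac)
    print("link-local     :", str(link_local).upper())
    print("global unicast :", str(global_unicast).upper())
    print("DAD probe      :", dad_probe(str(global_unicast)))
```

The link-local result matches the ipconfig output above (FE80::7207:12FF:FE34:5678) and the DAD probe targets the same group seen in the netsh output, ff02::1:ff34:5678.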

The problem with SLAAC

So far so good. We have seen how a node can auto-configure a globally unique IPv6 address and a default gateway.

However, SLAAC does not provide DNS information, and without DNS, many services such as surfing the Internet are not possible.

There is a field in the Router Advertisement header that is designed to solve this problem.

Router Advertisement Flags

As we said above, by default SLAAC does not provide DNS. And without DNS, many services that require resolving names to IP addresses won't work. There is a field in the RA message that helps nodes understand where to get an IPv6 address and DNS information from.

Figure 5. Examining the Router Advertisement Flags

If the M-flag is set to 1, it indicates that addresses are available via DHCPv6. The router is basically telling the nodes to ask the DHCP server for addresses and DNS information. If the M flag is set, the O flag can be ignored because DHCPv6 will return all available information.

If the O-flag is set to 1, it indicates that DNS information is available via DHCPv6. The router is basically telling the nodes to auto-configure an address via SLAAC and ask the DHCP server for DNS information.

If neither M nor O flags are set, this indicates that no DHCPv6 server is available on the segment.

The Prf-flag (Default Router Preference) can be set to Low (1), Medium (0), or High (3). When a node receives Router Advertisement messages from multiple routers, the Default Router Preference (DRP) is used to determine which router to prefer as a default gateway.

Figure 6. Examining the Router Advertisement Flags with Wireshark
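As an added example (not code from the original lesson), the following Python decodes the flags byte of the fixed RA header and maps the M/O combination to what the host should do, which is the decision logic described above. The sample RA is constructed for this example, and the Prf bits are decoded with the two-bit encoding from RFC 4191 (01 High, 00 Medium, 11 Low, 10 reserved); the function names are chosen here.

```python
# Added example: decoding Router Advertisement flags (not part of the original lesson).
import struct

# Flags byte of the RA header (RFC 4861, with the Prf bits from RFC 4191):
# bit 7 = M (Managed address), bit 6 = O (Other config), bit 5 = H (Home Agent),
# bits 4-3 = Prf (Default Router Preference), remaining bits reserved.
M_FLAG = 0x80
O_FLAG = 0x40
PRF_NAMES = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Reserved"}


def decode_ra_flags(flags: int) -> dict:
    """Return M, O, Prf and the resulting host behaviour for one flags byte."""
    m = bool(flags & M_FLAG)
    o = bool(flags & O_FLAG)
    prf = (flags >> 3) & 0b11
    if m:
        # M set: address and DNS both come from stateful DHCPv6; O is irrelevant
        action = "stateful DHCPv6 for address and DNS (O flag ignored)"
    elif o:
        # O set only: SLAAC for the address, stateless DHCPv6 for DNS
        action = "SLAAC for address, stateless DHCPv6 for DNS"
    else:
        action = "SLAAC only, no DHCPv6 server on the segment"
    return {"M": m, "O": o, "Prf": PRF_NAMES[prf], "host_action": action}


def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Parse the fixed 16-byte RA header (ICMPv6 type 134); options are not parsed."""
    if len(icmpv6) < 16:
        raise ValueError("RA header is 16 bytes")
    typ, code, _checksum, hop_limit, flags, lifetime, reachable, retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16]
    )
    if typ != 134 or code != 0:
        raise ValueError(f"not a Router Advertisement: type={typ} code={code}")
    return {
        "hop_limit": hop_limit,
        "router_lifetime": lifetime,    # seconds; 0 means "not a default router"
        "reachable_time": reachable,
        "retrans_timer": retrans,
        **decode_ra_flags(flags),
    }


# Constructed sample RA: M=0, O=1, Prf=Medium, router lifetime 1800 s (checksum left 0)
SAMPLE_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, O_FLAG, 1800, 0, 0)

if __name__ == "__main__":
    for name, value in parse_router_advertisement(SAMPLE_RA).items():
        print(f"{name:16}: {value}")
```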

Configuring SLAAC on Cisco routers

Typically, when IPv6 unicast-routing is enabled on a Cisco router, it starts to send RA messages via all interfaces that have a configured IPv6 global unicast address. 

Router1(config)#ipv6 unicast-routing 

In our example, when interface GigabitEthernet 0/0 is configured with a global IPv6 unicast address, it immediately starts sending RA messages on the local segment. 

Router1(config)#interface GigabitEthernet 0/0
Router1(config-if)#ipv6 enable 
Router1(config-if)#ipv6 address 2001:1234:A:B::1/64

Most parameters can be verified using the show ipv6 interface command.

Router1#show ipv6 interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2D0:97FF:FE49:C501 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1234:A:B::1, subnet is 2001:1234:A:B::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF49:C501
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.

If there is a DHCPv6 server available on the segment, we can set the M-flag or the O-flag in the RA messages using the following options. 

Router1(config-if)#ipv6 nd ? 
  advertisement-interval  Send an advertisement interval option in RA's
  autoconfig              Automatic Configuration
  cache                   Cache entry
  dad                     Duplicate Address Detection
  destination-guard       Query destination-guard switch table
  managed-config-flag     Hosts should use DHCP for address config
  na                      Neighbor Advertisement control
  ns-interval             Set advertised NS retransmission interval
  nud                     Neighbor Unreachability Detection
  other-config-flag       Hosts should use DHCP for non-address config
  prefix                  Configure IPv6 Routing Prefix Advertisement
  ra                      Router Advertisement control
  reachable-time          Set advertised reachability time
  router-preference       Set default router preference value
  secured                 Configure SEND

If you'd like to disable the SLAAC feature on this interface, you can use the suppress option of the ipv6 nd ra interface command.

Router1(config-if)#ipv6 nd ra ?
  dns        DNS
  hop-limit  IPv6 RA hop-limit value
  interval   Set IPv6 Router Advertisement Interval
  lifetime   Set IPv6 Router Advertisement Lifetime
  mtu        IPv6 RA MTU Option
  solicited  Set solicited Router Advertisement response method
  suppress   Suppress IPv6 Router Advertisements

You are absolutely right: if you already have Tor installed and running, you do not need a separate SOCKS client. Tor automatically starts a local...